Yahoo and IPv6

Jeff Wheeler jsw at inconcepts.biz
Tue May 10 04:57:04 UTC 2011


On Mon, May 9, 2011 at 10:04 PM, Joel Maslak <jmaslak at antelope.net> wrote:
> On Mon, May 9, 2011 at 3:57 PM, Jeff Wheeler <jsw at inconcepts.biz> wrote:
>> I do take issue with your suggestion that /64 LANs are in any way
>> smart in the datacenter.  They are not.  I have some slides on this
>> topic: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>
> There are ways of mitigating this (the easiest is to use ACLs or firewalls
> to limit traffic into a subnet from untrusted sources so that only
> legitimate traffic is allowed).

Your suggestion has two main disadvantages:
1) it doesn't work on some platforms, because input ACL won't stop ND
learn/solicit -- obviously this is bad
2) it requires you to configure a potentially large input ACL on every
single interface on the box, and adjust that ACL whenever you
provision more IPv6 addresses for end-hosts -- kinda like not having a
control-plane filter, only worse

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
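Added example, not part of the thread and not code from either poster: a small Python model of a router's IPv6 neighbor cache that makes the two positions above concrete. A sweep of packets toward mostly unused addresses in a /64 is sent through three routers: one with no ACL, one whose input ACL is evaluated before any ND state is created (Joel's mitigation working as intended), and one on a platform where the ACL is evaluated only after the router has already created an INCOMPLETE entry and solicited (Jeff's point 1). The reported `acl_size` is the number of provisioned host addresses the ACL must enumerate (Jeff's point 2). The cache capacity, the `2001:db8:` documentation prefix, the host count and every class and function name are constructed assumptions for illustration.

```python
"""Model of IPv6 neighbor-cache state under a sweep of a /64 (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed assumption: per-interface neighbor cache limit. Real limits are
# platform-specific; the point is only that the limit is finite.
CACHE_CAPACITY = 1000


@dataclass
class Router:
    prefix: ipaddress.IPv6Network          # the /64 LAN facing the hosts
    provisioned: set                       # addresses of real hosts (ACL allow-list)
    acl_enabled: bool = False
    # Platform behaviour: True if the input ACL drops the packet before the
    # router creates a neighbor entry; False if ND state is created first.
    acl_gates_nd: bool = True
    cache: dict = field(default_factory=dict)   # addr -> "REACHABLE"/"INCOMPLETE"
    dropped_cache_full: int = 0

    def receive(self, dst: str) -> str:
        """Handle one packet destined to dst on this LAN; return the outcome."""
        addr = ipaddress.IPv6Address(dst)
        if addr not in self.prefix:
            return "not-on-link"
        permitted = (not self.acl_enabled) or (addr in self.provisioned)
        if self.acl_enabled and self.acl_gates_nd and not permitted:
            return "acl-drop"            # dropped before any ND state exists
        if addr not in self.cache:
            if len(self.cache) >= CACHE_CAPACITY:
                self.dropped_cache_full += 1
                return "cache-full"      # no room left even to solicit
            # Unknown neighbor: the router creates an entry and solicits. A
            # provisioned host answers (REACHABLE); nothing answers for an
            # unused address, so the entry sits INCOMPLETE until it times out.
            self.cache[addr] = "REACHABLE" if addr in self.provisioned else "INCOMPLETE"
        if not permitted:
            return "acl-drop-after-nd"   # ACL still drops, but the slot is spent
        return self.cache[addr]


def simulate(router: Router, n_targets: int) -> dict:
    """Send one packet to each of the first n_targets addresses in the prefix
    (constructed traffic: a sweep of mostly unused addresses) and summarise
    the resulting neighbor-cache state."""
    outcomes: dict = {}
    for i in range(1, n_targets + 1):
        result = router.receive(str(router.prefix[i]))
        outcomes[result] = outcomes.get(result, 0) + 1
    incomplete = sum(1 for s in router.cache.values() if s == "INCOMPLETE")
    return {
        "cache_entries": len(router.cache),
        "incomplete_entries": incomplete,
        "acl_size": len(router.provisioned) if router.acl_enabled else 0,
        "outcomes": outcomes,
    }


def compare(n_targets: int = 5000, n_hosts: int = 10) -> dict:
    """Run the same sweep against the three router configurations."""
    lan = ipaddress.IPv6Network("2001:db8:0:1::/64")   # documentation prefix
    hosts = {lan[i] for i in range(1, n_hosts + 1)}    # constructed host set
    scenarios = {
        "no_acl": Router(lan, hosts),
        "acl_gates_nd": Router(lan, hosts, acl_enabled=True, acl_gates_nd=True),
        "acl_after_nd": Router(lan, hosts, acl_enabled=True, acl_gates_nd=False),
    }
    return {name: simulate(r, n_targets) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, summary in compare().items():
        print(name, summary)
```

With the constructed numbers, the no-ACL router and the "ACL after ND" router both end with a full cache of 1000 entries, 990 of them INCOMPLETE, and drop the remaining 4000 packets as cache-full; only the router whose ACL gates ND keeps the cache at the 10 provisioned hosts, at the cost of an ACL that lists every one of those addresses and must be updated whenever another is provisioned.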
