IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

• Previous message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Next message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy <rps at maine.edu> wrote:
> Saying you can mitigate neighbor table exhaustion with a "simple ACL"
> is misleading (and you're not the only one who has tried to make that
> claim).

It's true, though, you can.
But you can also mitigate neighbor table exhaustion by using a long prefix /126;
you create an upper bound on the number of neighbor table entries that
are possible,
and that bound is less than your device's memory capacity for neighbor
table entries.

This is a more reliable mitigation than an ACL;  it is also simpler
and less likely for an
operator to mistake to render the mitigation useless, or cause other issues.

>From a pure security POV,  it's easy to reject ACL mitigation in favor
of inherent
designed-in  mitigation / non-vulnerability.

>From a network design POV, there may still be reasons to prefer the ACL method.
They better be good reasons, such as a requirement for SLAAC on a large LAN.

--
-JH

• Previous message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Next message (by thread): IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]