IPv6 prefixes longer than /64: are they possible in DOCSIS networks?

Jamie Bowden jamie at photon.com
Wed Nov 30 16:55:07 UTC 2011



> -----Original Message-----
> From: Jimmy Hess [mailto:mysidia at gmail.com]
> Sent: Wednesday, November 30, 2011 11:14 AM
> To: Ray Soucy
> Cc: NANOG
> Subject: Re: IPv6 prefixes longer than /64: are they possible in DOCSIS
> networks?
> 
> On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy <rps at maine.edu> wrote:
> > Saying you can mitigate neighbor table exhaustion with a "simple ACL"
> > is misleading (and you're not the only one who has tried to make that
> > claim).
> 
> It's true, though, you can.
> But you can also mitigate neighbor table exhaustion by using a long
> prefix /126;
> you create an upper bound on the number of neighbor table entries that
> are possible,
> and that bound is less than your device's memory capacity for neighbor
> table entries.
> 
> This is a more reliable mitigation than an ACL; it is also simpler
> and less likely for an operator mistake to render the mitigation
> useless, or cause other issues.
> 
> From a pure security POV,  it's easy to reject ACL mitigation in favor
> of inherent
> designed-in  mitigation / non-vulnerability.
> 
> From a network design POV, there may still be reasons to prefer the ACL
> method.
> They better be good reasons, such as a requirement for SLAAC on a large
> LAN.

Or maybe the IETF could, you know, decouple SLAAC from a particular
netmask and make the world a better place for all of us who aren't
backbone providers.  Do we have to recreate the mistakes from v4 all
over again?

Jamie
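The neighbor-cache argument in the quoted message, as an added illustration that is not part of the thread: a small model of a router interface whose neighbor cache has an assumed capacity of 1024 entries, hit by a stream of packets to random destinations inside the on-link prefix (each unknown destination creates an INCOMPLETE entry). The prefix lengths, capacity and probe count are constructed values; the point is that a /126 puts a hard upper bound (4) on entries independent of any ACL, while an ACL only bounds them as long as it is actually in place and correct.

```python
import ipaddress
import random

CACHE_CAPACITY = 1024   # assumed per-interface neighbor cache limit (constructed)


def neighbor_table_bound(prefix):
    """Largest number of neighbor entries an on-link prefix can ever produce.

    This is the designed-in bound the thread describes: for a /126 it is 4,
    for a /64 it is 2**64, far beyond any real neighbor cache.
    """
    return ipaddress.IPv6Network(prefix).num_addresses


def simulate_scan(prefix, probes, capacity=CACHE_CAPACITY, allowed=None, seed=1):
    """Model packets to `probes` random destinations inside `prefix`.

    Each new destination consumes a neighbor cache slot (as a router doing
    address resolution would).  `allowed`, if given, is the set of addresses
    an ingress ACL permits; anything else is dropped before resolution.
    Returns (entries_in_cache, packets_dropped).
    """
    net = ipaddress.IPv6Network(prefix)
    rng = random.Random(seed)          # deterministic for repeatable runs
    cache = set()
    dropped = 0
    for _ in range(probes):
        dst = net[rng.randrange(net.num_addresses)]
        if allowed is not None and dst not in allowed:
            dropped += 1               # ACL mitigation: never reaches ND
            continue
        if dst in cache:
            continue                   # already being resolved
        if len(cache) >= capacity:
            dropped += 1               # cache full: exhaustion in effect
            continue
        cache.add(dst)
    return len(cache), dropped


if __name__ == "__main__":
    # Same traffic volume against a /64, a /126, and a /64 behind an ACL
    # that only permits two known hosts.
    lan64 = ipaddress.IPv6Network("2001:db8::/64")
    print("/64 bound:", neighbor_table_bound("2001:db8::/64"))
    print("/64  :", simulate_scan("2001:db8::/64", 5000))
    print("/126 :", simulate_scan("2001:db8::/126", 5000))
    print("/64+ACL:", simulate_scan("2001:db8::/64", 5000,
                                    allowed={lan64[1], lan64[2]}))
```

Run as-is the /64 case saturates the cache at 1024 entries, the /126 case tops out at 4 entries with nothing dropped, and the ACL case keeps the cache empty only because the permitted set happens to be tiny and correct.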
