Important IPv6 Policy Issue -- Your Input Requested
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Thu Nov 11 20:34:17 UTC 2004
On Thu, 11 Nov 2004 15:01:36 EST, Leo Bicknell said:
> Having to double the size of every ACL in your network (once for
> the local address, once for the "public" address) does not seem
> simpler. It also seems dangerous, since almost all devices have a
> limit to ACL size. As if larger addresses wasn't already enough
> penality on those boxes now we have to list each machine twice.
Actually, probably not - in the majority of cases, you can put in *one*
ACL that drops (for example) all outbound packets for anything in the /32
and avoid having to list each machine twice.
Yes, it's still double - but it's two subnet entries, not two copies of
all 2,048 addresses in the subnet....
(Hint - you'd *have* to do it that way - you *cant* enumerate all the
possible addresses in an IPv6 /64 unless your router has terabytes of
memory...)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20041111/ebd2b936/attachment.sig>
More information about the NANOG
mailing list