Important IPv6 Policy Issue -- Your Input Requested

Valdis.Kletnieks at vt.edu
Thu Nov 11 20:34:17 UTC 2004


On Thu, 11 Nov 2004 15:01:36 EST, Leo Bicknell said:

> Having to double the size of every ACL in your network (once for
> the local address, once for the "public" address) does not seem
> simpler.  It also seems dangerous, since almost all devices have a
> limit to ACL size.  As if larger addresses weren't already enough
> penalty on those boxes, now we have to list each machine twice.

Actually, probably not - in the majority of cases, you can put in *one*
ACL that drops (for example) all outbound packets for anything in the /32
and avoid having to list each machine twice.

Yes, it's still double - but it's two subnet entries, not two copies of
all 2,048 addresses in the subnet....

(Hint - you'd *have* to do it that way - you *can't* enumerate all the
possible addresses in an IPv6 /64 unless your router has terabytes of
memory...)
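The point above, that one prefix entry replaces a host-by-host list and that a /64 cannot be enumerated at all, as an added example that is not part of the original post or of any router's ACL syntax. The three-token rule format ("deny out 2001:db8::/32"), the first-match-wins evaluation with an implicit deny, and the 2001:db8::/32 documentation prefix used as the "local" /32 are all assumptions made here for illustration:

```python
"""Prefix-based IPv6 ACL entries versus per-host entries.

Added example for the NANOG thread above; the rule syntax, the sample
addresses and the evaluation order are constructed for illustration and
do not describe any particular vendor's ACL implementation.
"""
import ipaddress
from typing import Iterable, List, Tuple

# One ACL entry: (action, direction, prefix) -- constructed representation
Rule = Tuple[str, str, ipaddress.IPv6Network]


def parse_rules(lines: Iterable[str]) -> List[Rule]:
    """Parse lines such as 'deny out 2001:db8::/32' (assumed syntax)."""
    rules: List[Rule] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, direction, prefix = line.split()
        if action not in ("permit", "deny") or direction not in ("in", "out"):
            raise ValueError(f"bad rule: {line!r}")
        # strict=False lets an operator write a host address with a prefix length
        rules.append((action, direction, ipaddress.ip_network(prefix, strict=False)))
    return rules


def evaluate(rules: List[Rule], direction: str, src: str) -> str:
    """First matching entry wins; unmatched traffic hits an implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, rule_dir, prefix in rules:
        if rule_dir == direction and addr in prefix:
            return action
    return "deny"


def summarize_hosts(hosts: Iterable[str]) -> List[str]:
    """Collapse a list of /128 host entries into the fewest covering prefixes.

    This is the aggregation step that turns N host lines into a handful of
    subnet lines; it only merges entries that are adjacent and aligned.
    """
    nets = [ipaddress.ip_network(h) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def host_entries_for(prefix: str) -> int:
    """How many /128 entries it would take to list every address in a prefix."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


# Constructed sample ACL: one line covers the whole local-use /32 on egress,
# so no host inside it needs its own entry.
SITE_ACL = parse_rules([
    "# drop anything sourced from the local-use /32 leaving the border",
    "deny out 2001:db8::/32",
    "permit out ::/0",
])

if __name__ == "__main__":
    print(evaluate(SITE_ACL, "out", "2001:db8:abcd::1"))   # inside the /32
    print(evaluate(SITE_ACL, "out", "2001:db9::1"))        # outside it
    # eight consecutive host entries become a single /125
    print(summarize_hosts(f"2001:db8:1::{i:x}" for i in range(8)))
    # a single /64 would need 2**64 host entries, which is why it is never done
    print(host_entries_for("2001:db8::/64"))
```

The constructed ACL denies every source inside 2001:db8::/32 on egress with a single entry, which is the "one ACL that drops all outbound packets for anything in the /32" from the post; `summarize_hosts` shows the aggregation that makes a per-host list unnecessary, and `host_entries_for` shows the 2**64 entries a /64 would otherwise require.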