IPv6 Addressing Help

Jeroen Massar jeroen at unfix.org
Fri Aug 14 13:35:38 CDT 2009


TJ wrote:
[..]
> A great counter-point to this is that if you do use /64s (or for that matter
> - anything shorter than the currently-not-recommended /127s, AFAIK), you
> should apply ACLs to them to prevent ping-pong.

One should be doing uRPF at minimum on all links anyway. BCP84 ;)

If the user (or whatever you call the place where you send packets to)
has a default route back and is not properly routing those packets can
come back quite quickly.

eg, route a /48 to the user. The user only uses the first /64, and
doesn't care about the rest and doesn't route them to lo0 to avoid the
default to match, the packets will nicely ping pong back to you.

Easy solution: source address check, then the source will not be
matching and you can drop the packet, or ICMP !A them so that the user
might once figure out what goes on.

Of course if user is sending packets with their source and their
destination you will need another kind of filter, but they will only
hurt themselves with it.

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090814/919fecf2/attachment.bin>


More information about the NANOG mailing list