Using /126 for IPv6 router links
mpetach at netflight.com
Mon Jan 25 09:14:17 UTC 2010
On Sat, Jan 23, 2010 at 4:52 AM, Mathias Seiler
<mathias.seiler at mironet.ch> wrote:
> In reference to the discussion about /31 for router links, I'd like to know what is your experience with IPv6 in this regard.
> I use a /126 if possible but have also configured one /64 just for the link between two routers. This works great but when I think that I'm wasting 2^64 - 2 addresses here it feels plain wrong.
> So what do you think? Good? Bad? Ugly? /127 ? ;)
> Mathias Seiler
> MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
> T +41 61 201 30 90, F +41 61 201 30 99
> mathias.seiler at mironet.ch
As I mentioned in my lightning talk at the last NANOG, we reserved a /64 for each PtP link, but configured it as the first /126 out of the /64. That gives us the most flexibility for expanding to the full /64 later if necessary, but prevents us from being a victim of the classic v6 neighbor discovery attack that you're prone to if you configure the entire /64 on the link. All someone out on the 'net needs to do is scan up through your address space on the link as quickly as possible, sending single packets at all the non-existent addresses on the link, and watch as your router CPU starts to churn keeping track of all the neighbor discovery messages, state table updates, and incomplete age-outs. With the link configured as a /126, there's a very small limit to the number of neighbor discovery messages, and the amount of state table that needs to be maintained and updated for each PtP link.

It seemed like a reasonable approach for us--but there's more than one way to skin this particular cat.
Hope this helps!
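Added example, not from the thread or from either poster: a small planning helper that carves the first /126 out of a /64 reserved for a link and shows how many unassigned addresses are left for off-link neighbor-discovery probes to target under each prefix length. It assumes a constructed documentation prefix (2001:db8:0:1::/64) and the convention of numbering the two routers ::1 and ::2 (or ::0 and ::1 on a /127); neither is stated in the post.

```python
import ipaddress


def first_ptp_subnet(reserved: str, new_prefix: int = 126) -> ipaddress.IPv6Network:
    """Carve the first /new_prefix out of the /64 reserved for a PtP link."""
    block = ipaddress.IPv6Network(reserved, strict=True)
    if block.prefixlen != 64:
        raise ValueError("reserve exactly one /64 per point-to-point link")
    if not 64 < new_prefix <= 127:
        raise ValueError("configured prefix must be between /65 and /127")
    # subnets() is lazy; taking only the first avoids enumerating 2**62 entries.
    return next(block.subnets(new_prefix=new_prefix))


def router_addresses(link: ipaddress.IPv6Network) -> tuple:
    """Assumed numbering convention: skip ::0 (subnet-router anycast) and use
    the next two addresses; on a /127 only ::0 and ::1 exist, so use both."""
    if link.prefixlen == 127:
        a, b = link[0], link[1]
    else:
        a, b = link[1], link[2]
    return (ipaddress.IPv6Interface(f"{a}/{link.prefixlen}"),
            ipaddress.IPv6Interface(f"{b}/{link.prefixlen}"))


def nd_exposure(link: ipaddress.IPv6Network) -> int:
    """Addresses on the link that neither router owns. Each one is a neighbor
    cache entry (INCOMPLETE, then aged out) that an unsolicited packet from
    off-link can make the router create; the /64 case is Mathias's 2**64 - 2."""
    return link.num_addresses - 2


def exposure_comparison(reserved: str, new_prefix: int = 126) -> dict:
    """Map the reserved /64 and its configured sub-block to their ND exposure."""
    full = ipaddress.IPv6Network(reserved, strict=True)
    link = first_ptp_subnet(reserved, new_prefix)
    return {str(full): nd_exposure(full), str(link): nd_exposure(link)}


if __name__ == "__main__":
    reserved = "2001:db8:0:1::/64"  # constructed sample reservation
    link = first_ptp_subnet(reserved)
    a, b = router_addresses(link)
    print(f"reserve {reserved}, configure {a} and {b} on the link")
    for prefix, count in exposure_comparison(reserved).items():
        print(f"{prefix}: {count} unassigned addresses reachable by ND probes")
```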