Using /126 for IPv6 router links
pekkas at netcore.fi
Wed Jan 27 05:47:35 UTC 2010
On Tue, 26 Jan 2010, Igor Gashinsky wrote:
> Matt meant "reserve/assign a /64 for each PtP link, but only configure the
> first */127* of the link", as that's the only way to fully mitigate the
> scanning-type attacks (with a /126, there is still the possibility of
> ping-pong on a p-t-p interface) w/o using extensive ACLs..
> Anyways, that's what worked for us, and, as always, YMMV...
That's still relying on the fact that your vendor won't implement
the subnet-router anycast address and turn it on by default. That would
mess up the first address of the link. But I suppose those would be
pretty big ifs.
--
Pekka Savola, Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
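The two concerns raised in this thread, as an added example that is not part of the original messages: it counts the on-link addresses that neither router owns (the ping-pong case) and checks whether an endpoint sits on the subnet-router anycast address, which RFC 4291 defines as the prefix with all host bits zero. The `2001:db8::` links and the function names are constructed for illustration.

```python
import ipaddress


def audit_ptp_link(prefix, addr_a, addr_b):
    """Audit one point-to-point link (hypothetical helper, not vendor code)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    ends = {ipaddress.IPv6Address(addr_a), ipaddress.IPv6Address(addr_b)}
    if len(ends) != 2:
        raise ValueError("both ends are configured with the same address")
    off_link = sorted(str(a) for a in ends if a not in net)
    if off_link:
        raise ValueError(f"addresses outside {net}: {off_link}")
    # Subnet-router anycast address: the configured prefix with all host
    # bits zero (RFC 4291, section 2.6.1).
    anycast = net.network_address
    return {
        "prefix": str(net),
        # Addresses inside the configured prefix that neither router owns.
        # Traffic to them can bounce between the two ends until the hop
        # limit expires, so anything above zero needs an ACL or a shorter
        # configured range.
        "unowned_on_link": net.num_addresses - len(ends),
        # True when one end uses the all-zeros address, which breaks if the
        # platform enables subnet-router anycast on the interface.
        "anycast_collision": anycast in ends,
        "anycast": str(anycast),
    }


# Constructed sample links (documentation prefix), one per design discussed.
SAMPLE_LINKS = [
    ("2001:db8:0:1::/126", "2001:db8:0:1::1", "2001:db8:0:1::2"),
    ("2001:db8:0:2::/127", "2001:db8:0:2::", "2001:db8:0:2::1"),
    ("2001:db8:0:3::/64", "2001:db8:0:3::1", "2001:db8:0:3::2"),
]


def audit_all(links=SAMPLE_LINKS):
    return [audit_ptp_link(*link) for link in links]


if __name__ == "__main__":
    for result in audit_all():
        print(f"{result['prefix']:<22} unowned={result['unowned_on_link']:<22}"
              f" anycast_collision={result['anycast_collision']}")
```
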