Using /126 for IPv6 router links

Igor Gashinsky igor at gashinsky.net
Wed Jan 27 15:19:23 CST 2010


:: > If a worst-case situation arises, and you have to peer with a device that 
:: > doesn't properly support /127's, you can always fall back to using /126's 
:: > or even /64's on those few links (this is why we reserved a /64 for every 
:: > link from the begining)..
:: 
:: If this is the case, why not just use /64s from the beginning? Why
:: bother with hacking it up if it's only going to be reserved anyway?
:: 
:: I'm trying to understand how reserving-and-hacking a /64 makes
:: administration any easier.
:: 
:: Even if all ptp are coming out of a single /64 (as opposed to reserving
:: a /64 for each), what benefits are there to that? It seems as though
:: that this is v4 thinking.

This really has nothing to do with wanting to use the space more 
efficiently, it has to do with overcoming potential operational issues. 
Reserving the whole /64 is what makes administration easier in face of 
different vendor capabilities, using only /127 is what's operationally 
safer on PtP links -- you face 2 major issues with not using /127 for 
PtP-type circuits:

1) ping-ponging of packets on Sonet/SDH links

	Let's say you put 2001:db8::0/64 and 2001:db8::1/64 on a PtP 
	interface, and somebody comes along and ping floods 2001:db8::2, 
	those packets will bounce back and forth between the 2 sides of 
	the link till TTL expires (since there is no address resolution 
	mechanism in PtP, so it just forwards packets not destined for 
	"him" on).

2) ping sweep of death

	Take the same assumption for addressing as above, and now ping 
	sweep 2001:db8::/64... if the link is ethernet, well, hope you 
	didn't have any important arp entries that the router actually 
	needed to learn... (and, if an important entry times out, 
	and now can't get re-learned, *really* bad shit happends, trust 
	me on that one)

Both of these can be mitigated by either *really* heavy-handed ACLs, 
or changes to SONET/SDH forwarding semantics, as well as ARP queue 
prioritization, but very few vendors support those right now. 

For most people, using /127's will be a lot operationaly easier then 
maintain those crazy ACLs, but, like I said before, YMMV..

-igor




More information about the NANOG mailing list