Using IPv6 with prefixes shorter than a /64 on a LAN

Randy Carpenter rcarpen at network1.net
Tue Jan 25 15:43:32 CST 2011


----- Original Message -----
> On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong <owen at delong.com>
> wrote:
> > Seriously? Repetitively sweeping a /64? Let's do the math...
> ...
> 
> We've had this discussion before...
> 
> If the site is using SLAAC, then that 64bit target is effectively
> 48bits.
> And I can make a reasonable guess at 24 of those bits. (esp. if I've
> seen
> the address of even one of the machines.)

I wouldn't say you could assume that because one machine is a particular manufacturer, that they are all the same.  I would say you could certainly limit a scan to a set list of well-known 24-bit IDs (say ~100 or so?), that would still take a couple days at least to scan.

Could there not be something implemented in the firewall to prevent an incoming scan causing an issue with ND ? If you block all incoming by default, why would the router try to do a ND on an address that is not allowed?

-Randy




More information about the NANOG mailing list