Yahoo and IPv6

Robert Drake rdrake at
Sun May 15 03:01:46 UTC 2011

On 5/10/2011 12:57 AM, Jeff Wheeler wrote:
> Your suggestion has two main disadvantages:
> 1) it doesn't work on some platforms, because input ACL won't stop ND
> learn/solicit -- obviously this is bad
> 2) it requires you to configure a potentially large input ACL on every
> single interface on the box, and adjust that ACL whenever you
> provision more IPv6 addresses for end-hosts -- kinda like not having a
> control-plane filter, only worse

Might need to rewrite some portion of ND to do this, but can't a cookie 
be encoded in the ND packet and no state kept?  That should reduce the 
problem to one of a packet flood which everyone already deals with now.

Sorry if this has been suggested/shot down before.  The ND problems keep 
being mentioned and I never see this proposed and it seems like an 
obvious solution.


More information about the NANOG mailing list