<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><pre style="color:rgb(0,0,0);white-space:pre-wrap">Hi Christian,</pre><pre style="color:rgb(0,0,0);white-space:pre-wrap">Discontinuous mask for IPv6 was supported in IOS-XR in release 5.2.2.</pre><pre style="color:rgb(0,0,0);white-space:pre-wrap">You can refer below link for details:</pre><pre style="color:rgb(0,0,0);white-space:pre-wrap"><a href="https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/ip-addresses/command/reference/b-ip-addresses-cr-asr9000/b-ipaddr-cr-asr9k_chapter_01.html#wp4831598620">https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/ip-addresses/command/reference/b-ip-addresses-cr-asr9000/b-ipaddr-cr-asr9k_chapter_01.html#wp4831598620</a></pre><pre style="color:rgb(0,0,0);white-space:pre-wrap">Regards,</pre><pre style="color:rgb(0,0,0);white-space:pre-wrap">Aseem</pre><pre style="color:rgb(0,0,0);white-space:pre-wrap">On Wed, Dec 19, 2018 at 8:32 AM Saku Ytti <<a href="https://mailman.nanog.org/mailman/listinfo/nanog">saku at ytti.fi</a>> wrote:
><i> On Wed, 19 Dec 2018 at 02:55, Philip Loenneker
</i>><i> <<a href="https://mailman.nanog.org/mailman/listinfo/nanog">Philip.Loenneker at tasmanet.com.au</a>> wrote:
</i>><i>
</i>><i> > I had a heck of a time a few years back trying to troubleshoot an issue
</i>><i> where an upstream provider had an ACL with an incorrect mask along the
</i>><i> lines of 255.252.255.0. That was really interesting to talk about once we
</i>><i> discovered it, though it caused some loss of hair beforehand...
</i>><i>
</i>><i> Juniper originally didn't support them even in ACL use-case but were
</i>><i> forced to add later due to customer demand, so people do have
</i>><i> use-cases for them. If we'd still support them in forwarding, I'm sure
</i>><i> someone would come up with solution which depends on it. I am not
</i>><i> advocating we should, I'll rather take my extra PPS out of the HW.
</i>><i>
</i>><i> However there is one quite interesting use-case for discontinuous mask
</i>><i> in ACL. If you have, like you should have, specific block for customer
</i>><i> linknetworks, you can in iACL drop all packets to your side of the
</i>><i> links while still allowing packets to customer side of the links,
</i>><i> making attack surface against your network minimal.
</i>
And unfortunately is still not supported by IOS-XR for IPv6, which could
mean not having a scaleable way on your edge to protect your internal
network.
--
Christian
e-mail/xmpp: <a href="https://mailman.nanog.org/mailman/listinfo/nanog">christian at errxtx.net</a>
PGP Fingerprint: B458 E4D6 7173 A8C4 9C75315B 709C 295B FA53 2318
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <<a href="https://mailman.nanog.org/pipermail/nanog/attachments/20181220/cfd683a3/attachment.html">http://mailman.nanog.org/pipermail/nanog/attachments/20181220/cfd683a3/attachment.html</a>>
</pre><hr style="color:rgb(0,0,0);font-family:-webkit-standard"><p style="color:rgb(0,0,0);font-family:-webkit-standard"></p><ul style="color:rgb(0,0,0);font-family:-webkit-standard"><li>Previous message (by thread): <a href="https://mailman.nanog.org/pipermail/nanog/2018-December/098410.html">Stupid Question maybe?</a></li><li>Next message (by thread): <a href="https://mailman.nanog.org/pipermail/nanog/2018-December/098447.html">Stupid Question maybe?</a></li><li><b>Messages sorted by:</b> <a href="https://mailman.nanog.org/pipermail/nanog/2018-December/date.html#98465">[ date ]</a> <a href="https://mailman.nanog.org/pipermail/nanog/2018-December/thread.html#98465">[ thread ]</a> <a href="https://mailman.nanog.org/pipermail/nanog/2018-December/subject.html#98465">[ subject ]</a> <a href="https://mailman.nanog.org/pipermail/nanog/2018-December/author.html#98465">[ author ]</a></li></ul><hr style="color:rgb(0,0,0);font-family:-webkit-standard"><a href="https://mailman.nanog.org/mailman/listinfo/nanog" style="font-family:-webkit-standard">More information about the NANOG mailing list</a><br></div></div></div></div>