IPv6 Network Device Numbering BP
There are better ways to avoid neighbor exhaustion attacks unless you have attackers
inside your network.
If you have attackers inside your network, you probably have bigger problems than
neighbor table attacks anyway, but that's a different issue.
Even if you're going to do something silly like use /120s on interfaces, I highly
recommend going ahead and reserving the enclosing /64 so that when you discover
/120 wasn't the best idea, you can easily retrofit.
On Nov 1, 2012, at 12:58 , David Miller <dmiller at tiggee.com> wrote:
> On 11/1/2012 1:59 PM, Valdis.Kletnieks at vt.edu wrote:
>> On Thu, 01 Nov 2012 14:28:48 +0100, "Miquel van Smoorenburg" said:
>>> We use a /120 subnet for servers to prevent the NDP cache
>>> exhaustion attack. We do maintain a mapping between IPv4 and IPv6
>>> addresses; it's simply 2001:db8:vv:ww::xx, where xx is the hex
>>> value of the last octet of the IPv4 address.
>> ooh.. that's a clever approach I hadn't seen before. Who should we
>> credit for this one?
> /120 works well until you get > 99 (if you want the decimal
> representations of addresses to look the same)... or if your techs
> understand hex.
> 10.0.0.123 <-> 2001:db8:vv:ww::7b
> I have used /116 in the past. This gives you 1-fff at the end.
> 10.0.0.123 <-> 2001:db8:vv:ww::123
> Hopefully, this is future proof(ish) in that IPv6 only hosts (...when
> that happens...) on the same subnet can use
> 2001:db8:vv:ww::[a-f][0-f][0-f] without danger of collisions with
> IPv4/IPv6 hosts.
> - -DMM
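The two mapping schemes discussed in the thread (the /120 hex-octet mapping and DMM's /116 decimal-lookalike mapping), together with the check that a small host subnet still sits inside the reserved enclosing /64, as an added Python example that is not part of the original thread; the prefix 2001:db8:1:2::/64 is assumed in place of the thread's vv:ww placeholders.

```python
import ipaddress

# Constructed example prefix: the thread writes 2001:db8:vv:ww::/64 with
# placeholder groups, so 2001:db8:1:2::/64 is assumed here.
ENCLOSING_64 = ipaddress.IPv6Network("2001:db8:1:2::/64")


def last_octet(ipv4: str) -> int:
    """Last octet of a dotted-quad IPv4 address, validated by the stdlib parser."""
    return int(ipaddress.IPv4Address(ipv4)) & 0xFF


def map_hex(ipv4: str, net: ipaddress.IPv6Network = ENCLOSING_64) -> ipaddress.IPv6Address:
    """/120 scheme from the thread: the last IPv4 octet becomes the value of
    the final IPv6 byte, so 10.0.0.123 -> ...::7b (hex)."""
    return ipaddress.IPv6Address(int(net.network_address) | last_octet(ipv4))


def map_decimal_lookalike(ipv4: str, net: ipaddress.IPv6Network = ENCLOSING_64) -> ipaddress.IPv6Address:
    """DMM's /116 scheme: the decimal digits of the last octet are reused as
    hex digits, so 10.0.0.123 -> ...::123. Values span 0x1..0x255 (12 bits)."""
    return ipaddress.IPv6Address(int(net.network_address) | int(str(last_octet(ipv4)), 16))


def host_subnet(addr: ipaddress.IPv6Address, prefixlen: int) -> ipaddress.IPv6Network:
    """The on-link subnet actually configured on the interface (/120 or /116)."""
    return ipaddress.IPv6Network((addr, prefixlen), strict=False)


def retrofit_ok(addr: ipaddress.IPv6Address, prefixlen: int, net: ipaddress.IPv6Network = ENCLOSING_64) -> bool:
    """True when the small host subnet lies inside the reserved /64, so the
    interface can later be widened to the /64 without renumbering hosts."""
    return host_subnet(addr, prefixlen).subnet_of(net)


def collides_with_ipv4_range(suffix: int) -> bool:
    """For the /116 scheme: does a suffix chosen for an IPv6-only host fall in
    the decimal-lookalike range 0x001..0x255? Suffixes ::a00-::fff never do."""
    return 0x1 <= suffix <= 0x255
```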