
IPv6 Network Device Numbering BP

In article <xs4all.963E27C7-A0C5-44AC-86AF-33E6286C9BC1 at delong.com> you write:
>There are better ways to avoid neighbor exhaustion attacks unless you
>have attackers inside your network.

You mean filtering. I haven't tried it recently, but a while ago
I put an output filter on a Juniper router that allowed just
the lower /120 out of a /64 on an interface. What happened was that
neighbor discovery happened /before/ filtering. I should probably
test that against recent JunOS releases, but that was a firm
reason to go with a /120 instead of a filter. Besides, configuring
a /120 is way less work than a filter per interface (yes, we
do have per-interface filters, but they're kind of generic).

>Even if you're going to do something silly like use /120s on interfaces,
>I highly recommend going ahead and reserving the enclosing /64 so that
>when you discover /120 wasn't the best idea, you can easily retrofit.

Sure, we do that. As soon as router vendors solve the NDP CE attack
problem, we'll go back to /64s.