[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IPv6 Netowrk Device Numbering BP
On 11/1/12 2:01 PM, Owen DeLong wrote:
> There are better ways to avoid neighbor exhaustion attacks unless you have attackers
> inside your network.
All of the migrations are compromises of one sort or another. We thought
this one was important enough to include in an informational status
Which approach is most appropriate (and whether it's necessary at all)
will depend on the circumstances involved.
> If you have attackers inside your network, you probably have bigger problems than
> neighbor table attacks anyway, but that's a different issue.
> Even if you're going to do something silly like use /120s on interfaces, I highly
> recommend going ahead and reserving the enclosing /64 so that when you discover
> /120 wasn't the best idea, you can easily retrofit.
The problem isn't silly, I didn't find it all that funny when I first
induced it in the lab.
> On Nov 1, 2012, at 12:58 , David Miller <dmiller at tiggee.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On 11/1/2012 1:59 PM, Valdis.Kletnieks at vt.edu wrote:
>>> On Thu, 01 Nov 2012 14:28:48 +0100, "Miquel van Smoorenburg" said:
>>>> We use a /120 subnet for servers to prevent the NDP cache
>>>> exhaustion attack. We do maintain a mapping between IPv4 and IPv6
>>>> addresses; it's simply 2001:db8:vv:ww::xx, where xx is the hex
>>>> value of the last octet of the IPv4 address.
>>> ooh.. that's a clever approach I hadn't seen before. Who should we
>>> credit for this one?
>> /120 works well until you get > 99 (if you want the decimal
>> representations of addresses to look the same)... or if your techs
>> understand hex.
>> 10.0.0.123 <-> 2001:db8:vv:ww::7b
>> I have used /116 in the past. This gives you 1-fff at the end.
>> 10.0.0.123 <-> 2001:db8:vv:ww::123
>> Hopefully, this is future proof(ish) in that IPv6 only hosts (...when
>> that happens...) on the same subnet can use
>> 2001:db8:vv:ww::[a-f][0-f][0-f] without danger of collisions with
>> IPv4/IPv6 hosts.
>> - -DMM
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>> -----END PGP SIGNATURE-----