nanog mailing list archives

Re: Internet Edge Router replacement - IPv6 route table size considerations


From: Owen DeLong <owen () delong com>
Date: Thu, 10 Mar 2011 23:02:58 -0800


On Mar 10, 2011, at 8:00 PM, Dobbins, Roland wrote:

> On Mar 11, 2011, at 10:51 AM, George Bonser wrote:
>
>> If you are a content provider, it doesn't make any difference if they take down the links between your routers or if
>> they take down the link that your content farm is on.
>
> Of course, it does - you may have many content farms/instances, and taking down point-to-point links can DoS your
> entire set of farms/instances, whereas an attack against a given endpoint access network doesn't necessarily mean
> that your other properties/networks/services are being attacked, as well.

How is an attack against all your content farms in any way MORE difficult than an attack against enough
point-to-point links to take everything out?

If you've designed things properly, it takes more PtoP links to DoS the complete set than it does
endpoint networks.

> Limiting this vector to endpoint access networks also makes mitigation mechanisms far more practicable.

It's actually pretty easy to eliminate it 100% from the PtoP links even if they are /64s by simply not
allowing traffic to the PtoP addresses other than from selected sources (NOC/Admin Network, required
peers, etc.). If you want to be truly anal about it, you can also block packets to non-existent
addresses on the PtoP links.

> There is no good reason to use /64s on point-to-point links.  It is wasteful (please, no more about the supposed
> infinitude of IPv6 addresses; some of us reject this as being shortsighted and insufficiently visionary concerning
> eventual one-time-uses of IPv6 addresses at nanoscale) and turns your routers into sinkholes.  It is a Very Bad Idea.

This isn't a one-time-use of IPv6 addresses and the one-time-uses of IPv6 addresses are what should be considered
unscalable and absurdly wasteful.

There's a lot to be said for the principle of least surprise and uniform /64s actually help with that quite a bit.

Frankly, unless you have parallel links, there isn't a definite need to even number PtoP links for IPv6.
Everything you need to do with an interface-specific address on a PtoP link can be done with link local.

Owen
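An added example, not from this thread or any of its participants, of the filter Owen describes above: a Cisco IOS style IPv6 infrastructure ACL applied inbound on an Internet-facing edge interface, so that traffic aimed at any address in the PtoP aggregate is dropped unless it comes from the NOC or a required peer, while transit traffic is untouched. The aggregate, NOC prefix, link /64, endpoint addresses and interface name are constructed placeholders.

```cisco
! Constructed example, not from the thread. Placeholder prefixes:
!   2001:db8:ff::/48   - aggregate from which every PtoP /64 is numbered
!   2001:db8:aa::/48   - NOC / admin network
!   2001:db8:ff:1::/64 - one PtoP link; ::1 is our side, ::2 an eBGP peer
ipv6 access-list PROTECT-PTP-LINKS
 remark Neighbor Discovery on the links themselves must keep working
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark ICMPv6 errors to our link addresses (PMTUD, traceroute replies)
 permit icmp any 2001:db8:ff::/48 packet-too-big
 permit icmp any 2001:db8:ff::/48 time-exceeded
 permit icmp any 2001:db8:ff::/48 unreachable
 remark NOC may reach the two real endpoint addresses, not the whole /64
 permit ipv6 2001:db8:aa::/48 host 2001:db8:ff:1::1
 permit ipv6 2001:db8:aa::/48 host 2001:db8:ff:1::2
 remark The required peer on this link may talk BGP to our side only
 permit tcp host 2001:db8:ff:1::2 host 2001:db8:ff:1::1 eq bgp
 permit tcp host 2001:db8:ff:1::2 eq bgp host 2001:db8:ff:1::1
 remark Anything else aimed at a PtoP address, assigned or not, is dropped
 deny ipv6 any 2001:db8:ff::/48 log
 remark Transit traffic to content/customer prefixes is unaffected
 permit ipv6 any any
!
interface TenGigabitEthernet0/0/0
 description Upstream transit (placeholder interface)
 ipv6 traffic-filter PROTECT-PTP-LINKS in
```

Because the deny covers the whole aggregate rather than only the two assigned addresses, the "block packets to non-existent addresses" step comes for free; the ACL needs to be applied on every external-facing interface to be effective.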


