nanog mailing list archives
Re: IPv6 Netowrk Device Numbering BP
From: joel jaeggli <joelja () bogus com>
Date: Sat, 03 Nov 2012 14:43:43 -0400
On 11/1/12 2:01 PM, Owen DeLong wrote:
All of the migrations are compromises of one sort or another. We thought this one was important enough to include in an informational status RFC (6583).

> There are better ways to avoid neighbor exhaustion attacks unless you have attackers inside your network.

Which approach is most appropriate (and whether it's necessary at all) will depend on the circumstances involved.

The problem isn't silly, I didn't find it all that funny when I first induced it in the lab.

> If you have attackers inside your network, you probably have bigger problems than neighbor table attacks anyway, but that's a different issue. Even if you're going to do something silly like use /120s on interfaces, I highly recommend going ahead and reserving the enclosing /64 so that when you discover /120 wasn't the best idea, you can easily retrofit.
>
> Owen
>
> On Nov 1, 2012, at 12:58, David Miller <dmiller () tiggee com> wrote:
>> On 11/1/2012 1:59 PM, Valdis.Kletnieks () vt edu wrote:
>>> On Thu, 01 Nov 2012 14:28:48 +0100, "Miquel van Smoorenburg" said:
>>>> We use a /120 subnet for servers to prevent the NDP cache exhaustion attack. We do maintain a mapping between IPv4 and IPv6 addresses; it's simply 2001:db8:vv:ww::xx, where xx is the hex value of the last octet of the IPv4 address.
>>>
>>> ooh.. that's a clever approach I hadn't seen before. Who should we credit for this one?
>>
>> /120 works well until you get > 99 (if you want the decimal representations of addresses to look the same)... or if your techs understand hex.
>>
>> 10.0.0.123 <-> 2001:db8:vv:ww::7b
>>
>> I have used /116 in the past. This gives you 1-fff at the end.
>>
>> 10.0.0.123 <-> 2001:db8:vv:ww::123
>>
>> Hopefully, this is future proof(ish) in that IPv6 only hosts (...when that happens...) on the same subnet can use 2001:db8:vv:ww::[a-f][0-f][0-f] without danger of collisions with IPv4/IPv6 hosts.
>>
>> -DMM
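
The two numbering schemes quoted in this message, worked through as an added example (not code from any poster in the thread). The prefix 2001:db8:1:2::/64 stands in for 2001:db8:vv:ww, and the function names are hypothetical; the code checks which prefix length each mapping fits in and whether the [a-f][0-f][0-f] range can collide.

```python
import ipaddress

NET64 = "2001:db8:1:2::/64"  # constructed documentation prefix (assumption)

def _base(net64):
    return ipaddress.IPv6Network(net64).network_address

def _last_octet(ipv4):
    return int(ipaddress.IPv4Address(ipv4)) & 0xFF

def hex_octet_addr(net64, ipv4):
    """/120 scheme: host part is the value of the IPv4 last octet (123 -> ::7b)."""
    return _base(net64) + _last_octet(ipv4)

def decimal_digits_addr(net64, ipv4):
    """/116 scheme: decimal digits of the last octet reused as hex digits (123 -> ::123)."""
    return _base(net64) + int(str(_last_octet(ipv4)), 16)

def fits(addr, net64, prefixlen):
    """True if addr lies in the subnet of the given length at the start of net64."""
    return addr in ipaddress.IPv6Network((_base(net64), prefixlen))

def v6_only_collisions(net64):
    """Host IDs a00-fff that a dual-stack host could also receive under the /116 scheme."""
    mapped = {decimal_digits_addr(net64, f"10.0.0.{o}") for o in range(256)}
    return [_base(net64) + h for h in range(0xA00, 0x1000) if _base(net64) + h in mapped]

if __name__ == "__main__":
    for v4 in ("10.0.0.99", "10.0.0.100", "10.0.0.123", "10.0.0.255"):
        h, d = hex_octet_addr(NET64, v4), decimal_digits_addr(NET64, v4)
        print(f"{v4:12} hex-octet {h} (/120 ok: {fits(h, NET64, 120)})  "
              f"decimal-digits {d} (/120 ok: {fits(d, NET64, 120)}, "
              f"/116 ok: {fits(d, NET64, 116)})")
    print("collisions with [a-f][0-f][0-f]:", v6_only_collisions(NET64))
```
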