On 05/26/2011 06:37 PM, Martin Millnert wrote:
Hi,
On Thu, May 26, 2011 at 8:43 AM, Marco Hogewoning<marcoh@marcoh.net> wrote:
On May 26, 2011, at 2:25 PM, Yannis Nikolopoulos wrote:
so,
other than the fact that it's wasteful, is there any other reason for not using /64 (that's what we're using) on p2p links?

I wouldn't describe it as wasteful, every subnet is per standard /64 anyway. The primary reasons are security concerns like the fact that you might be able to trick a machine into sending loads of ND messages (or responses), filling up the neighbor cache or CAM table.
Yes. I recommend http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf for more details on this. It seems to be a pretty serious issue in most implementations. The author of the PDF recommends allocating /64 but using whatever fits your need. This way you'll stay ready for the future, should you have a reason to change, interoperability or other.
Best regards, Martin
I should've been more elaborate in my original post. On one hand, allocating a /64 per p2p link *could* be considered wasteful and Cisco's "official" word was to use /64 on p2p links as all code is optimized for that boundary. On the other hand, there's the NDP cache exhaustion issue mentioned in rfc6164 (this issue can be minimized by a sane security policy btw) plus Gunter's (very informative) comments. Allocating and using /64 on p2p links sounds tidy. The "allocating" part we'll stick with; the "using" part remains to be seen.

regards, Yannis
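An added illustration, not written by any of the posters, of the symptom Marco and Martin describe (a neighbor cache filling with unresolved entries) and of why rfc6164's /127 shrinks the address space a remote sender can poke at on a p2p link. The neighbor-table sample is constructed in the style of Linux `ip -6 neigh show` output; the threshold is an assumed operator setting.

```python
import re
from collections import Counter

# Constructed sample in the format of `ip -6 neigh show` (not real data):
# a burst of INCOMPLETE/FAILED entries on one link is what cache exhaustion
# looks like from the router's side.
SAMPLE_NEIGH = """\
2001:db8:1::2 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::9a3f dev eth0 INCOMPLETE
2001:db8:1::9a40 dev eth0 INCOMPLETE
2001:db8:1::9a41 dev eth0 FAILED
2001:db8:1::9a42 dev eth0 INCOMPLETE
2001:db8:2::1 dev eth1 lladdr 00:11:22:33:44:66 STALE
"""

# address, interface, then anything, ending in the upper-case NUD state
NEIGH_RE = re.compile(r"^(?P<addr>\S+) dev (?P<dev>\S+) .*?(?P<state>[A-Z]+)$")
UNRESOLVED = ("INCOMPLETE", "FAILED")


def unresolved_per_interface(neigh_output: str) -> dict:
    """Count neighbor entries that never resolved, per interface."""
    counts = Counter()
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("state") in UNRESOLVED:
            counts[m.group("dev")] += 1
    return dict(counts)


def neighbor_cache_alerts(neigh_output: str, threshold: int = 3) -> list:
    """Interfaces whose unresolved-entry count reaches the (assumed) alert threshold."""
    per_if = unresolved_per_interface(neigh_output)
    return sorted(dev for dev, n in per_if.items() if n >= threshold)


def scannable_addresses(prefix_len: int) -> int:
    """Addresses on a link numbered with this prefix length that a remote
    sender could target, each costing the router an ND lookup: 2^(128-len)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    return 2 ** (128 - prefix_len)


if __name__ == "__main__":
    print("unresolved:", unresolved_per_interface(SAMPLE_NEIGH))
    print("alerts:", neighbor_cache_alerts(SAMPLE_NEIGH))
    print("/64 targets:", scannable_addresses(64), " /127 targets:", scannable_addresses(127))
```

On a /127 the router has exactly two addresses to resolve, so the same flood that fills a /64's cache has nowhere to go.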