On 28/03/2017 13:28, Philip Homburg wrote:
Hi Jan,
It's not clear to me why in Section 3.1.5, a global /64 prefix is recommended for PPPoE connections.
Sections 3.1.2 and 3.1.3 talk about directly connecting hosts without any kind of CPE. As far as I know, the last time that was in fashion for PPP links was with dial-up.
Hey,
Thank you for reading the document and commenting, I hope you find it useful. You would be surprised how many residential customers still have a CPE in bridge mode and are connecting to the PPPoE service from a Windows (or any other OS) PC using a PPPoE dialer, some of them even using multiple parallel PPPoE sessions from multiple computers sitting on the same network. In this case, even a static /64 for the WAN link would not work, as the assignments would not work for both of them and you need to set up dynamic WAN numbering to accommodate multiple PPPoE sessions. People still do strange things, and since this is all about documenting the current operational practice, we need to take this into account.
So I think that for PPPoE we can safely assume that a CPE can request a prefix using DHCPv6 PD.
Yes.
As indirectly mentioned in Section 3.1.2, assigning a global /64 to a point-to-point link may open certain kinds of attacks. All links with a global /64 risk an ND exhaustion attack. However, point-to-point links also risk a ping-pong attack.
Indeed. I believe we covered that by recommending /127 or similar.
For a PPPoE link these issues are trivially solved by leaving the link unnumbered.
Again, for those using a PPPoE dialer, that would not work. If you are 100% sure that nobody in your network is connecting using a PPPoE dialer, then yes, go ahead with unnumbered.
Cheers, Jan