[AusNOG] IPv6 defacto standards/conventions
Mark Smith
markzzzsmith at gmail.com
Sat Nov 26 18:35:06 EST 2016
On 26 Nov. 2016 14:56, "Jeremy Visser" <jeremy.visser at gmail.com> wrote:
>
> On Fri, 25 Nov 2016 at 15:04 Ryan Tucker <rtucker09 at gmail.com> wrote:
>>
>> Do you use/prefer /64s or /126s for interconnects?
>
>
> If you decide to use /64s for the interconnect, make sure to only assign a /126 (or /127, whichever you want) to the interfaces.
>
> Assigning 2001:db8:1:1::1/64 to an interface is a good way to be vulnerable to neighbour cache exhaustion denial of service attacks.
>
It doesn't seem to be as much of an issue as it appears. People are
still assigning /64s to LAN segments, and they too would be vulnerable
to ND cache exhaustion attacks. That's where the servers are. From a
service availability perspective, available routers and links aren't
much use if the servers they're used to reach aren't.
I've proposed a couple of mitigations for this issue to the IETF (most
recent: https://www.ietf.org/proceedings/95/slides/slides-95-v6ops-0.pdf).
They get some interest; however, it doesn't seem to be a topic
desperate for work because there isn't a lot of activity in this area.
My efforts have been because I really like the simplicity and other
values of having /64s on every link. IPX networks were so much
simpler to operate than IPv4 ones, and same length and large prefixes
on all links was one of the reasons. If you only use one link prefix
size universally, it's pretty hard to get it wrong, and if you do it
sticks out.
It could be because vendors have implemented mitigations such as those
described in RFC6583, or it could be that nobody is bothering with ND
cache DoS attacks because other types of DoSs are more effective.
"Analysis of the 64-bit Boundary in IPv6 Addressing" discusses a
number of consequences of not using /64s (or more accurately, not
using 64 bit Interface Identifiers).
https://tools.ietf.org/html/rfc7421#section-4
Regards,
Mark.
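The thread above contrasts /64 interconnects with /126 or /127 interface assignments, and Mark's point that /64 LAN segments carry the same neighbour-cache exposure. The following is an added example (not code from the post or from AusNOG) that audits a constructed, vendor-style interface listing for both cases: it counts how many on-link addresses a router could be asked to resolve for each prefix, flags point-to-point links configured wider than /127 and suggests the /127 containing the configured address, and flags /64 LANs as the places where RFC 6583-style cache limits rather than addressing have to do the work. The description keywords used to decide "point-to-point", the sample config, and the finding codes are all assumptions of this example.

```python
"""Audit IPv6 interface prefixes for neighbour-cache exhaustion exposure.

Added example, not from the AusNOG post. It parses a constructed,
Cisco/Junos-like interface listing and flags:
  * point-to-point links configured with anything wider than a /127
    (RFC 6164 recommends /127 on inter-router links), and
  * /64 LAN segments, which stay exposed and rely on the RFC 6583
    mitigations (ND cache limits, rate limiting) rather than addressing.
"""
import ipaddress

# Constructed sample configuration (not from the original post). The
# descriptions are how this example decides whether a link is point-to-point;
# that is an assumption of the example, not a vendor convention.
SAMPLE_CONFIG = """\
interface ge-0/0/0
 description interconnect-to-rtr2
 ipv6 address 2001:db8:1:1::1/64
interface ge-0/0/1
 description interconnect-to-rtr3
 ipv6 address 2001:db8:1:2::/127
interface vlan100
 description server-lan
 ipv6 address 2001:db8:1:100::1/64
"""

# Substrings in a description that this example treats as "point-to-point".
P2P_HINTS = ("interconnect", "uplink", "p2p", "transit")


def parse_interfaces(text):
    """Return a list of {'name', 'description', 'addresses'} dicts."""
    interfaces = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "description": "", "addresses": []}
            interfaces.append(current)
        elif current is None:
            continue
        elif line.startswith("description "):
            current["description"] = line.split(None, 1)[1]
        elif line.startswith("ipv6 address "):
            # IPv6Interface accepts a host address such as ::1/64 directly.
            current["addresses"].append(ipaddress.IPv6Interface(line.split()[2]))
    return interfaces


def resolvable_targets(iface):
    """Number of on-link addresses, other than the router's own, that a packet
    from off-link can make the router attempt neighbour resolution for."""
    return iface.network.num_addresses - 1


def narrow_to_127(iface):
    """The /127 containing the configured address: what to assign to the
    interface when the /64 is reserved for the link but not configured on it."""
    return ipaddress.IPv6Interface(f"{iface.ip}/127")


def audit(text):
    """Return (interface, address, finding_code, detail) tuples."""
    findings = []
    for intf in parse_interfaces(text):
        is_p2p = any(h in intf["description"].lower() for h in P2P_HINTS)
        for addr in intf["addresses"]:
            plen = addr.network.prefixlen
            if is_p2p and plen < 127:
                findings.append((intf["name"], str(addr), "p2p-wide-prefix",
                                 f"{resolvable_targets(addr)} resolvable targets; "
                                 f"assign {narrow_to_127(addr)} instead (RFC 6164)"))
            elif not is_p2p and plen == 64:
                findings.append((intf["name"], str(addr), "lan-64",
                                 f"{resolvable_targets(addr)} resolvable targets; "
                                 "rely on ND cache limits/rate limiting (RFC 6583)"))
    return findings


if __name__ == "__main__":
    for name, addr, code, detail in audit(SAMPLE_CONFIG):
        print(f"{name:10} {addr:24} {code:16} {detail}")
```

Running the block as written reports ge-0/0/0 (a /64 on an interconnect, with 2001:db8:1:1::1/127 as the suggested replacement) and vlan100 (a server LAN on a /64); the /127 on ge-0/0/1 has exactly one other address to resolve and is not reported.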