IPv6 network policies

Steve Bertrand steve at ibctech.ca
Sat Apr 10 01:55:20 CEST 2010


On 2010.04.09 19:44, David Freedman wrote:

> On 10/04/2010 00:35, "Steve Bertrand" <steve at ibctech.ca> wrote:

>> Although I use uRPF for everything, this doesn't fix the areas where
>> ACLs are still needed (and in fact, I have ACLs in place on top of uRPF).
> 
> I can't have uRPF6 in many places due to lack of hardware support on my
> vendor's equipment. This means resorting to ACLs. We have a lot of ACLs :)

Well, given that we're a small shop, just look at it that 'I don't have
uRPF6 in many places' and 'I do too' ;)

>> An issue that I notice from time-to-time, is that I have an interface
>> that has the appropriate v4 ACLs applied, but the v6 ones have been
>> forgotten. What do other operators do to ensure consistency on ACL
>> application in regards to both protocols?
> 
> Well, for us, we re-use the same framework we have in place for auditing
> compliance of components of existing infrastructure, for us it is just
> another check (i.e v4 acl present, v6 enabled, v6 acl should be present),
> whether you have a large multifaceted system for auditing configs, or just a
> set of simple scripts, the logic tests that can be applied remain the same.

Might I ask what you use for auditing? Does what you use for auditing
work against/with the likes of a RANCID setup as opposed to polling the
gear? iow, our auditing is limited to the op ensuring its done, and if
not, someone catching in the RANCID change log that it wasn't done. ie.
not yet automated.

>> The other 'question' I have is regarding a very sensitive area. I do not
>> want to get into a war about this. I figure that this list is exactly
>> where I should ask.
>>
>> What I'm looking for is from _only_ those that use it, is how you
>> document it, example config snips, if/how you reserve around it and from
>> a topology standpoint how you alloc/assign it. I'm sorry, but I'm
>> talking about /126 or /127 for ptp. I must admit, I am concerned with
>> ping-pong and no real easy way to combat it, so I'd like operational
>> feedback and education from those that use them without any traditional
>> strong opinions from those that oppose it (if possible :)
> 
> We use /126, no strong opinions, just trying to be kinder on cross training
> the folk who are comfortable with using IPv4 /30s. (we were never a /31
> adopter)

Ok. That works. I use /30. I'm more considerate to /126 (/30) than I am
to the other.

I've been using /64 for ptp, but am seriously reconsidering given the
inability to combat what I've been lab'ing that could potentially become
a nightmare. However, if I do change to this approach, I'm thinking that
I'll reserve the encompassing /64, just in case.

This is why I was curious about how these /12xs were being assigned.

>From one specific block for the entire network, or in the same tradition
as /30s are used (ie. steal from a delegation)?

Thanks David,

Steve


More information about the ipv6-ops mailing list