Point-to-point /64
Jeroen Massar
jeroen at massar.ch
Sat Jun 1 19:09:03 CEST 2013
On 2013-06-01 07:04, Arturo Servin wrote:
> Hi,
>
> I would like to ask which measures people are taking to protect p-2-p
> links that are configured with a /64. So far I imagine things like
> rate-limiting, ACLs, etc. But still that is a bit abstract of what to do
> in a router.

What is the problem you are trying to protect against?

If you are protecting against something scanning the rest of the /64
where for instance only ::1 and ::2 are configured, you have two options:
- actually use /128 routes
- firewall away the prefixes

The first option is the easiest, no route, no lookups, no response.

The 'advantage' of setting aside a whole /64 is that one can then
one day enable that link as a multi-point link if wanted. Also using
/64's is easier than going back to 'what size will we use and which
prefix is the next free available one' (though programmatic assignments
and configuration help there of course ;)

Greets,
Jeroen

More information about the ipv6-ops mailing list
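
The two options from the reply above, modelled as an added example that is not part of the original message or any router's own configuration. The link prefix 2001:db8:0:1::/64 and all function names are constructed for illustration; the last function goes slightly beyond the message by showing what "firewall away the prefixes" costs on a filter that cannot order permit rules before a drop.

```python
import ipaddress

# Constructed sample link (documentation prefix), with only ::1 and ::2 in use.
LINK = ipaddress.ip_network("2001:db8:0:1::/64")
ENDPOINTS = [ipaddress.ip_address("2001:db8:0:1::1"),
             ipaddress.ip_address("2001:db8:0:1::2")]

def host_routes(link, endpoints):
    """Option 1: one /128 route per configured address, no covering /64."""
    for addr in endpoints:
        if addr not in link:
            raise ValueError(f"{addr} is not inside {link}")
    return [ipaddress.ip_network(f"{addr}/128") for addr in endpoints]

def is_routed(routes, dst):
    """True if any installed route covers dst; otherwise there is nothing to look up."""
    return any(ipaddress.ip_address(dst) in net for net in routes)

def filter_rules(link, endpoints):
    """Option 2: first-match filter, permit the endpoints, drop the rest of the /64."""
    return [("permit", net) for net in host_routes(link, endpoints)] + [("drop", link)]

def evaluate(rules, dst, default="permit"):
    """Return the action of the first rule whose prefix contains dst."""
    dst = ipaddress.ip_address(dst)
    for action, net in rules:
        if dst in net:
            return action
    return default

def unused_prefixes(link, endpoints):
    """Exact CIDR cover of the unused part of the link, for filters without rule ordering."""
    remaining = [link]
    for host in host_routes(link, endpoints):
        remaining = [piece for net in remaining
                     for piece in (net.address_exclude(host) if host.subnet_of(net) else [net])]
    return sorted(remaining)

if __name__ == "__main__":
    routes, rules = host_routes(LINK, ENDPOINTS), filter_rules(LINK, ENDPOINTS)
    for dst in ("2001:db8:0:1::2", "2001:db8:0:1::3", "2001:db8:0:1:dead:beef:0:1"):
        print(dst, "routed" if is_routed(routes, dst) else "no route", evaluate(rules, dst))
    print(len(unused_prefixes(LINK, ENDPOINTS)), "drop prefixes needed without rule ordering")
```
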