Point-to-point /64

Arturo Servin arturo.servin at gmail.com
Sat Jun 1 19:41:11 CEST 2013


	Thanks Jeroen, comments inline.

On 6/1/13 2:09 PM, Jeroen Massar wrote:
> On 2013-06-01 07:04, Arturo Servin wrote:
>> Hi,
>>
>> 	I would like to ask which measures people are taking to protect p-2-p
>> links that are configured with a /64. So far I imagine things like
>> rate-limiting, ACLs, etc. But still that is a bit abstract of what to do
>> in a router.
> 
> What is the problem you are trying to protect against?


	Against scanning the whole /64 and doing a DDoS to the router. I could
use a longer prefix, but if we were using a /64, what are the BCPs to
correctly protect my router?

> 
> If you are protecting against something scanning the rest of the /64
> where for instance only ::1 and ::2 are configured, you have two options:
>  - actually use /128 routes

What do you mean about /128 routes?

>  - firewall away the prefixes

	Yes, this is good for my internal infrastructure, but for public
routers (transit, IXP) I may not be able to protect with a FW.

> 
> The first option is the easiest, no route, no lookups, no response.
> 
> The 'advantage' of setting aside a whole /64 is that one can then
> one-day enable that link as a multi-point link if wanted. Also using
> /64's is easier than going back to 'what size will we use and which
> prefix is the next free available one' (though programmatic assignments
> and configuration help there of course ;)

	Yes, that is why we have /64s deployed. The question we have now is how
to protect them.

> 
> Greets,
>  Jeroen
> 
Thanks,
as
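A small model of the three approaches discussed in this thread (the /64 as a connected route, /128 host routes only, and a filter that drops the rest of the /64), added here as an illustration of the "no route, no lookups, no response" point; it is not part of the original exchange or any vendor's configuration syntax, and the prefix and addresses are constructed documentation values.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed documentation-range values; not taken from the thread.
LINK = IPv6Network("2001:db8:ffff:1::/64")   # the point-to-point /64
LOCAL = IPv6Address("2001:db8:ffff:1::1")    # this router's address
PEER = IPv6Address("2001:db8:ffff:1::2")     # the far end of the link

# Option A: the whole /64 is a connected route (the setup the thread asks about).
RIB_64 = [(LINK, "connected"),
          (IPv6Network(f"{LOCAL}/128"), "local")]

# Option B: only /128 host routes exist; nothing else in the /64 is routed.
RIB_128 = [(IPv6Network(f"{LOCAL}/128"), "local"),
           (IPv6Network(f"{PEER}/128"), "connected")]


def longest_match(rib, dst):
    """Plain longest-prefix match over (network, kind) entries."""
    hits = [entry for entry in rib if dst in entry[0]]
    return max(hits, key=lambda e: e[0].prefixlen, default=(None, "none"))


def forward(rib, dst, deny=(), permit=()):
    """What the router does with a packet addressed to dst.

    A 'connected' hit means the router must resolve dst's link-layer
    address before it can send, which costs neighbour-cache state for
    every probed address; 'none' means the packet is discarded before
    any such work.  deny/permit model Option C: a filter that drops the
    /64 except the configured hosts.
    """
    if dst not in permit and any(dst in net for net in deny):
        return "drop-filtered"
    _, kind = longest_match(rib, dst)
    return {"local": "deliver-locally",
            "connected": "neighbour-lookup",
            "none": "drop-no-route"}[kind]


def lookups_caused(rib, targets, **filt):
    """How many of a scan's targets make this router do neighbour work."""
    return sum(forward(rib, t, **filt) == "neighbour-lookup" for t in targets)


# A constructed scan of the first 64 addresses of the /64 (a real scan
# walks far more, which is exactly what makes Option A expensive).
SCAN = [LINK[i] for i in range(64)]
```

With the connected /64 every scanned address costs a neighbour lookup, whereas with /128 routes or the filter only the real peer does.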
