Point-to-point /64
Arturo Servin
arturo.servin at gmail.com
Sat Jun 1 19:41:11 CEST 2013
Thanks Jeroen, comments inline.
On 6/1/13 2:09 PM, Jeroen Massar wrote:
> On 2013-06-01 07:04, Arturo Servin wrote:
>> Hi,
>>
>> I would like to ask which measures is people taking to protect p-2-p
>> links that are configured with a /64. So far I imagine things like
>> rate-limiting, ACLs, etc. But still that is a bit abstract of what to do
>> in a router.
>
> What is the problem you are trying to protect against?
Against scanning the whole /64 and doing a DDoS to the router. I could
use a longer prefix, but if were using a /64, what are the BCPs to
correctly protect my router?
>
> If you are protecting against something scanning the rest of the /64
> where for instance only ::1 and ::2 are configured, you have two options:
> - actually use /128 routes
What do you mean about /128 routes?
> - firewall away the prefixes
Yes, this is good for my internal infrastructure, but for public
routers (transit, IXP) I may not be able to protect with a FW.
>
> The first option is the easiest, no route, no lookups, no response.
>
> The 'advantage' of setting aside a whole /64 is that one can then
> one-day enable that link as a multi-point link if wanted. Also using
> /64's is easier than going back to 'what size will we use and which
> prefix is the next free available one' (though programmatic assignments
> and configuration help there of course ;)
Yes, that is why we have /64s deployed. The question we have now is how
to protect them.
>
> Greets,
> Jeroen
>
Thanks,
as
More information about the ipv6-ops
mailing list