Point-to-point /64

Ole Troan otroan at employees.org
Sat Jun 1 22:28:35 CEST 2013


Arturo,

Don't put any global scope addresses on it at all. 

Ole

On 1 Jun 2013, at 22:24, Arturo Servin <arturo.servin at gmail.com> wrote:

> 
>    Got it.
> 
>    I thought it was something different.
> 
>    Suppose now that I am very stubborn and I do not want to configure
> /128, /127, /126, /112, /96 or any other longer prefix than /64 (even
> when a /112 may let me grow in hosts without renumbering).
> 
>    So far I know that I could put a FW to protect the links, that works in
> some places. Where not, probably I should need to add some ACLs to the
> router (which I would not be a fan of).
> 
>    Anything else to protect the link?
> 
> 
> Thanks!
> .as
> 
> On 6/1/13 2:46 PM, Jeroen Massar wrote:
>> On 2013-06-01 10:41, Arturo Servin wrote:
>> [..]
>>>> If you are protecting against something scanning the rest of the /64
>>>> where for instance only ::1 and ::2 are configured, you have two options:
>>>> - actually use /128 routes
>>> 
>>> What do you mean about /128 routes?
>> 
>> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
>> 2001:db8:abcd:1234::2/128 on B.
>> 
>> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface,
>> on B you route 2001:db8:abcd:1234::1/128 to the PtP interface.
>> 
>> True Point-To-Point, with room to grow. Note that using a /127 might
>> seem logical, it does not work due to the subnet-anycast address.
>> 
>> Indeed, you 'lose' the rest of the /64, but when the time comes that you
>> convert it to a multi-point link one can just add extra /128s in there.
>> 
>> Greets,
>> Jeroen
>> 
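
The /128-route layout described in the quoted message, modelled as an added example (not code from the thread): a longest-prefix match over constructed routing tables for router A shows which destinations in the /64 make A start neighbor discovery on the PtP link. The table format, action names and function names are assumptions for illustration.

```python
import ipaddress

LINK = "2001:db8:abcd:1234::/64"  # documentation prefix used in the thread

# Constructed routing tables for router A. Each entry is (prefix, action):
#   "local"  = A's own address
#   "onlink" = resolve the destination itself via neighbor discovery on the PtP interface
SLASH64_LAYOUT = [
    ("2001:db8:abcd:1234::1/128", "local"),
    (LINK, "onlink"),                          # whole /64 is connected
]
SLASH128_LAYOUT = [
    ("2001:db8:abcd:1234::1/128", "local"),
    ("2001:db8:abcd:1234::2/128", "onlink"),   # only B is routed to the interface
]

def lookup(routes, dst):
    """Longest-prefix match; returns the action, or 'unreachable' if nothing matches."""
    addr = ipaddress.IPv6Address(dst)
    best_len, best_action = -1, "unreachable"
    for prefix, action in routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_action = net.prefixlen, action
    return best_action

def nd_entries_after_sweep(routes, link_prefix, count):
    """Walk ::1 .. ::count inside link_prefix and return the addresses for which
    A would create a neighbor cache entry (resolved or incomplete)."""
    base = ipaddress.IPv6Network(link_prefix).network_address
    cache = set()
    for i in range(1, count + 1):
        dst = base + i
        if lookup(routes, dst) == "onlink":
            cache.add(dst)
    return cache

if __name__ == "__main__":
    for name, table in (("/64 on-link", SLASH64_LAYOUT), ("/128 routes", SLASH128_LAYOUT)):
        n = len(nd_entries_after_sweep(table, LINK, 1000))
        print(f"{name}: {n} neighbor cache entries after a 1000-address sweep")
```

With the /64 connected, every swept address other than A's own costs a neighbor cache entry; with the /128 routes only B's address does, and the rest of the /64 never reaches neighbor discovery.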

