Point-to-point /64

Arturo Servin arturo.servin at gmail.com
Sat Jun 1 22:38:36 CEST 2013


Ole,

	I know!

	Basically I want to have the whole picture before recommend or not
recommend to use /64s in p2p links (or use them myself)

	/64s in p2p look very appealing for many reasons, but they have a
counter-argument in security. Is it possible to overcome it?

	Perhaps the only solution is to avoid /64s in p2p links.

Regards,
as

P.S. I didn't want to bring up the old discussion about p2p prefix sizes, I
just wanted to know how to securely deploy p2p links with /64 prefixes (it
seems that it may not be possible).

On 6/1/13 5:28 PM, Ole Troan wrote:
> Arturo,
> 
> Don't put any global scope addresses on it at all. 
> 
> Ole
> 
> On 1 Jun 2013, at 22:24, Arturo Servin <arturo.servin at gmail.com> wrote:
> 
>>
>>    Got it.
>>
>>    I thought it was something different.
>>
>>    Suppose now that I am very stubborn and I do not want to configure
>> /128, /127, /126, /112, /96 or any other prefix longer than /64 (even
>> when a /112 may let me grow in hosts without renumbering).
>>
>>    So far I know that I could put a FW in to protect the links, which works in
>> some places. Where it does not, I would probably need to add some ACLs to the
>> router (which I would not be a fan of).
>>
>>    Anything else to protect the link?
>>
>>
>> Thanks!
>> .as
>>
>> On 6/1/13 2:46 PM, Jeroen Massar wrote:
>>> On 2013-06-01 10:41, Arturo Servin wrote:
>>> [..]
>>>>> If you are protecting against something scanning the rest of the /64
>>>>> where for instance only ::1 and ::2 are configured, you have two options:
>>>>> - actually use /128 routes
>>>>
>>>> What do you mean about /128 routes?
>>>
>>> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
>>> 2001:db8:abcd:1234::2/128 on B.
>>>
>>> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface,
>>> on B you route 2001:db8:abcd:1234::1/128 to the PtP interface.
>>>
>>> True Point-To-Point, with room to grow. Note that while using a /127 might
>>> seem logical, it does not work due to the subnet-anycast address.
>>>
>>> Indeed, you 'lose' the rest of the /64, but when the time comes that you
>>> convert it to a multi-point link one can just add extra /128s in there.
>>>
>>> Greets,
>>> Jeroen
>>>
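The /128 scheme Jeroen describes (each end gets one /128 from the link's /64 and a /128 route to the other end over the point-to-point interface, with the rest of the /64 left unrouted) is easy to get subtly wrong by hand. The following is an added example, not code from the thread or from any of its participants: it builds the per-router address and route commands for a /64 and any number of ends (two for true point-to-point, more for the multi-point case), rejecting addresses outside the /64 and the all-zeros interface ID that is the subnet-router anycast address. The link prefix, router names and interface name are constructed for illustration.

```python
# Added example (not from the mailing-list thread): plan per-end /128
# addressing and static routes for a link that has a whole /64 allotted.
import ipaddress
from typing import Dict, List, Optional

def reject_reason(link_prefix: str, addr: str) -> Optional[str]:
    """Return why `addr` is unusable as a /128 inside `link_prefix`, or None."""
    net = ipaddress.IPv6Network(link_prefix, strict=True)
    a = ipaddress.IPv6Address(addr)
    if net.prefixlen != 64:
        return f"{net} is not a /64"
    if a not in net:
        return f"{a} is outside {net}"
    if a == net.network_address:
        # RFC 4291: the all-zeros interface ID is the subnet-router anycast
        # address and must not be assigned as a unicast host address.
        return f"{a} is the subnet-router anycast address"
    return None

def plan_p2p_128s(link_prefix: str, ends: Dict[str, str],
                  iface: str = "ptp0") -> Dict[str, List[str]]:
    """Return Linux ip(8) commands per router name (constructed format).

    ends maps router name -> chosen address inside the /64. Each router
    configures only its own /128 and a /128 route to every other end via
    the point-to-point interface; nothing else in the /64 is routed onto
    the link, so a scan of the remaining /64 has nothing to resolve.
    """
    for name, addr in ends.items():
        why = reject_reason(link_prefix, addr)
        if why is not None:
            raise ValueError(f"{name}: {why}")
    if len(set(ends.values())) != len(ends):
        raise ValueError("end addresses must be distinct")
    plan: Dict[str, List[str]] = {}
    for name, addr in ends.items():
        cmds = [f"ip -6 addr add {ipaddress.IPv6Address(addr)}/128 dev {iface}"]
        for other, peer in ends.items():
            if other != name:
                cmds.append(f"ip -6 route add {ipaddress.IPv6Address(peer)}/128 dev {iface}")
        plan[name] = cmds
    return plan

if __name__ == "__main__":
    for router, cmds in plan_p2p_128s("2001:db8:abcd:1234::/64",
                                      {"A": "2001:db8:abcd:1234::1",
                                       "B": "2001:db8:abcd:1234::2"}).items():
        print(f"# {router}\n" + "\n".join(cmds))
```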

