Point-to-point /64

cb.list6 cb.list6 at gmail.com
Sat Jun 1 22:49:35 CEST 2013


On Jun 1, 2013 1:38 PM, "Arturo Servin" <arturo.servin at gmail.com> wrote:
>
> Ole,
>
>         I know!
>
>         Basically I want to have the whole picture before recommending or not
> recommending the use of /64s in p2p links (or using them myself)
>
>         /64s in p2p looks very appealing for many reasons, but they have a
> counter argument in security. Is it possible to overcome?
>
>         Perhaps the only solution is to avoid /64s in p2p links.
>
> Regards,
> as
>
> P.D. I didn't want to bring the old discussion about p2p prefix sizes, I
> just wanted to know how to deploy securely p2p with /64 prefixes (it
> seems that it may not be possible)
>

I do /127 p2p

Subnet anycast is not a supported feature or requirement in my network.

Cheers!

CB
> On 6/1/13 5:28 PM, Ole Troan wrote:
> > Arturo,
> >
> > Don't put any global scope addresses on it at all.
> >
> > Ole
> >
> > On 1 Jun 2013, at 22:24, Arturo Servin <arturo.servin at gmail.com> wrote:
> >
> >>
> >>    Got it.
> >>
> >>    I thought it was something different.
> >>
> >>    Suppose now that I am very stubborn and I do not want to configure
> >> /128, /127, /126, /112, /96 or any other prefix longer than /64 (even
> >> when a /112 may let me grow in hosts without renumbering).
> >>
> >>    So far I know that I could put a FW to protect the links, that works in
> >> some places. Where not, probably I should need to add some ACLs to the
> >> router (which I would not be a fan of).
> >>
> >>    Anything else to protect the link?
> >>
> >>
> >> Thanks!
> >> .as
> >>
> >> On 6/1/13 2:46 PM, Jeroen Massar wrote:
> >>> On 2013-06-01 10:41, Arturo Servin wrote:
> >>> [..]
> >>>>> If you are protecting against something scanning the rest of the /64
> >>>>> where for instance only ::1 and ::2 are configured, you have two options:
> >>>>> - actually use /128 routes
> >>>>
> >>>> What do you mean about /128 routes?
> >>>
> >>> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
> >>> 2001:db8:abcd:1234::2/128 on B.
> >>>
> >>> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface,
> >>> on B you route 2001:db8:abcd:1234::1/128 to the PtP interface.
> >>>
> >>> True Point-To-Point, with room to grow. Note that using a /127 might
> >>> seem logical, it does not work due to the subnet-anycast address.
> >>>
> >>> Indeed, you 'lose' the rest of the /64, but when the time comes that you
> >>> convert it to a multi-point link one can just add extra /128s in there.
> >>>
> >>> Greets,
> >>> Jeroen
> >>>
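A worked version of the /128 host-route scheme Jeroen describes, added here as an example and not taken from the thread. It assumes Linux iproute2 command syntax and an interface name of ptp0 (both assumptions); the prefix 2001:db8:abcd:1234::/64 is the documentation prefix from his mail. Beyond building the two routers' configurations, it does a longest-prefix-match lookup over each route table to show the defensive effect at issue: with only /128 routes, a destination elsewhere in the /64 never resolves onto the link, whereas a connected /64 route makes every one of its 2^64 addresses trigger neighbour discovery there. It also flags the subnet-router anycast address (the all-zero interface identifier), which is the collision Jeroen raises for /127.

```python
"""Plan a point-to-point link with /128 host routes instead of a connected /64.

Added example, not from the ipv6-ops thread.  Assumptions: the interface is
called "ptp0" and the rendered commands follow Linux iproute2 syntax.
"""
import ipaddress

IFACE = "ptp0"  # assumed interface name for the point-to-point link


def subnet_router_anycast(link_prefix):
    """Subnet-router anycast address: the prefix with an all-zero interface
    identifier (RFC 4291 section 2.6.1), e.g. 2001:db8:abcd:1234:: for the /64."""
    return ipaddress.IPv6Network(link_prefix, strict=False)[0]


def host_is_anycast(link_prefix, iid):
    """True when host number `iid` inside the link prefix is the anycast address."""
    net = ipaddress.IPv6Network(link_prefix)
    return net[iid] == subnet_router_anycast(link_prefix)


def p2p_plan(link_prefix, a_iid=1, b_iid=2):
    """Per-router plan: one /128 address each, plus a /128 route to the peer
    pointing at the link.  No connected /64 route is installed on the link."""
    net = ipaddress.IPv6Network(link_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected the /64 assigned to the link")
    for iid in (a_iid, b_iid):
        if host_is_anycast(link_prefix, iid):
            raise ValueError(f"{net[iid]} is the subnet-router anycast address")
    a, b = net[a_iid], net[b_iid]
    return {
        "A": {"addr": a, "routes": {ipaddress.IPv6Network(f"{b}/128"): IFACE}},
        "B": {"addr": b, "routes": {ipaddress.IPv6Network(f"{a}/128"): IFACE}},
    }


def connected_64(link_prefix):
    """Route table for the alternative the thread argues against: the whole
    /64 as a connected route on the link."""
    return {ipaddress.IPv6Network(link_prefix): IFACE}


def iproute2_commands(router, plan):
    """Render one router's plan as iproute2 commands (strings only, not run)."""
    entry = plan[router]
    cmds = [f"ip -6 addr add {entry['addr']}/128 dev {IFACE}"]
    for net, dev in entry["routes"].items():
        cmds.append(f"ip -6 route add {net} dev {dev}")
    return cmds


def lookup(dst, routes):
    """Longest-prefix match over {IPv6Network: device}.  Returns the device
    the destination would be resolved on, or None when no route covers it
    (so nothing is sent to the link and no neighbour-cache entry is created)."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for net, dev in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def link_exposed_addresses(routes):
    """Number of destination addresses that resolve onto the link under a
    route table, i.e. how much of the address space a scan can make the
    router perform neighbour discovery for."""
    return sum(net.num_addresses for net, dev in routes.items() if dev == IFACE)


if __name__ == "__main__":
    plan = p2p_plan("2001:db8:abcd:1234::/64")
    for router in ("A", "B"):
        print(f"# router {router}")
        print("\n".join(iproute2_commands(router, plan)))
    print("/128 plan exposes", link_exposed_addresses(plan["A"]["routes"]), "address")
    print("connected /64 exposes",
          link_exposed_addresses(connected_64("2001:db8:abcd:1234::/64")), "addresses")
```

The commands are only rendered, not executed; applying them needs the actual interface name and root on each router, and the same /128 pairing must be mirrored on both ends or traffic to the peer has no route.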