Point-to-point /64

Eric Vyncke (evyncke) evyncke at cisco.com
Sun Jun 2 08:18:33 CEST 2013


Arturo,

I am sure that you know: http://tools.ietf.org/html/draft-ietf-opsec-lla-only-03 which is one way of fixing the 'scanning' problem. OTOH, AFAIK most routers not only allow for a /127 on a PtP (or even Ethernet) interface :-) but also implement RFC 4443 correctly, i.e., even if you configure a /64 on a PtP they will not 'loop' the packet back to the interface => no amplification possible.

-éric

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Jeroen Massar
> Sent: samedi 1 juin 2013 19:46
> To: Arturo Servin
> Cc: ipv6-ops at lists.cluenet.de
> Subject: Re: Point-to-point /64
> 
> On 2013-06-01 10:41, Arturo Servin wrote:
> [..]
> >> If you are protecting against something scanning the rest of the /64
> >> where for instance only ::1 and ::2 are configured, you have two options:
> >>  - actually use /128 routes
> >
> > What do you mean about /128 routes?
> 
> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
> 2001:db8:abcd:1234::2/128 on B.
> 
> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface, on B you
> route 2001:db8:abcd:1234::1/128 to the PtP interface.
> 
> True Point-To-Point, with room to grow. Note that, while using a /127 might
> seem logical, it does not work due to the subnet-anycast address.
> 
> Indeed, you 'lose' the rest of the /64, but when the time comes that you
> convert it to a multi-point link one can just add extra /128s in there.
> 
> Greets,
>  Jeroen
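
To make the two mitigations discussed in this thread concrete, here is an added Python simulation (not code from either post): two routers A and B on a PtP link, numbered either as a /64 or as two /128s with host routes as Jeroen describes, with or without the RFC 4443 section 3.1 check Eric refers to, counting how many times a packet to an unconfigured address in the /64 crosses the link. The Router, simulate and build_link names and the 2001:db8:abcd:1234::dead destination are constructed for this example.

```python
import ipaddress


class Router:
    """Toy router with one PtP interface: its address, the on-link prefix length
    (64 or 128), prefixes routed out of the PtP link, and the RFC 4443 flag."""

    def __init__(self, addr, prefixlen, ptp_routes, rfc4443):
        self.addr = ipaddress.IPv6Address(addr)
        self.link_prefix = ipaddress.IPv6Network(f"{addr}/{prefixlen}", strict=False)
        self.ptp_routes = [ipaddress.IPv6Network(p) for p in ptp_routes]
        self.rfc4443 = rfc4443

    def handle(self, dst, arrived_on_ptp):
        """Decide what to do with a packet for dst; returns an action string."""
        if dst == self.addr:
            return "deliver"
        if not any(dst in p for p in self.ptp_routes):
            return "no_route"          # ICMPv6 Destination Unreachable, code 0
        if self.rfc4443 and arrived_on_ptp and dst in self.link_prefix:
            # RFC 4443 s3.1: a packet received from a PtP link, destined to an address
            # within that link's subnet that is not ours, MUST NOT be forwarded back.
            return "unreachable"       # ICMPv6 Destination Unreachable, code 3
        return "forward"


def simulate(a, b, dst, hop_limit=64):
    """Inject one packet for dst into A from elsewhere; count trips over the link."""
    dst = ipaddress.IPv6Address(dst)
    current, other, on_ptp, trips = a, b, False, 0
    while hop_limit > 0:
        action = current.handle(dst, on_ptp)
        if action != "forward":
            return action, trips
        trips += 1
        hop_limit -= 1
        current, other, on_ptp = other, current, True
    return "hop_limit_exceeded", trips


def build_link(prefixlen, rfc4443):
    """A <-> B link numbered as a /64, or as two /128s with host routes (per Jeroen)."""
    a_addr, b_addr = "2001:db8:abcd:1234::1", "2001:db8:abcd:1234::2"
    if prefixlen == 64:
        a_routes = b_routes = ["2001:db8:abcd:1234::/64"]   # connected route
    else:
        a_routes, b_routes = [b_addr + "/128"], [a_addr + "/128"]
    return (Router(a_addr, prefixlen, a_routes, rfc4443),
            Router(b_addr, prefixlen, b_routes, rfc4443))
```

Without the RFC 4443 check a /64 link bounces the packet until the hop limit runs out (64 trips for one packet), with the check it is dropped after one trip, and with /128s there is simply no route for the unused address.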
