Point-to-point /64
Gert Doering
gert at space.net
Sun Jun 2 17:05:20 CEST 2013
Hi,
On Sun, Jun 02, 2013 at 06:18:33AM +0000, Eric Vyncke (evyncke) wrote:
> I am sure that you know:
> http://tools.ietf.org/html/draft-ietf-opsec-lla-only-03 which is
> one way of fixing the 'scanning' problem. OTOH, AFAIK most routers
> not only allow for a /127 on a PtP (or even Ethernet) interface :-)
> but also implement RFC 4443 correctly, i.e., even if you configure
> a /64 on a PtP they will not 'loop' the packet back to the interface
> => no amplification possible.
This is actually quite a good bit of information (and thanks for digging
up RFC 4443 so I didn't have to go search).
OTOH, most "p2p" links these days are no longer "true p2p with no ND layer
below" (where ping-pong would be a problem) but "ethernet used as a p2p
link", which will do ND, and then ND exhaustion attacks enter the
picture.
(Is there an implementation that can use an ethernet link as a true p2p
medium without ND? Could be made to work by putting the receiving PHY into
promiscuous mode to receive "anything that comes in" and sending with a
fixed arbitrary MAC header... OTOH it likely breaks a zillion specs...)
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (89) 32356-444
Vorstand (executive board): Sebastian v. Bomhard; Aufsichtsratsvors. (supervisory board chair): A. Grundner-Culemann; HRB: 136055 (AG Muenchen); USt-IdNr. (VAT ID): DE813185279
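The RFC 4443 section 3.1 rule Eric mentions, and the /64 ping-pong it prevents on a true p2p link, modelled as an added example (not code from either poster or from any router vendor). The routers, the 2001:db8:0:1::/64 numbering and the hop limit of 64 are constructed for illustration.

```python
"""Model of the IPv6 "ping-pong" on a /64-numbered point-to-point link.
Constructed scenario: routers A and B share a p2p link numbered
2001:db8:0:1::/64 (A = ::1, B = ::2); a packet from upstream reaches A for
an unused address in that /64. Without the RFC 4443 section 3.1 rule the
routers bounce it between them until the hop limit expires; with it, the
first router receiving it *from the link* discards it with ICMPv6 code 3.
"""
import ipaddress

LINK = ipaddress.IPv6Network("2001:db8:0:1::/64")
ADDRS = {"A": ipaddress.IPv6Address("2001:db8:0:1::1"),
         "B": ipaddress.IPv6Address("2001:db8:0:1::2")}
PEER = {"A": "B", "B": "A"}


def forward_on_p2p(router, dst, hop_limit, arrived_from_link, rfc4443):
    """One router's decision for a packet to dst: (action, new_hop_limit)."""
    if dst == ADDRS[router]:
        return "deliver", hop_limit
    if dst not in LINK:
        return "off-link", hop_limit  # ordinary routing, not modelled here
    if rfc4443 and arrived_from_link:
        # RFC 4443 3.1: a packet received from a p2p link for an address in
        # that link's subnet (other than our own) MUST NOT go back onto it;
        # send ICMPv6 Destination Unreachable, code 3 (address unreachable).
        return "unreachable", hop_limit
    if hop_limit <= 1:
        # Hop limit would reach 0: discard, send ICMPv6 Time Exceeded.
        return "hop-limit-exceeded", 0
    return "forward", hop_limit - 1


def simulate(dst, hop_limit=64, rfc4443=True):
    """Count link crossings until the packet is delivered or discarded.
    The packet enters at A from upstream, i.e. not from the p2p link."""
    dst = ipaddress.IPv6Address(dst)
    router, from_link, crossings = "A", False, 0
    while True:
        action, hop_limit = forward_on_p2p(router, dst, hop_limit,
                                           from_link, rfc4443)
        if action != "forward":
            return action, crossings
        crossings += 1
        router, from_link = PEER[router], True


if __name__ == "__main__":
    for rule in (False, True):
        print("RFC 4443", "on" if rule else "off", simulate("2001:db8:0:1::dead", rfc4443=rule))
```

With the rule off, one upstream packet to an unused address crosses the link 63 times before the hop limit kills it; with it on, once.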