Question about IPAM tools for v6

Alexandru Petrescu alexandru.petrescu at gmail.com
Fri Jan 31 15:00:09 CET 2014


Messages quoted for reference (if none, then end of message): On 
31/01/2014 14:07, Ole Troan wrote:
>>> Consensus around here is that we support DHCPv6 for non-/64 subnets
>>> (particularly in the context of Prefix Delegation), but the immediate
>>> next question is "Why would you need that?"
>> /64 netmask opens up nd cache exhaustion as a DoS vector.
> FUD.

Sigh... as usual with brief statements it's hard to see clearly.

I think ND attacks may be eased by an always-same prefix length (64).

Some attacks may be using unsolicited NAs to deny others configuring a 
particular address.  That's easier if the attacker assumes the prefix 
length were, as usual, 64.

Additionally, an always-64 prefix length gives a _scanning_ perspective 
to the security dimension, as per section 2.2 "Target Address Space for 
Network Scanning" of RFC5157.

As a side note, security is not the only reason why people would like to 
configure prefixes longer than 64 on some subnets... some of the most 
obvious being the address exhaustion at the very edge.

Alex


>
> cheers,
> Ole



