<p dir="ltr"><br>
On Jun 1, 2013 1:38 PM, "Arturo Servin" <<a href="mailto:arturo.servin@gmail.com">arturo.servin@gmail.com</a>> wrote:<br>
><br>
> Ole,<br>
><br>
> I know!<br>
><br>
> Basically I want to have the whole picture before recommend or not<br>
> recommend to use /64s in p2p links (or use them myself)<br>
><br>
> /64s in p2p looks very appealing for many reasons, but they have a<br>
> counter argument in security. Is it possible to overcome?<br>
><br>
> Perhaps the only solution is to avoid /64s in p2p links.<br>
><br>
> Regards,<br>
> as<br>
><br>
> P.D. I didn't want to bring the old discussion about p2p prefix sizes, I<br>
> just wanted to know how to deploy securely p2p with /64 prefixes (it<br>
> seems that it may not be possible)<br>
></p>
<p dir="ltr">I do /127 p2p</p>
<p dir="ltr">Subnet anycast is not a supported feature or requirment in my network.</p>
<p dir="ltr">Cheers!</p>
<p dir="ltr">CB<br>
> On 6/1/13 5:28 PM, Ole Troan wrote:<br>
> > Arturo,<br>
> ><br>
> > Don't put any global scope addresses on it at all.<br>
> ><br>
> > Ole<br>
> ><br>
> > On 1 Jun 2013, at 22:24, Arturo Servin <<a href="mailto:arturo.servin@gmail.com">arturo.servin@gmail.com</a>> wrote:<br>
> ><br>
> >><br>
> >> Got it.<br>
> >><br>
> >> I though it was something different.<br>
> >><br>
> >> Suppose now that I am very stubborn and I do not want to configure<br>
> >> /128, /127, /126, /112, /96 or any other longer prefix that /64 (even<br>
> >> when a /112 may let me growth in hosts without renumbering).<br>
> >><br>
> >> So far I know that I could put a FW to protect the links, that works in<br>
> >> some places. Where not, probably I should need to add some ACLs to the<br>
> >> router (which I would not be a fan of).<br>
> >><br>
> >> Anything else to protect the link?<br>
> >><br>
> >><br>
> >> Thanks!<br>
> >> .as<br>
> >><br>
> >> On 6/1/13 2:46 PM, Jeroen Massar wrote:<br>
> >>> On 2013-06-01 10:41, Arturo Servin wrote:<br>
> >>> [..]<br>
> >>>>> If you are protecting against something scanning the rest of the /64<br>
> >>>>> where for instance only ::1 and ::2 are configured, you have two options:<br>
> >>>>> - actually use /128 routes<br>
> >>>><br>
> >>>> What do you mean about /128 routes?<br>
> >>><br>
> >>> You configure 2001:db8:abcd:1234::1/128 on A, and then configure<br>
> >>> 2001:db8:abcd:1234::2/128 on B.<br>
> >>><br>
> >>> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface,<br>
> >>> on B you route 2001:db8:abcd:1234::1/128 to the PtP interface.<br>
> >>><br>
> >>> True Point-To-Point, with room to grow. Note that using a /127 might<br>
> >>> seem logical, it does not work due to the subnet-anycast address.<br>
> >>><br>
> >>> Indeed, you 'lose' the rest of the /64, but when the time comes that you<br>
> >>> convert it to a multi-point link one can just add extra /128s in there.<br>
> >>><br>
> >>> Greets,<br>
> >>> Jeroen<br>
> >>><br>
</p>