Correct, the security posture is more important. General consensus is that a subnet is a /64. More specifics should be used to reduce exposure to attacks. Links, for example, are generally assigned as /126 or /127.
Mack

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Saku Ytti
Sent: Saturday, December 11, 2010 3:26 AM
To: [email protected]
Subject: Re: [c-nsp] "Compressed" IPv6 ACLs on Cat6500

On (2010-12-10 13:43 -0800), Mack McBride wrote:

> This is exactly the expected behavior for sequence 30.
> You can use longer than a /88 but don't expect differentiation on bits 39:24.
> This corresponds to standard practice which would have those bits set to zero.
> Ie. Allocate a /64 but use a /112 or /120 to reduce exposure to ND cache
> exhaustion.

I have no argument that this is what the platform should do, I'm just saying that operator using (assigning) more specific than /88 is not going to be happy, so it makes sense to just not use more specific than /88.

What you're doing, is using more specific but you're making sure that security posture is same inside the /88 (or in this case /64).

--
  ++ytti
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
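The check below is an added example, not part of the thread or of any Cisco tooling: it audits an address plan for prefixes longer than /88 that depend on bits 39:24, the bits the quoted message says a compressed ACL entry will not differentiate. It assumes bit 0 is the least significant address bit and models the compression as simply ignoring bits 39:24; the sample prefixes are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
from itertools import combinations

# Assumption taken from the thread: a compressed ACL entry does not
# compare address bits 39:24 (bit 0 = least significant bit).
IGNORED_MASK = ((1 << 40) - 1) ^ ((1 << 24) - 1)  # bits 39..24 set


def compressed_key(net):
    """Return (address, prefixlen) as seen once bits 39:24 are ignored."""
    return int(net.network_address) & ~IGNORED_MASK, net.prefixlen


def audit(prefixes):
    """Find prefixes longer than /88 whose meaning depends on bits 39:24.

    Returns (nonzero, collisions):
      nonzero    - prefixes that set any of bits 39:24
      collisions - pairs of distinct prefixes that become identical
                   once bits 39:24 are ignored
    """
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    long_nets = [n for n in nets if n.prefixlen > 88]
    nonzero = [str(n) for n in long_nets
               if int(n.network_address) & IGNORED_MASK]
    collisions = [(str(a), str(b)) for a, b in combinations(long_nets, 2)
                  if a != b and compressed_key(a) == compressed_key(b)]
    return nonzero, collisions


# Constructed sample plan: one /64 allocation carved into longer prefixes.
SAMPLE = [
    "2001:db8:0:1::/64",        # the allocation itself, not longer than /88
    "2001:db8:0:1::1:0/112",    # bit 16 set, bits 39:24 zero
    "2001:db8:0:1::1:100/120",  # bits 16 and 8 set, bits 39:24 zero
    "2001:db8:0:1::100:0/112",  # bit 24 set
    "2001:db8:0:1::200:0/112",  # bit 25 set
]

if __name__ == "__main__":
    nonzero, collisions = audit(SAMPLE)
    for p in nonzero:
        print("uses bits 39:24:", p)
    for a, b in collisions:
        print("indistinguishable after compression:", a, "and", b)
```
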
