The 24-39 bits are generally not an issue if you are deploying in a rational manner for the 6500/7600 platform. I.e., don't use addresses with those bits set. Your carriers won't, so why should you? All of the caveats for IPv4 apply to IPv6.

As for the attack vectors against a 6500/7600, the attacks are mostly neighbor discovery related. Neighbor discovery attacks are bad on most platforms. The solution we use is to limit the size of subnets switched by the box. This breaks things that depend on auto-configuration, but we don't do auto-configuration for public customer space. That is statically assigned. If you have to use auto-configuration, then don't use the PFC3-based supervisors, or use DHCP.

LR Mack McBride
Network Architect

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nick Hilliard
Sent: Saturday, December 29, 2012 2:27 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [c-nsp] IPv6 CoPP

On 29/12/2012 14:15, Randy wrote:
> Any caveats in ipv6? (The routers use sup720-3bxl supervisors).

oh man, sup720 + ipv6. what a world of pain.

You could start out here:

http://www.cesnet.cz/doc/techzpravy/2010/ipv6-copp/

Just be aware that some of their configurations don't actually work because (as ++ytti has previously noted on this mailing list) they haven't taken sup720 ipv6 acl address compression into account:

http://goo.gl/TTzkw

i.e. you can have either layer 4 port information in your acl and choose to lose bits 24-39 in the ipv6 address, or else you can have all ipv6 bits, but no ports specified.

Beware also:

- ipv6 multicast (pain++ on sup720)
- ipv6 fragments (not supported in sup720 acls)
- ipv6 urpf

All things considered, it's not really a good idea to run ipv6 on a production pfc3 based box (e.g. sup720 / rsp720). It opens up too many DoS / performance vectors.
Nick
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
