Arturo,

Don't put any global scope addresses on it at all.

Ole

On 1 Jun 2013, at 22:24, Arturo Servin <[email protected]> wrote:

>
> Got it.
>
> I thought it was something different.
>
> Suppose now that I am very stubborn and I do not want to configure
> /128, /127, /126, /112, /96 or any other longer prefix than /64 (even
> when a /112 may let me grow in hosts without renumbering).
>
> So far I know that I could put a FW to protect the links, that works in
> some places. Where not, probably I should need to add some ACLs to the
> router (which I would not be a fan of).
>
> Anything else to protect the link?
>
>
> Thanks!
> .as
>
> On 6/1/13 2:46 PM, Jeroen Massar wrote:
>> On 2013-06-01 10:41, Arturo Servin wrote:
>> [..]
>>>> If you are protecting against something scanning the rest of the /64
>>>> where for instance only ::1 and ::2 are configured, you have two options:
>>>> - actually use /128 routes
>>>
>>> What do you mean about /128 routes?
>>
>> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
>> 2001:db8:abcd:1234::2/128 on B.
>>
>> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface,
>> on B you route 2001:db8:abcd:1234::1/128 to the PtP interface.
>>
>> True Point-To-Point, with room to grow. Note that using a /127 might
>> seem logical, it does not work due to the subnet-anycast address.
>>
>> Indeed, you 'lose' the rest of the /64, but when the time comes that you
>> convert it to a multi-point link one can just add extra /128s in there.
>>
>> Greets,
>> Jeroen
>>
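An added example, not part of the original thread: a small model of router A's route lookup that compares a /64 configured on the PtP interface with the /128 host routes described in the quoted message, counting how many scanned addresses A would try to resolve on the link. The routing tables, action names and probe list are constructed for illustration, and A is assumed to have no default route.

```python
import ipaddress

# Addresses taken from the quoted message; everything else is constructed.
LINK = ipaddress.ip_network("2001:db8:abcd:1234::/64")
A = ipaddress.ip_address("2001:db8:abcd:1234::1")
B = ipaddress.ip_address("2001:db8:abcd:1234::2")

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, action) or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, act) for net, act in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def table_on_link_64():
    # ::1/64 on the interface: the whole /64 becomes a connected route,
    # so every address in it is treated as a neighbor on the link.
    return [(ipaddress.ip_network(f"{A}/128"), "local"),
            (LINK, "resolve-on-ptp")]

def table_host_routes():
    # ::1/128 on the interface plus a host route for B via the PtP
    # interface, as in the quoted message. Nothing else is on-link.
    return [(ipaddress.ip_network(f"{A}/128"), "local"),
            (ipaddress.ip_network(f"{B}/128"), "resolve-on-ptp")]

def nd_targets(table, probes):
    """Addresses for which A would start neighbor discovery on the link."""
    targets = []
    for p in probes:
        hit = lookup(table, p)
        if hit is not None and hit[1] == "resolve-on-ptp":
            targets.append(ipaddress.ip_address(p))
    return targets

# Constructed sample: a sweep of the first 256 addresses, ::1 to ::100.
PROBES = [LINK[i] for i in range(1, 257)]

if __name__ == "__main__":
    print("/64 on-link:", len(nd_targets(table_on_link_64(), PROBES)))
    print("/128 routes:", len(nd_targets(table_host_routes(), PROBES)))
```

Adding a third host to the link later means adding one more /128 entry to `table_host_routes()`, which is the "room to grow" the quoted message refers to.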
