* Arturo Servin >> What is the problem you are trying to protect against? > > Against scanning the whole /64 and doing a DDoS to the router.
Hmm. The DDoS attack to PTP links would work equally well with /126, there's no need to "scan the whole /64" - just flood a non-assigned address with traffic, which will amplify x remaining Hop Limit, probably saturating the link easily. If you're instead talking about the ND cache attack to Ethernet links, you might be able to (depending on the implementation of course) disable Neighbour Discovery and add static Neighbour cache entries on the attached routers. Or just be pragmatic and use /127s... Tore
