On 1 Jun 2013, at 23:55, Jeroen Massar <[email protected]> wrote:
> On 2013-06-01 14:01, Ole Troan wrote:
>>
>> On 1 Jun 2013, at 22:56, Jeroen Massar <[email protected]> wrote:
>>
>>> One thing to keep in mind though is that quite some gear is
>>> optimized up to the first /64 bits, and might use slower paths for
>>> longer prefixes, thus if one is going to put a lot of /128s in a
>>> single /64, thus when really stuffing all p2p links in a single /64
>>> or so, it might hurt performance on the gear being used. As such,
>>> do ask your vendor about their limitations.
>>
>> If you are talking about router to router links, then typically little
>> traffic is forwarded to any of the link addresses. This should
>> generally not be a concern.
>
> As the subject was about 'security', more in the rule of DoS/DDoS, the
> problem becomes that some miscreants target exactly those addresses
> because they are expected to not forward much....
>
> Indeed for normal operation it should be okay, but miscreants are
> getting smarter too...

In the case of /127 or /128 you'd always hit the router's host stack.

Ole
