>> /64 netmask opens up nd cache exhaustion as a DoS vector. > > FUD.
I probably should have qualified this statement a little better before posting it. Large locally-connected l2 domains can open up nd cache exhaustion and many other problems as DoS vectors if the operating systems connected to these domains do not have resource exhaustion limitations built in, or they are built in but not configured properly. In particular, the large address space prevents operating systems from implementing certain types of mitigation mechanisms that might be possible with ipv4 (e.g. slot based rate limiting). The ND rate limiters that I've tested all cause collateral connectivity problems as they place all ND floods from all hosts in the same RL bucket.

While some aspects of this problem are more generic and not specifically related to the address domain size (i.e. they're similar to what's already seen on ipv4), the fact that the addressing domain is so large does not help either the o/s implementer or the operator, and the issues relating to ND flooding of whatever sort (NS/RA/etc) are something that explicitly need to be understood by both the o/s implementer and the network operator, because otherwise connectivity problems can occur in production.

Nick
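The collateral-damage point above (one rate-limit bucket shared by every host) and the cache-exhaustion point can both be seen in a small discrete-time model. The code below is an added illustration written for this thread, not code from the post or from any operating system; the `NeighborCache` and `TokenBucket` classes, the tick-based timing, the INCOMPLETE-entry lifetime of three ticks, the capacities and the `2001:db8::` addresses are all constructed assumptions chosen to make the effect visible, and no real kernel exposes these exact knobs. It compares three resolver policies: a shared bucket, a bucket keyed on the host that triggered the resolution, and no limiter at all against a cache with a hard INCOMPLETE-entry cap.

```python
"""Toy model of neighbor-discovery (ND) resolution under a flood of lookups.

Constructed example: models a router/host that must create an INCOMPLETE
neighbor-cache entry and send a Neighbor Solicitation (NS) whenever traffic
arrives for an unknown on-link /64 address. Three policies are compared:
  - shared bucket: one token bucket gates every NS regardless of who asked
  - per-source bucket: one token bucket per triggering source
  - no limiter: only the INCOMPLETE-entry cap protects the cache
"""
from collections import OrderedDict


class TokenBucket:
    """Token bucket refilled at `rate` tokens per tick, holding at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class NeighborCache:
    """Neighbor cache with a cap on INCOMPLETE entries and a rate limit on NS sends."""

    INCOMPLETE_LIFETIME = 3  # ticks an unanswered INCOMPLETE entry stays around (assumed)

    def __init__(self, max_incomplete, rate, burst, per_source):
        self.max_incomplete = max_incomplete
        self.rate, self.burst = rate, burst
        self.per_source = per_source
        self.buckets = {}
        self.incomplete = OrderedDict()  # target address -> expiry tick

    def _bucket(self, src):
        # A shared limiter uses one key for everybody; per-source keys on the requester.
        key = src if self.per_source else "shared"
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.rate, self.burst)
        return self.buckets[key]

    def _expire(self, now):
        for target, expiry in list(self.incomplete.items()):
            if expiry <= now:
                del self.incomplete[target]

    def resolve(self, src, target, now):
        """Return True if resolution for `target` (requested by `src`) could start."""
        self._expire(now)
        if target in self.incomplete:
            return True  # already being resolved; no new NS needed
        if len(self.incomplete) >= self.max_incomplete:
            return False  # cache full of INCOMPLETE entries: exhaustion
        if not self._bucket(src).allow(now):
            return False  # NS rate-limited
        self.incomplete[target] = now + self.INCOMPLETE_LIFETIME
        return True


def simulate(per_source, rate, burst, noisy_per_tick, ticks=20, max_incomplete=50):
    """Run the model and return how many of the legitimate host's lookups succeeded.

    Each tick one flood source asks for `noisy_per_tick` fresh targets and one
    legitimate source asks for a single fresh target. Targets are constructed
    addresses under the documentation prefix 2001:db8::/64.
    """
    cache = NeighborCache(max_incomplete, rate, burst, per_source)
    legit_ok = 0
    n = 0
    for now in range(ticks):
        for _ in range(noisy_per_tick):
            n += 1
            cache.resolve("flood-src", f"2001:db8::{n:x}", now)
        n += 1
        if cache.resolve("legit-src", f"2001:db8::{n:x}", now):
            legit_ok += 1
    return legit_ok


if __name__ == "__main__":
    print("shared bucket, legit lookups ok:", simulate(False, rate=2, burst=5, noisy_per_tick=10))
    print("per-source bucket, legit lookups ok:", simulate(True, rate=2, burst=5, noisy_per_tick=10))
    print("no limiter, 25 lookups/tick, legit ok:", simulate(False, rate=1000, burst=1000, noisy_per_tick=25))
```

With the shared bucket the flood source drains every token before the legitimate host gets a turn, so the legitimate host resolves nothing: that is the collateral connectivity loss the post describes. With a per-source bucket the legitimate host keeps its own allowance and every one of its lookups succeeds. With no limiter and a faster flood, the INCOMPLETE cap is what stops the cache from growing without bound, but the legitimate host still only gets through in the ticks right after a batch of stale entries expires. Keying a bucket on the requester assumes that requester is meaningfully identifiable to the resolver, which is part of why the large /64 makes slot-style limiting hard in practice.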
