On 2011-07-13 11:18, Mikael Abrahamsson wrote:
> On Wed, 13 Jul 2011, Jeroen Massar wrote:
>
>> Why not deploy it like a lot of folks have been deploying IPv6 for over
>> a decade already:
>>
>> - a /64 link to the router/host of the user
>>   (<link>::1 is you, <link>::2 is them)
>> - a route, be it /64, /56 or /48 to <link>::2 aka the user
>>
>> That link can be a real Ethernet link or a tunnel. AVM Fritz!Box
>> supports this and various other vendors also find this great.
>
> What? If it's a /64, then we have the /64 ND DoS problem we've been
> discussing for a gazillion mails already.

It might look like a /64, but you only use ::1 and ::2 and those are
effectively static, so effectively it is a /127 without the anycast issue.
Heck, some people pick a /120 for it or whatever they find nice.
Configuration-wise and counting-wise a /64 is just handy. And if one day
you have multi-access on that link, well, no renumbering, just enable it.

>> The "ND" issue now lies at the CPE device of the user, who will most
>> likely not be able to handle 1GB/s anyway when somebody wants to DDoS
>> them off the net...
>
> No it doesn't, if I am ::1 then if someone sends 10kpps to random values
> of ::X:Y:Z:W on that subnet I have to ND all those.

There is no subnet, only ::2, the rest you can ignore.

> 10kpps is 5 megabit/s, anyone can do that. I doubt most routers will work
> properly when handling 10k ND state changes per second.

Test it out today and complain to your vendor ;)

Greets,
 Jeroen

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
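The two forwarding models argued about above, as an added illustration that is not part of the thread: a small Python simulation of the 10kpps random ::X:Y:Z:W flood against the link /64, once treating the /64 as a real multi-access subnet and once treating it as a point-to-point link where only ::2 exists as a static neighbour. The addresses, the /48 routed to ::2 and the `route`/`flood` helper names are constructed for the example.

```python
import ipaddress
import random

# Constructed example addressing (not from the thread): the /64 on the link
# to the customer, ::1 is the ISP router, ::2 is the customer's CPE, and a
# /48 is routed to ::2.
LINK = ipaddress.IPv6Network("2001:db8:0:1::/64")
ROUTER, CPE = LINK[1], LINK[2]
DELEGATED = ipaddress.IPv6Network("2001:db8:1000::/48")


def route(dst, policy, nd_cache):
    """Return the action the router takes for one packet to dst.

    policy "onlink": the /64 is a real multi-access subnet, so any address in
        it that is not yet in the ND cache needs a neighbour solicitation and
        an INCOMPLETE cache entry (the ND cache exhaustion risk).
    policy "p2p": the link only has ::1 and ::2; ::2 is a static neighbour and
        every other address inside the /64 is dropped without creating state.
    """
    if dst == ROUTER:
        return "local"
    if dst in DELEGATED:
        return "forward-to-cpe"          # next hop ::2, already in nd_cache
    if dst in LINK:
        if dst == CPE or dst in nd_cache:
            return "deliver"
        if policy == "onlink":
            nd_cache.add(dst)            # one INCOMPLETE entry per unknown target
            return "nd-resolve"
        return "drop"                    # p2p: no such neighbour, no state
    return "forward-upstream"


def flood(policy, packets=10_000, seed=1):
    """Send `packets` packets to random interface IDs inside the link /64 (the
    attack described in the thread) and return how many ND entries it created."""
    rng = random.Random(seed)
    nd_cache = {CPE}                     # static entry for the customer
    for _ in range(packets):
        iid = rng.getrandbits(64)
        dst = ipaddress.IPv6Address(int(LINK.network_address) | iid)
        route(dst, policy, nd_cache)
    return len(nd_cache) - 1             # entries added by the flood
```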
