Could you provide an example of such an ACL that can prevent neighbor table exhaustion while maintaining a usable 64-bit prefix? I am intrigued.
On Tue, Nov 29, 2011 at 12:21 PM, Owen DeLong <o...@delong.com> wrote:
>
> On Nov 29, 2011, at 4:58 AM, Dmitry Cherkasov wrote:
>
>> Thanks to everybody participating in the discussion.
>> I try to summarize.
>>
>> 1) There is no obvious benefit of using longer prefixes than /64
>> in DOCSIS networks, yet there are no definite objections to using them
>> except that it violates best practices and may lead to some problems
>> in the future.
>>
>> 2) A DHCPv6 server can use any algorithm to generate the interface ID part
>> of the address, and EUI-64 may be just one of them that can be useful
>> for keeping correspondence between MAC and IPv6 addresses. Yet if we
>> use EUI-64 we definitely need to use a /64 prefix.
>>
>> 3) Using /64 networks poses a potential security threat related to
>> neighbor table overflow. This is a wide IPv6 problem and not related to
>> DOCSIS only.
>>
> 99% of which can be easily mitigated by ACLs, especially in the context
> you are describing.
>
>> There were also notes about address usage on link networks. Though
>> this was out of the scope of the original question, it is agreed that using
>> /64 is not reasonable here. BTW, RFC6164 (Using 127-Bit IPv6 Prefixes
>> on Inter-Router Links) can be mentioned here.
>>
>
> I don't agree that using /64 on link networks is not reasonable. It's
> perfectly fine and there is no policy against it. There are risks (buggy router code
> having ping pong attack exposure, ND table overflow attacks if not
> protected by ACL), but, otherwise, there's nothing wrong with it.
>
> Owen
>
>>
>> Dmitry Cherkasov
>>
>>
>>
>> 2011/11/29 Dmitry Cherkasov <doctor...@gmail.com>:
>>> Tore,
>>>
>>> To comply with this policy we delegate at least a /64 to end-user
>>> gateways. But this policy does not cover the network between the WAN
>>> interfaces of the CPE and the ISP access gateway.
>>>
>>> Dmitry Cherkasov
>>>
>>>
>>>
>>> 2011/11/29 Tore Anderson <tore.ander...@redpill-linpro.com>:
>>>> * Dmitry Cherkasov
>>>>
>>>>> I am determining technical requirements for an IPv6 provisioning system
>>>>> for DOCSIS networks and I am deciding if it is worth restricting users
>>>>> to networks not smaller than /64 on the cable interface. It is obvious
>>>>> that no true economy of IP addresses can be achieved by increasing
>>>>> the prefix length above 64 bits.
>>>>
>>>> I am not familiar with DOCSIS networks, but I thought I'd note that in
>>>> order to comply with the RIPE policies, you must assign at least a /64
>>>> or shorter to each end user:
>>>>
>>>> http://www.ripe.net/ripe/docs/ripe-523#assignment_size
>>>>
>>>> --
>>>> Tore Anderson
>>>> Redpill Linpro AS - http://www.redpill-linpro.com
>
>
>

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
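One shape such an ACL can take, added here as an illustration and not from anyone in the thread: the link keeps its /64, but the router's uplink only accepts packets for addresses that can actually exist on it, so an off-link scan of the remaining 2^64 addresses never triggers neighbor resolution. Cisco IOS syntax; the 2001:db8 prefixes, the interface name, and the assumption that the DHCPv6 server hands out addresses only from a /112 sub-range of the access /64 are all made up for the example.

```cisco
! Added example, not from the thread. Assumed addressing:
!   2001:db8:0:1::/64    shared /64 on the cable interface (CPE WAN side)
!   2001:db8:0:1::1      CMTS gateway address on that /64
!   2001:db8:0:1::/112   sub-range the DHCPv6 server is assumed to allocate from
!   2001:db8:0:ff::/64   point-to-point /64 to the upstream router, using ::1 and ::2
!
! Applied inbound on the core-facing interface: packets arriving from outside
! can only cause ND lookups for the gateway, the DHCPv6 range, or the two
! inter-router endpoints. The rest of each /64 is dropped before ND runs.
ipv6 access-list ND-PROTECT-IN
 remark -- access /64: gateway plus the DHCPv6-assigned sub-range only
 permit ipv6 any host 2001:db8:0:1::1
 permit ipv6 any 2001:db8:0:1::/112
 deny   ipv6 any 2001:db8:0:1::/64 log
 remark -- inter-router /64: only the two configured endpoints
 permit ipv6 any host 2001:db8:0:ff::1
 permit ipv6 any host 2001:db8:0:ff::2
 deny   ipv6 any 2001:db8:0:ff::/64 log
 remark -- everything else (delegated customer prefixes, transit) is unaffected
 permit ipv6 any any
!
interface TenGigabitEthernet0/1
 description Uplink to core
 ipv6 traffic-filter ND-PROTECT-IN in
```

The worst case an outside scan can now create is bounded by the size of the permitted sub-range (65,536 entries for a /112) rather than by the /64, and the logged denies give a signal that such a scan is under way; hosts on the link itself are not covered by this filter.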