> -----Original Message-----
> From: Jimmy Hess [mailto:[email protected]]
> Sent: Wednesday, November 30, 2011 11:14 AM
> To: Ray Soucy
> Cc: NANOG
> Subject: Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
>
> On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy <[email protected]> wrote:
> > Saying you can mitigate neighbor table exhaustion with a "simple ACL"
> > is misleading (and you're not the only one who has tried to make that
> > claim).
>
> It's true, though, you can.
> But you can also mitigate neighbor table exhaustion by using a long prefix /126;
> you create an upper bound on the number of neighbor table entries that are possible,
> and that bound is less than your device's memory capacity for neighbor table entries.
>
> This is a more reliable mitigation than an ACL; it is also simpler and less likely for an
> operator's mistake to render the mitigation useless, or cause other issues.
>
> From a pure security POV, it's easy to reject ACL mitigation in favor of inherent
> designed-in mitigation / non-vulnerability.
>
> From a network design POV, there may still be reasons to prefer the ACL method.
> They better be good reasons, such as a requirement for SLAAC on a large LAN.
Or maybe the IETF could, you know, decouple SLAAC from a particular netmask and make the world a better place for all of us who aren't backbone providers. Do we have to recreate the mistakes from v4 all over again? Jamie
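Jimmy's argument above, that a /126 puts a hard ceiling on how many neighbor-cache entries can ever exist while an ACL only helps if it is configured correctly, can be checked with a small model. The following Python is an added illustration written for this page, not code from the thread or from any router vendor; the `NeighborCache` class, its capacity value and the constructed prefixes are assumptions, and it models only the creation of unresolved (INCOMPLETE) entries for on-link destinations, not real ND timers or packets.

```python
import ipaddress
import random


def max_neighbor_entries(prefix):
    """Upper bound on distinct on-link addresses, and so on ND cache entries,
    that a router can ever hold for this prefix (2 ** (128 - prefix length))."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


class NeighborCache:
    """Toy model (assumption) of a router's neighbor cache for one on-link prefix.

    Each packet to an unresolved on-link destination creates an INCOMPLETE entry.
    `capacity` models the device's memory limit; `acl` models the "simple ACL"
    approach: only listed on-link addresses are ever resolved."""

    def __init__(self, prefix, capacity, acl=None):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.capacity = capacity
        self.acl = {ipaddress.ip_address(a) for a in acl} if acl else None
        self.entries = {}
        self.dropped_full = 0    # packets refused because the cache was full
        self.dropped_by_acl = 0  # packets refused by the ACL before resolution

    def forward(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst not in self.net:
            return "off-link"
        if self.acl is not None and dst not in self.acl:
            self.dropped_by_acl += 1
            return "acl-drop"
        if dst in self.entries:
            return "hit"
        if len(self.entries) >= self.capacity:
            self.dropped_full += 1
            return "cache-full"
        self.entries[dst] = "INCOMPLETE"
        return "new"


def simulate(prefix, capacity, n_packets, acl=None, seed=0):
    """Send n_packets to uniformly random addresses inside the prefix (constructed
    traffic) and report (entries created, drops for full cache, drops by ACL)."""
    rng = random.Random(seed)
    cache = NeighborCache(prefix, capacity, acl)
    base = cache.net.network_address
    for _ in range(n_packets):
        cache.forward(base + rng.randrange(cache.net.num_addresses))
    return len(cache.entries), cache.dropped_full, cache.dropped_by_acl


if __name__ == "__main__":
    # /64: the bound (2**64) dwarfs any real cache, so random traffic fills it.
    print("/64 :", simulate("2001:db8:0:1::/64", capacity=1000, n_packets=5000))
    # /126: at most 4 entries can ever exist, far below the capacity.
    print("/126:", simulate("2001:db8:0:2::/126", capacity=1000, n_packets=5000))
    # /64 with an ACL listing the two real hosts: cache stays tiny, but only
    # as long as the ACL is present and correct.
    hosts = ["2001:db8:0:1::10", "2001:db8:0:1::11"]
    print("/64+ACL:", simulate("2001:db8:0:1::/64", 1000, 5000, acl=hosts))
```

The /126 run never creates more than four entries regardless of how much traffic arrives, which is the "inherent, designed-in" property Jimmy describes; the ACL run achieves a similar result only through the `acl` list, and removing or mistyping that list puts the /64 back in the first case.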

