Re: Using /126 for IPv6 router links

2010-01-25 Thread Mathias Seiler
Ok let's summarize:

/64:
+   Sticks to the way IPv6 was designed (64 bits host part)
+   Probability of renumbering very low
+   simpler for ACLs and the like
+   rDNS on a bit boundary

  You can give your peers funny names, like 2001:db8::dead:beef ;)

-   Prone to attacks (scans, router CPU load)
-   Waste of addresses
-   Peer address needs to be known, impossible to guess with 2^64 addresses


/126:
+   Only 4 addresses possible (memorable, not so error-prone at configuration-time and while debugging)
+   Not prone to scan-like attacks

-   Not on a bit boundary, so more complicated for ACLs and …
-   … rDNS
-   Perhaps need to renumber into /64 some time.
-   No 64 bits for hosts


/127:
Like /126 but there's an RFC not recommending it and an RFC (draft) which
revises that non-recommendation.



On 25 Jan 2010, at 10:14, Matthew Petach wrote:

 On Sat, Jan 23, 2010 at 4:52 AM, Mathias Seiler
 mathias.sei...@mironet.ch wrote:
 Hi
 In reference to the discussion about /31 for router links, I'd like to know
 what is your experience with IPv6 in this regard.
 
 I use a /126 if possible but have also configured one /64 just for the link 
 between two routers. This works great but when I think that I'm wasting 2^64 
 - 2 addresses here it feels plain wrong.
 
 So what do you think? Good? Bad? Ugly? /127 ? ;)
 
 Cheers
 
 Mathias Seiler
 MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
 T +41 61 201 30 90, F +41 61 201 30 99
 mathias.sei...@mironet.ch
 www.mironet.ch
 
 As I mentioned in my lightning talk at the last NANOG, we reserved a /64 for each
 PtP link, but configured it as the first /126 out of the /64.  That gives us the most
 flexibility for expanding to the full /64 later if necessary, but prevents us from being
 victim of the classic v6 neighbor discovery attack that you're prone to if you configure
 the entire /64 on the link.

I think I will go this way. Since we've got the usual /32 assignment I have 
plenty of /64 to waste. 
If I continue assigning a /48 to every customer I can set apart a /64 for each 
PtP link and still have room to grow for a very long time (I'm not taking into 
account the assignment of IPv6 addresses to high amounts of MMs so far ;) )

This way the configuration and addressing plan is simple and understandable to 
anyone. 

 All someone out on the 'net needs to do is scan up through your address space on the
 link as quickly as possible, sending single packets at all the non-existent addresses on
 the link, and watch as your router CPU starts to churn keeping track of all the neighbor
 discovery messages, state table updates, and incomplete age-outs.

Well I could filter that in hardware with an interface ACL but a /126 seems 
much easier to maintain. 

 With the link configured as a /126, there's a very small limit to the number of neighbor
 discovery messages, and the amount of state table that needs to be maintained and updated
 for each PtP link.
 
 It seemed like a reasonable approach for us--but there's more than one way to
 skin this particular cat.
 
 Hope this helps!
 

Yes it does. Thanks!


Mathias Seiler

MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
T +41 61 201 30 90, F +41 61 201 30 99

mathias.sei...@mironet.ch
www.mironet.ch
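The addressing plan the exchange above settles on (reserve a /64 per point-to-point link, configure only its first /126) and the neighbor-discovery exposure argument behind it, as an added example that is not code from either poster: a POSIX shell helper that carves the /126 out of each reserved /64, prints the two router addresses, reports how many addresses a given prefix length leaves open to off-link ND probing, and checks whether a prefix length falls on a nibble boundary for reverse DNS. The 2001:db8 prefixes are constructed documentation addresses, and the ::1/::2 router convention is an assumption, not something the thread specifies.

```shell
#!/bin/sh
# Added example: /64-per-link reservation, /126 configured on the wire.
# Prefixes such as 2001:db8:0:1::/64 are constructed documentation values.

# first126 PREFIX64 -> the first /126 inside the given /64 (input must end in ::/64)
first126() {
  case "$1" in
    *::/64) echo "${1%::/64}::/126" ;;
    *) echo "first126: expected a /64 written as X:X:X:X::/64" >&2; return 1 ;;
  esac
}

# router_addrs PREFIX64 -> the two router addresses inside that first /126.
# ::0 is left alone (all-zero interface ID is the subnet-router anycast), ::3 is spare;
# using ::1 and ::2 is a common convention, assumed here.
router_addrs() {
  p=${1%::/64}
  printf '%s::1/126 %s::2/126\n' "$p" "$p"
}

# nd_targets PREFIXLEN -> number of addresses on the link that a remote scan can probe,
# i.e. the upper bound on neighbor-cache entries a flood of single packets can create.
# Exact for lengths that fit 64-bit shell arithmetic, symbolic (2^N) otherwise.
nd_targets() {
  bits=$((128 - $1))
  if [ "$bits" -lt 63 ]; then echo $((1 << bits)); else echo "2^$bits"; fi
}

# nibble_aligned PREFIXLEN -> true when the prefix length is a multiple of 4,
# so the ip6.arpa reverse zone can be cut exactly at the prefix (the /64 vs /126 rDNS point)
nibble_aligned() { [ $(( $1 % 4 )) -eq 0 ]; }

# plan PREFIX64... -> one line per link: what is reserved, what is configured, router addresses
plan() {
  for p64 in "$@"; do
    printf '%s reserved, configure %s, routers %s, ND targets %s (vs %s for the full /64)\n' \
      "$p64" "$(first126 "$p64")" "$(router_addrs "$p64")" "$(nd_targets 126)" "$(nd_targets 64)"
  done
}

# Usage: sh this-script.sh 2001:db8:0:1::/64 2001:db8:0:2::/64
if [ $# -gt 0 ]; then plan "$@"; fi
```

Each link line in the plan output shows four ND-reachable addresses for the /126 against 2^64 for a fully configured /64; the reservation is still the whole /64, so widening a link later is a configuration change rather than a renumbering. Note that nibble_aligned fails for 126, which is the ACL and rDNS cost the summary lists for that choice.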




Using /126 for IPv6 router links

2010-01-23 Thread Mathias Seiler
Hi 

In reference to the discussion about /31 for router links, I'd like to know
what is your experience with IPv6 in this regard.

I use a /126 if possible but have also configured one /64 just for the link 
between two routers. This works great but when I think that I'm wasting 2^64 - 
2 addresses here it feels plain wrong.

So what do you think? Good? Bad? Ugly? /127 ? ;)


Cheers

Mathias Seiler

MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
T +41 61 201 30 90, F +41 61 201 30 99

mathias.sei...@mironet.ch
www.mironet.ch




Re: Consumer-grade dual-homed connectivity options?

2010-01-03 Thread Mathias Seiler
Hi Paul

You can do this on a Linux box with a pretty much basic kernel.

I currently have a similar setup at home with a DSL and a cable line (from 
different providers).
Here's the script I'm actually using: http://ocaholic.ch/download/multinat.txt

Some packets are tagged with iptables (SSH as an example) because I want it to 
prefer the DSL connection. You can do pretty interesting things with it, even 
per-packet round-robin distribution … which is a Bad Idea™ though.

If you want it to fail-over automatically you need to patch the kernel etc. 
You'll find all information on http://lartc.org/ (especially on 
http://lartc.org/howto/lartc.rpdb.multiple-links.html) and here: 
http://www.ssi.bg/~ja/#routes

This setup has been running for about a year now and it does this quite well.


Regards

Begin forwarded message:

 
 --- paul.w.benn...@gmail.com wrote:
 From: Paul Bennett paul.w.benn...@gmail.com
 
 At home, I currently run two DSL lines. Right now, we just have two  
 separate LANs, one connected to each line, with my wife's devices attached  
 to one, and my devices attached to the other. For a while now, I've been  
 thinking about setting up a load-balancing routing solution to give both  
 of us access to both lines.
 ---
 

Mathias Seiler

MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel
T +41 61 201 30 90, F +41 61 201 30 99

mathias.sei...@mironet.ch
www.mironet.ch
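A minimal version of the two-uplink setup the post describes (one routing table per link, some traffic pinned to a link via an iptables mark, the rest balanced), added here as an example. It is not the linked multinat script, and the interface names, addresses, table numbers and marks are constructed assumptions; the structure follows the LARTC multiple-links recipe the post points to.

```shell
#!/bin/sh
# Added example: dual-uplink policy routing with iproute2 + iptables.
# All interface names, addresses, gateways, tables and marks below are constructed.
DSL_IF=ppp0;   DSL_IP=192.0.2.10;      DSL_GW=192.0.2.1;      DSL_NET=192.0.2.0/24;      DSL_TABLE=100;   DSL_MARK=1
CABLE_IF=eth1; CABLE_IP=198.51.100.10; CABLE_GW=198.51.100.1; CABLE_NET=198.51.100.0/24; CABLE_TABLE=200; CABLE_MARK=2
LAN_IF=eth0

# run: with DRY_RUN=1 (the default) print the command instead of executing it,
# so the script can be reviewed before it touches a live router.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# link_table TABLE IF IP GW NET MARK: per-uplink table plus the rules that select it
link_table() {
  run ip route replace "$5" dev "$2" src "$3" table "$1"
  run ip route replace default via "$4" dev "$2" table "$1"
  # replies and locally generated traffic sourced from this uplink's address stay on it
  run ip rule add from "$3" lookup "$1"
  # packets tagged by netfilter are pinned to this uplink regardless of source
  run ip rule add fwmark "$6" lookup "$1"
  # the LAN is NATed behind whichever uplink a flow leaves on
  run iptables -t nat -A POSTROUTING -o "$2" -j MASQUERADE
}

# pin_ssh_to_dsl: the "tag some packets" part of the post: SSH from the LAN prefers the DSL link
pin_ssh_to_dsl() {
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 22 -j MARK --set-mark "$DSL_MARK"
}

# balanced_default: unmarked traffic takes a weighted multipath default route.
# Current kernels hash this per flow; older ones sprayed per packet, which breaks the
# NAT state that conntrack keeps per link (the Bad Idea the post mentions).
balanced_default() {
  run ip route replace default scope global \
    nexthop via "$DSL_GW" dev "$DSL_IF" weight 1 \
    nexthop via "$CABLE_GW" dev "$CABLE_IF" weight 1
}

setup_all() {
  link_table "$DSL_TABLE" "$DSL_IF" "$DSL_IP" "$DSL_GW" "$DSL_NET" "$DSL_MARK"
  link_table "$CABLE_TABLE" "$CABLE_IF" "$CABLE_IP" "$CABLE_GW" "$CABLE_NET" "$CABLE_MARK"
  pin_ssh_to_dsl
  balanced_default
}

case "${1:-}" in
  show)  DRY_RUN=1; setup_all ;;   # print what would be configured
  apply) DRY_RUN=0; setup_all ;;   # execute as root on the router
esac
```

Invoked with `show` the script prints the iproute2 and iptables commands it would run; `apply` executes them. It covers only the static setup: the automatic fail-over the post says needs kernel patches (detecting a dead gateway and pulling its nexthop) is not part of this example.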