
Could you provide an example of such an ACL that can prevent neighbor table exhaustion while maintaining a usable 64-bit prefix? I am intrigued.

On Tue, Nov 29, 2011 at 12:21 PM, Owen DeLong <owen@delong.com> wrote:
On Nov 29, 2011, at 4:58 AM, Dmitry Cherkasov wrote:
Thanks to everybody participating in the discussion. I try to summarize.
1) There is no obvious benefit to using prefixes longer than /64 in DOCSIS networks, yet there are no definite objections to using them, except that it violates best practices and may lead to some problems in the future.
2) A DHCPv6 server can use any algorithm to generate the interface ID part of the address, and EUI-64 may be just one of them, which can be useful for keeping the correspondence between MAC and IPv6 addresses. Yet if we use EUI-64 we definitely need to use a /64 prefix.
3) Using /64 networks poses a potential security threat related to neighbor table overflow. This is an IPv6-wide problem and not related to DOCSIS only.
99% of which can be easily mitigated by ACLs, especially in the context you are describing.
There were also notes about address usage on link networks. Though this was out of the scope of the original question, it is agreed that using /64 is not reasonable here. BTW, RFC 6164 (Using 127-Bit IPv6 Prefixes on Inter-Router Links) can be mentioned here.
I don't agree that using /64 on link networks is not reasonable. It's perfectly fine and there is no policy against it. There are risks (buggy router code having ping-pong attack exposure, ND table overflow attacks if not protected by ACL), but otherwise there's nothing wrong with it.
Owen
Dmitry Cherkasov
2011/11/29 Dmitry Cherkasov <doctorchd@gmail.com>:
Tore,
To comply with this policy we delegate at least a /64 to end-user gateways. But this policy does not cover the network between the WAN interfaces of the CPE and the ISP access gateway.
Dmitry Cherkasov
2011/11/29 Tore Anderson <tore.anderson@redpill-linpro.com>:
* Dmitry Cherkasov
I am determining the technical requirements for an IPv6 provisioning system for DOCSIS networks, and I am deciding whether it is worth restricting users to networks not smaller than /64 on the cable interface. It is obvious that no true economy of IP addresses can be achieved by increasing the prefix length above 64 bits.
I am not familiar with DOCSIS networks, but I thought I'd note that in order to comply with the RIPE policies, you must assign at least a /64 or shorter to each end user:
http://www.ripe.net/ripe/docs/ripe-523#assignment_size
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
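As an added illustration (not code from any of the posters), one way to reconcile Ray's question with Dmitry's point 2 and Owen's "mitigated by ACLs": when the DHCPv6 server hands out EUI-64 addresses, the provisioning system knows every legitimate address on the /64, so an ingress ACL on the upstream side can permit exactly those hosts and deny the rest of the prefix, leaving the /64 intact while unassigned destinations never reach neighbor resolution. The prefix, the MAC list and the vendor-neutral ACL shape are constructed assumptions.

```python
import ipaddress

# Constructed sample data, not from the thread: the /64 on the cable-facing
# interface and the MACs currently holding DHCPv6 leases on it.
LINK_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
LEASED_MACS = ["00:11:22:33:44:55", "00:11:22:aa:bb:cc", "a4:5e:60:01:02:03"]


def eui64_address(prefix, mac):
    """Modified EUI-64 address (RFC 4291, Appendix A) for `mac` inside a /64."""
    if prefix.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs exactly a /64")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Invert the universal/local bit of the first octet, insert 0xFFFE in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def build_acl(prefix, macs):
    """Assumed vendor-neutral ingress ACL for the upstream side of the /64:
    permit each leased address, then deny the remainder of the prefix.
    Packets to unassigned addresses are dropped before the router would start
    neighbor resolution for them, so they cannot consume ND table entries."""
    known = sorted(eui64_address(prefix, m) for m in macs)
    acl = [("permit", ipaddress.IPv6Network(f"{addr}/128")) for addr in known]
    acl.append(("deny", prefix))
    return acl


def acl_permits(acl, dst):
    """First-match evaluation with an implicit deny at the end."""
    dst = ipaddress.IPv6Address(dst)
    for action, net in acl:
        if dst in net:
            return action == "permit"
    return False


def resolvable_hosts(acl, prefix):
    """Addresses in `prefix` that can still trigger ND resolution through the
    ACL; without the ACL the figure would be 2**64."""
    return sum(net.num_addresses for action, net in acl
               if action == "permit" and net.subnet_of(prefix))


if __name__ == "__main__":
    acl = build_acl(LINK_PREFIX, LEASED_MACS)
    for action, net in acl:
        print(f"{action:6} {net}")
    print("resolvable hosts:", resolvable_hosts(acl, LINK_PREFIX), "of", 2 ** 64)
```

The ACL is only as current as the lease table it was generated from, so the provisioning system has to regenerate and push it whenever a modem obtains or loses a lease.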