On 11/1/12 2:01 PM, Owen DeLong wrote:
There are better ways to avoid neighbor exhaustion attacks unless you have attackers inside your network.
All of the migrations are compromises of one sort or another. We thought this one was important enough to include in an informational status RFC (6583). Which approach is most appropriate (and whether it's necessary at all) will depend on the circumstances involved.
If you have attackers inside your network, you probably have bigger problems than neighbor table attacks anyway, but that's a different issue.
Even if you're going to do something silly like use /120s on interfaces, I highly recommend going ahead and reserving the enclosing /64 so that when you discover /120 wasn't the best idea, you can easily retrofit.
The problem isn't silly, I didn't find it all that funny when I first induced it in the lab.
Owen
On Nov 1, 2012, at 12:58 , David Miller <dmiller@tiggee.com> wrote:
On 11/1/2012 1:59 PM, Valdis.Kletnieks@vt.edu wrote:
On Thu, 01 Nov 2012 14:28:48 +0100, "Miquel van Smoorenburg" said:
We use a /120 subnet for servers to prevent the NDP cache exhaustion attack. We do maintain a mapping between IPv4 and IPv6 addresses; it's simply 2001:db8:vv:ww::xx, where xx is the hex value of the last octet of the IPv4 address.
ooh.. that's a clever approach I hadn't seen before. Who should we credit for this one?
/120 works well until you get > 99 (if you want the decimal representations of addresses to look the same)... or if your techs understand hex.
10.0.0.123 <-> 2001:db8:vv:ww::7b
I have used /116 in the past. This gives you 1-fff at the end.
10.0.0.123 <-> 2001:db8:vv:ww::123
Hopefully, this is future proof(ish) in that IPv6 only hosts (...when that happens...) on the same subnet can use 2001:db8:vv:ww::[a-f][0-f][0-f] without danger of collisions with IPv4/IPv6 hosts.
-DMM
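The two numbering schemes discussed in this thread, as an added example that is not part of the original messages: it maps an IPv4 address to its IPv6 twin under the /120 (hex) and /116 (decimal-looking) plans, reverses the mapping, and checks that the ::[a-f][0-f][0-f] range stays free for IPv6-only hosts. The prefix 2001:db8:0:1::/64 and all function names are assumptions made for illustration.

```python
import ipaddress

V6_ONLY = range(0xA00, 0x1000)  # ::[a-f][0-f][0-f], set aside for IPv6-only hosts

def v4_to_v6(v4, prefix64, scheme):
    """Map an IPv4 address to its IPv6 twin inside the enclosing /64.
    'hex'     (/120): last octet value as the low 8 bits -> 123 becomes ::7b
    'decimal' (/116): decimal digits reused as hex digits -> 123 becomes ::123"""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("pass the enclosing /64")
    octet = int(ipaddress.IPv4Address(v4)) & 0xFF
    if scheme == "hex":
        host, plen = octet, 120
    elif scheme == "decimal":
        host, plen = int(str(octet), 16), 116
    else:
        raise ValueError("scheme must be 'hex' or 'decimal'")
    base = int(net.network_address)
    addr = ipaddress.IPv6Address(base + host)
    # The host part must fit inside the first /120 or /116 of the /64.
    if addr not in ipaddress.IPv6Network((base, plen)):
        raise ValueError("host part does not fit the subnet")
    return addr

def v6_to_octet(v6, scheme):
    """Recover the IPv4 last octet from a mapped IPv6 address."""
    low = int(ipaddress.IPv6Address(v6)) & (0xFF if scheme == "hex" else 0xFFF)
    if scheme == "hex":
        return low
    digits = format(low, "x")
    # Hex letters or a value above 255 mean this is not a dual-stack host.
    if not digits.isdecimal() or int(digits) > 255:
        raise ValueError("not a dual-stack host address")
    return int(digits)

def decimal_scheme_collisions():
    """Octets whose /116 mapping would land in the IPv6-only range."""
    return [o for o in range(256) if int(str(o), 16) in V6_ONLY]

if __name__ == "__main__":
    PREFIX = "2001:db8:0:1::/64"  # constructed documentation prefix
    for scheme in ("hex", "decimal"):
        print(scheme, v4_to_v6("10.0.0.123", PREFIX, scheme))
    print("collisions:", decimal_scheme_collisions())
```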