Apologies for the double post... Mistakenly hit send instead of cancel on the first one.

Owen

On Jun 5, 2012, at 3:32 PM, Owen DeLong wrote:

> On Jun 5, 2012, at 3:23 PM, William Herrin wrote:
>
>> On 6/5/12, Owen DeLong <owen@delong.com> wrote:
>>
>>> On Jun 5, 2012, at 2:23 PM, William Herrin wrote:
>>>
>>>> c. If it's a point-to-point, a reasonable practice seems to be a /64 per network area and around /124 per link. Works OK for Ethernet point-to-points too.
>>>
>>> /64 is perfectly reasonable per point-to-point as well.
>>
>> Hi Owen,
>>
>> Sure, but with the neighbor discovery cache issues that come up with /64s under attack, why open yourself to trouble where you can't realize any benefit?
>
> It makes little sense to me to permit people outside your network to deliver packets to your point-to-point interfaces. Denying this traffic at your borders/edges eliminates all of the attacks without having to juggle inconsistent prefix sizes or do silly bit-math to figure out which address is at the other end of the link.
>
> Owen
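As an added illustration of the two positions in the thread (this is example code written for this page, not anything the participants posted), the block below models the border filter Owen describes: inbound packets from outside the operator's own space that are addressed to point-to-point link prefixes are dropped, everything else is left to normal forwarding. It also shows why the filter, rather than the prefix length, is what bounds the neighbor-discovery cache exposure William raises: without it a /64 link offers 2**64 addresses an outsider can make the router resolve, a /124 offers 16, and with it both offer none. All prefixes and addresses are constructed from the 2001:db8::/32 documentation range; the split into "our space", a link aggregate inside it, and an "external" neighbour is an assumption for the example.

```python
import ipaddress

# Constructed operator allocation (documentation range, not a real network).
OUR_SPACE = ipaddress.ip_network("2001:db8:1000::/36")
# Constructed aggregate from which every point-to-point link is numbered.
PTP_INFRA = ipaddress.ip_network("2001:db8:1fff::/48")


def border_filter(src, dst, ptp_infra=PTP_INFRA, our_space=OUR_SPACE):
    """Decision a border/edge router takes on one inbound packet.

    Returns "drop" when an external source addresses point-to-point link
    space, otherwise "permit". Sources inside our own space are assumed to be
    anti-spoof filtered at the customer edge, so router-to-router traffic
    (routing protocols, management) over the links keeps working.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if d in ptp_infra and s not in our_space:
        return "drop"
    return "permit"


def nd_cache_exposure(link_prefix, border_filtered):
    """Addresses on a link an outsider can force neighbor discovery for.

    Every address in the link prefix is a candidate when packets from outside
    can reach the link; none are once the border filter is in place.
    """
    link = ipaddress.ip_network(link_prefix)
    return 0 if border_filtered else link.num_addresses


def run_sample():
    """Constructed sample traffic run through the filter, in order:
    external -> customer host, external -> link address, external sweep of a
    random address inside a /64 link, and an internal neighbor on the link."""
    samples = [
        ("2001:db8:2000::1", "2001:db8:1001::50"),
        ("2001:db8:2000::1", "2001:db8:1fff:1::1"),
        ("2001:db8:2000::1", "2001:db8:1fff:1:dead:beef:1234:5678"),
        ("2001:db8:1fff:1::1", "2001:db8:1fff:1::2"),
    ]
    return [border_filter(src, dst) for src, dst in samples]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
    for plen in (64, 124):
        link = f"2001:db8:1fff:1::/{plen}"
        print(link, "unfiltered:", nd_cache_exposure(link, False),
              "filtered:", nd_cache_exposure(link, True))
```

The point the model makes is the one Owen argues: once the border denies outside traffic to link addressing, the /64 versus /124 choice no longer changes the attack surface, so the operator can keep uniform /64s and avoid per-link bit arithmetic.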