On Mar 10, 2011, at 8:00 PM, Dobbins, Roland wrote:
On Mar 11, 2011, at 10:51 AM, George Bonser wrote:
If you are a content provider, it doesn't make any difference if they take down the links between your routers or if they take down the link that your content farm is on.
Of course, it does - you may have many content farms/instances, and taking down point-to-point links can DoS your entire set of farms/instances, whereas an attack against a given endpoint access network doesn't necessarily mean that your other properties/networks/services are being attacked, as well.
How is an attack against all your content farms in any way MORE difficult than an attack against enough point-to-point links to take everything out? If you've designed things properly, it takes more PtoP links to DoS the complete set than it does endpoint networks.
Limiting this vector to endpoint access networks also makes mitigation mechanisms far more practicable.
It's actually pretty easy to eliminate it 100% from the PtoP links even if they are /64s by simply not allowing traffic to the PtoP addresses other than from selected sources (NOC/Admin Network, required peers, etc.). If you want to be truly anal about it, you can also block packets to non-existent addresses on the PtoP links.
There is no good reason to use /64s on point-to-point links. It is wasteful (please, no more about the supposed infinitude of IPv6 addresses; some of us reject this as being shortsighted and insufficiently visionary concerning eventual one-time-uses of IPv6 addresses at nanoscale) and turns your routers into sinkholes. It is a Very Bad Idea.
This isn't a one-time-use of IPv6 addresses and the one-time-uses of IPv6 addresses are what should be considered unscalable and absurdly wasteful. There's a lot to be said for the principle of least surprise and uniform /64s actually help with that quite a bit. Frankly, unless you have parallel links, there isn't a definite need to even number PtoP links for IPv6. Everything you need to do with an interface specific address on a PtoP link can be done with link local.

Owen
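The two-part PtoP filtering policy Owen describes (permit traffic to PtoP addresses only from selected sources, and drop packets to addresses on the /64 that are not actually assigned, so the router never sinkholes into neighbor discovery for them) modelled as a small packet filter. This is an added example, not code from the thread; every prefix, address and sample packet in it is constructed.

```python
"""Model of the point-to-point (PtoP) link filtering policy from the thread:
traffic to a PtoP link's addresses is permitted only from selected sources,
and packets to addresses on the /64 that are not assigned to either end are
dropped before the router has to do neighbor discovery for them.
All prefixes and addresses below are constructed examples."""
from ipaddress import ip_address, ip_network

# Constructed: a /64 numbered on a PtoP link, with only ::1 and ::2 in use.
PTOP_LINK = ip_network("2001:db8:ff::/64")
ASSIGNED = {ip_address("2001:db8:ff::1"), ip_address("2001:db8:ff::2")}

# Constructed: sources allowed to reach PtoP addresses (a NOC block and the
# link's own peer addresses).
ALLOWED_SOURCES = [ip_network("2001:db8:100::/48"), ip_network("2001:db8:ff::/64")]


def ptop_policy(src: str, dst: str) -> str:
    """Return 'forward' or a drop reason for one packet (src/dst as strings).

    Packets not destined to the PtoP /64 are unaffected by this policy."""
    s, d = ip_address(src), ip_address(dst)
    if d not in PTOP_LINK:
        return "forward"
    # Second rule from the thread: nothing may target addresses that do not
    # exist on the link, so drop before neighbor discovery is triggered.
    if d not in ASSIGNED:
        return "drop: nonexistent PtoP address"
    # First rule: only selected sources may reach the assigned PtoP addresses.
    if not any(s in net for net in ALLOWED_SOURCES):
        return "drop: source not permitted to reach PtoP address"
    return "forward"


def filter_packets(packets):
    """Apply the policy to (src, dst) pairs; return (src, dst, verdict) tuples."""
    return [(src, dst, ptop_policy(src, dst)) for src, dst in packets]


# Constructed sample traffic: a transit packet, a NOC ping to the link, an
# outside host probing an unused address on the /64 (the sinkhole case), and
# an outside host targeting a real interface address.
SAMPLE = [
    ("2001:db8:abcd::5", "2001:db8:200::10"),
    ("2001:db8:100::7", "2001:db8:ff::1"),
    ("2001:db8:dead::1", "2001:db8:ff::abcd"),
    ("2001:db8:dead::1", "2001:db8:ff::2"),
]

if __name__ == "__main__":
    for src, dst, verdict in filter_packets(SAMPLE):
        print(f"{src} -> {dst}: {verdict}")
```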