In article <xs4all.963E27C7-A0C5-44AC-86AF-33E6286C9BC1@delong.com> you write:
> There are better ways to avoid neighbor exhaustion attacks unless you have attackers inside your network.
You mean filtering. I haven't tried it recently, but a while ago I put an output filter on a Juniper router that allowed just the lower /120 out of a /64 on an interface. What happened was that neighbor discovery happened /before/ filtering. I should probably test that against recent JunOS releases, but that was a firm reason to go with a /120 instead of a filter. Besides, configuring a /120 is way less work than a filter per interface (yes we do have per-interface filters but they're kind of generic).
> Even if you're going to do something silly like use /120s on interfaces, I highly recommend going ahead and reserving the enclosing /64 so that when you discover /120 wasn't the best idea, you can easily retrofit.
Sure, we do that. As soon as router vendors solve the NDP CE attack problem we'll go back to /64s.

Mike.
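The trade-off discussed in this post, as an added example that is not part of the original message or any vendor's code: a simplified model of how many unresolved neighbor-cache entries a router interface accumulates for a /64 with an output filter versus a /120. The function names, the documentation prefix 2001:db8::/64 and the rule that each unresolved on-link destination occupies one cache slot are assumptions of the model.

```python
import ipaddress
import random

def incomplete_entries(onlink_prefix, destinations, egress_allow=None,
                       filter_before_nd=False):
    """Count distinct unresolved neighbor-cache entries on one interface.

    Model assumption: each on-link destination without a cache entry starts
    neighbor discovery and holds one cache slot until it times out.
    """
    onlink = ipaddress.ip_network(onlink_prefix)
    allow = ipaddress.ip_network(egress_allow) if egress_allow else None
    cache = set()
    for dst in destinations:
        if dst not in onlink:
            continue  # not on-link here: routed elsewhere, no resolution
        if allow is not None and filter_before_nd and dst not in allow:
            continue  # filter evaluated first: dropped before resolution
        cache.add(dst)  # resolution starts; a later output filter is too late
    return len(cache)

def sample_destinations(prefix64, count, hosts=10, seed=1):
    """Constructed traffic: a few real hosts plus random addresses in the /64."""
    rng = random.Random(seed)
    base = int(ipaddress.ip_network(prefix64).network_address)
    real = [ipaddress.ip_address(base + i) for i in range(1, hosts + 1)]
    noise = [ipaddress.ip_address(base + rng.getrandbits(64)) for _ in range(count)]
    return real + noise

def compare(count=10000):
    """Return cache pressure for the three configurations in the thread."""
    dsts = sample_destinations("2001:db8::/64", count)
    lower120 = "2001:db8::/120"
    return {
        "distinct_destinations": len(set(dsts)),
        # /64 on the interface, output filter applied after neighbor discovery
        "slash64_filter_after_nd": incomplete_entries("2001:db8::/64", dsts, lower120),
        # same filter, if the platform evaluated it before neighbor discovery
        "slash64_filter_before_nd": incomplete_entries("2001:db8::/64", dsts, lower120, True),
        # /120 configured on the interface, no filter needed
        "slash120": incomplete_entries(lower120, dsts),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With a /120 the count can never exceed 256 regardless of traffic, which is the bound the filter only provides if it runs before neighbor discovery.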