-----Original Message----- From: Jimmy Hess [mailto:mysidia@gmail.com] Sent: Wednesday, November 30, 2011 11:14 AM To: Ray Soucy Cc: NANOG Subject: Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?
On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy <rps@maine.edu> wrote:
Saying you can mitigate neighbor table exhaustion with a "simple ACL" is misleading (and you're not the only one who has tried to make
that
claim).
It's true, though, you can. But you can also mitigate neighbor table exhaustion by using a long prefix /126; you create an upper bound on the number of neighbor table entries that are possible, and that bound is less than your device's memory capacity for neighbor table entries.
This is a more reliable mitigation than an ACL; it is also simpler and less likely for an operator to mistake to render the mitigation useless, or cause other issues.
From a pure security POV, it's easy to reject ACL mitigation in favor of inherent designed-in mitigation / non-vulnerability.
From a network design POV, there may still be reasons to prefer the ACL method. They better be good reasons, such as a requirement for SLAAC on a large LAN.
Or maybe the IETF could, you know, decouple SLAAC from a particular netmask and make the world a better place for all of us who aren't backbone providers. Do we have to recreate the mistakes from v4 all over again? Jamie