On Thu, Feb 23, 2017 at 12:56:45AM +0900, Lorenzo Colitti wrote: > On Thu, Feb 23, 2017 at 12:31 AM, Job Snijders <job@xxxxxxx> wrote: > > > rfc6164 and rfc6583 are great examples that document considerations > > regarding not using a /64, it simply is not always the best fit. > > RFC6583-style attacks (of which the class addressed by RFC6164 is a > subset) are low payoff and pretty easy to mitigate using very small > changes to ND implementations. You can solve most or all of the > problem by using per-interface ND queues and prioritizing existing and > gleaned ND entries over incomplete ones. You can do even better by > pushing the filtering away from the host so that you don't have to > carry the packets. The perfect solution is always just one upgrade away! :-) > Also, bear in mind that the interface ID length is *not* the same as > the prefix you route to the link. Given that you're talking about > static configuration, you can perfectly well configure all the hosts > with /64 prefixes, but give them addresses that are all in a given > /120 and then route only the /120 to that link. That will also avoid > all the attacks. > > It also makes configuration much simpler, because you don't have to > touch any of the hosts when you run out of the /120: just increase the > /120 to a /119 on the router and move up from ::ff to ::100. That is > 100% supported by the current text of RFC4291bis, which requires that > the router forward packets to the /120. Thanks for sharing this Lorenzo, it something I did not think of. I appreciate the cleverness of this trick, just as much as the next person appreciates this funny photo [2]. :-) However, while the trick can be made to work on Linux, it does not appear to work on Cisco IOS XR, JunOS and OpenBSD. As such, its no more then a party trick, and cannot be considered as a supportive argument for an Internet Standard. For the benefit of the working group, what Lorenzo describes is the following in linux-lingo: $ sudo ip -6 address add 2001:67c:208c:4291::1/64 dev eth1 $ sudo ip -6 route delete 2001:67c:208c:4291::/64 dev eth1 $ sudo ip -6 route add 2001:67c:208c:4291::/126 dev eth1 $ sudo ip -6 route show dev eth1 2001:67c:208c:4291::/126 metric 1024 $ sudo ip -6 addr show dev eth1 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qlen 1000 inet6 2001:67c:208c:4291::1/64 scope global tentative valid_lft forever preferred_lft forever I also fear that the moment "disunited addressing & routing" become commonplace, you'll find your devices on the dirty end of a '/120 routed + /64 addressed'-link and have a dysfunctional experience. As far as I know there is no way to signal host "only a /120 out of this /64 is routed". Kind regards, Job [2]: http://instituut.net/~job/ietf-6man.jpg