On Jun 1, 2013 1:38 PM, "Arturo Servin" <[email protected]> wrote:
>
> Ole,
>
> I know!
>
> Basically I want to have the whole picture before recommending or not
> recommending the use of /64s in p2p links (or using them myself).
>
> /64s in p2p look very appealing for many reasons, but they have a
> counter argument in security. Is it possible to overcome?
>
> Perhaps the only solution is to avoid /64s in p2p links.
>
> Regards,
> as
>
> P.D. I didn't want to bring up the old discussion about p2p prefix sizes, I
> just wanted to know how to deploy p2p securely with /64 prefixes (it
> seems that it may not be possible)
>

I do /127.

Subnet anycast is not a supported feature or requirement in my network.

Cheers!
CB

> On 6/1/13 5:28 PM, Ole Troan wrote:
> > Arturo,
> >
> > Don't put any global scope addresses on it at all.
> >
> > Ole
> >
> > On 1 Jun 2013, at 22:24, Arturo Servin <[email protected]> wrote:
> >
> >>
> >> Got it.
> >>
> >> I thought it was something different.
> >>
> >> Suppose now that I am very stubborn and I do not want to configure
> >> /128, /127, /126, /112, /96 or any other prefix longer than /64 (even
> >> when a /112 may let me grow in hosts without renumbering).
> >>
> >> So far I know that I could put a FW to protect the links; that works in
> >> some places. Where not, I would probably need to add some ACLs to the
> >> router (which I would not be a fan of).
> >>
> >> Anything else to protect the link?
> >>
> >>
> >> Thanks!
> >> .as
> >>
> >> On 6/1/13 2:46 PM, Jeroen Massar wrote:
> >>> On 2013-06-01 10:41, Arturo Servin wrote:
> >>> [..]
> >>>>> If you are protecting against something scanning the rest of the /64
> >>>>> where for instance only ::1 and ::2 are configured, you have two options:
> >>>>> - actually use /128 routes
> >>>>
> >>>> What do you mean about /128 routes?
> >>>
> >>> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
> >>> 2001:db8:abcd:1234::2/128 on B.
> >>>
> >>> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface,
> >>> on B you route 2001:db8:abcd:1234::1/128 to the PtP interface.
> >>>
> >>> True Point-To-Point, with room to grow. Note that while using a /127 might
> >>> seem logical, it does not work due to the subnet-anycast address.
> >>>
> >>> Indeed, you 'lose' the rest of the /64, but when the time comes that you
> >>> convert it to a multi-point link one can just add extra /128s in there.
> >>>
> >>> Greets,
> >>> Jeroen
> >>>
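As an added example (not from any poster in the thread): a short Python check of the three plans discussed above, the /64 with only ::1 and ::2 configured, the /127, and Jeroen's /128 host routes, against RFC 4291's subnet-router anycast rule and the amount of on-link address space left for a scanner to probe. The interface name ptp0 and the Linux iproute2 command syntax in host_route_config are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

IPv6 = ipaddress.IPv6Address

@dataclass(frozen=True)
class P2PLink:
    a: IPv6      # router A's address
    b: IPv6      # router B's address
    plen: int    # prefix length configured on both interfaces

def onlink_prefix(link: P2PLink) -> ipaddress.IPv6Network:
    """The prefix both routers treat as on-link, i.e. where neighbor discovery applies."""
    return ipaddress.IPv6Network((link.a, link.plen), strict=False)

def anycast_collision(link: P2PLink) -> bool:
    """RFC 4291 defines the subnet-router anycast address as the subnet prefix with
    an all-zero interface identifier. On a /127 that is one of the two addresses;
    a /128 names a single host, so no subnet-router anycast exists for it. (RFC 6164
    permits /127 on inter-router links when that anycast address is not used.)"""
    if link.plen == 128:
        return False
    return onlink_prefix(link).network_address in (link.a, link.b)

def scannable_addresses(link: P2PLink) -> int:
    """Addresses in the on-link prefix that belong to neither router. A packet to
    any of them makes the router attempt neighbor resolution, which is the
    'scanning the rest of the /64' concern raised in the thread."""
    net = onlink_prefix(link)
    return net.num_addresses - sum(addr in net for addr in (link.a, link.b))

def host_route_config(link: P2PLink, ifname: str = "ptp0") -> dict:
    """Jeroen's scheme: each router owns a /128 and carries a /128 route to its
    peer via the point-to-point interface. Linux iproute2 syntax and the
    interface name are assumptions of this example, not from the thread."""
    if link.plen != 128:
        raise ValueError("the host-route scheme needs /128 addresses")
    return {
        "A": [f"ip -6 addr add {link.a}/128 dev {ifname}",
              f"ip -6 route add {link.b}/128 dev {ifname}"],
        "B": [f"ip -6 addr add {link.b}/128 dev {ifname}",
              f"ip -6 route add {link.a}/128 dev {ifname}"],
    }

if __name__ == "__main__":
    base = IPv6("2001:db8:abcd:1234::")  # documentation prefix used in the thread
    link = P2PLink(base + 1, base + 2, 128)
    print(anycast_collision(link), scannable_addresses(link), host_route_config(link))
```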
