Arturo, I am sure that you know: http://tools.ietf.org/html/draft-ietf-opsec-lla-only-03 which is one way of fixing the 'scanning' problem. OTOH, AFAIK most routers not only allow for a /127 on a PtP (or even Ethernet) interface :-) but also implement RFC 4443 correctly, i.e., even if you configure a /64 on a PtP they will not 'loop' the packet back to the interface => no amplification possible.

-éric

> -----Original Message-----
> From: [email protected] [mailto:ipv6-ops-
> [email protected]] On Behalf Of Jeroen Massar
> Sent: Saturday 1 June 2013 19:46
> To: Arturo Servin
> Cc: [email protected]
> Subject: Re: Point-to-point /64
>
> On 2013-06-01 10:41, Arturo Servin wrote:
> [..]
> >> If you are protecting against something scanning the rest of the /64
> >> where for instance only ::1 and ::2 are configured, you have two options:
> >> - actually use /128 routes
> >
> > What do you mean about /128 routes?
>
> You configure 2001:db8:abcd:1234::1/128 on A, and then configure
> 2001:db8:abcd:1234::2/128 on B.
>
> On A you route 2001:db8:abcd:1234::2/128 to the PtP interface, on B you
> route 2001:db8:abcd:1234::1/128 to the PtP interface.
>
> True Point-To-Point, with room to grow. Note that using a /127 might seem
> logical, it does not work due to the subnet-anycast address.
>
> Indeed, you 'lose' the rest of the /64, but when the time comes that you
> convert it to a multi-point link one can just add extra /128s in there.
>
> Greets,
> Jeroen
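
A toy forwarding model of the three configurations discussed in this thread (a /64 on the link without the RFC 4443 check, a /64 with it, and /128 host routes), added here as an illustration and not written by either poster. The `Router` class, `link_crossings`, the starting hop limit of 64 and the `::dead` address are assumptions made for the example.

```python
import ipaddress

A_ADDR, B_ADDR = "2001:db8:abcd:1234::1", "2001:db8:abcd:1234::2"
UNASSIGNED = "2001:db8:abcd:1234::dead"  # constructed: inside the /64, on neither router
SLASH64 = ["2001:db8:abcd:1234::/64"]

class Router:
    def __init__(self, own, ptp_routes, rfc4443):
        self.own = ipaddress.ip_address(own)
        # Prefixes this router sends out of the point-to-point interface
        self.ptp_routes = [ipaddress.ip_network(r) for r in ptp_routes]
        self.rfc4443 = rfc4443

    def handle(self, dst, arrived_on_ptp):
        if dst == self.own:
            return "deliver"
        if not any(dst in net for net in self.ptp_routes):
            return "drop"  # simplification: no other route (e.g. a default) covers dst
        if arrived_on_ptp and self.rfc4443:
            return "drop"  # RFC 4443 section 3.1: never forward back onto the arrival PtP link
        return "forward"

def link_crossings(ptp_routes_a, ptp_routes_b, rfc4443, dst, hop_limit=64):
    """Count how often one packet, entering at A from upstream, crosses the A<->B link."""
    node = Router(A_ADDR, ptp_routes_a, rfc4443)
    peer = Router(B_ADDR, ptp_routes_b, rfc4443)
    dst = ipaddress.ip_address(dst)
    crossings, from_ptp = 0, False
    while node.handle(dst, from_ptp) == "forward":
        hop_limit -= 1
        if hop_limit == 0:
            break  # hop limit exhausted, packet discarded
        crossings += 1
        node, peer, from_ptp = peer, node, True
    return crossings

if __name__ == "__main__":
    host_a, host_b = [B_ADDR + "/128"], [A_ADDR + "/128"]
    print("/64, no RFC 4443 check:", link_crossings(SLASH64, SLASH64, False, UNASSIGNED))
    print("/64, RFC 4443 check:   ", link_crossings(SLASH64, SLASH64, True, UNASSIGNED))
    print("/128 routes, unassigned:", link_crossings(host_a, host_b, False, UNASSIGNED))
    print("/128 routes, to B:      ", link_crossings(host_a, host_b, False, B_ADDR))
```
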
