Apologies for the double post... Mistakenly hit send instead of cancel on the first one.
Owen

On Jun 5, 2012, at 3:32 PM, Owen DeLong wrote:

>
> On Jun 5, 2012, at 3:23 PM, William Herrin wrote:
>
>> On 6/5/12, Owen DeLong <o...@delong.com> wrote:
>>> On Jun 5, 2012, at 2:23 PM, William Herrin wrote:
>>>> c. If it's a point to point, a reasonable practice seems to be a /64
>>>> per network area and around /124 per link. Works OK for ethernet point
>>>> to points too.
>>>
>>> /64 is perfectly reasonable per point to point as well.
>>
>> Hi Owen,
>>
>> Sure, but with the neighbor discovery cache issues that come up with
>> /64's under attack, why open yourself to trouble where you can't
>> realize any benefit?
>>
>
> It makes little sense to me to permit people outside your network
> to deliver packets to your point to point interfaces. Denying this
> traffic at your borders/edges eliminates all of the attacks without
> having to juggle inconsistent prefix sizes or do silly bit-math to
> figure out which address is at the other end of the link.
>
> Owen
>
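For readers who want to see what "denying this traffic at your borders/edges" looks like in practice, here is an added illustration that is not part of the original thread or of either poster's configuration. It assumes, purely for illustration, that all point-to-point links are numbered from a single dedicated aggregate (2001:db8:ffff::/48 here, a documentation prefix) and that the upstream-facing interface is GigabitEthernet0/0; the ACL name and interface are hypothetical. The filter drops any packet arriving from the outside whose destination falls inside the link aggregate, so an external sender can never force the router to resolve addresses on a /64 link, while traffic to customers and servers is unaffected. Cisco IOS syntax is used because it is what most list members would type; the same filter is expressible in any vendor's IPv6 ACL.

```cisco
! Added example, not from the thread. Prefixes and names are assumptions.
! 2001:db8:ffff::/48 = aggregate from which every internal point-to-point
! /64 is numbered; keeping them in one block makes the filter a single line.
ipv6 access-list INFRA-PROTECT
 remark Drop inbound packets destined to internal point-to-point links
 deny ipv6 any 2001:db8:ffff::/48
 remark Everything else (customer, server, transit traffic) passes
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description Upstream transit (assumed border-facing interface)
 ipv6 traffic-filter INFRA-PROTECT in
```

Two caveats a practitioner would check before deploying this. First, if the peering link to the upstream itself is numbered from the same aggregate, the peer's BGP and BFD packets to your side of that link would be dropped; number external peering links from a separate block, or add a `permit` for the peer's link /64 ahead of the `deny`. Second, the filter only protects links from senders outside the border; hosts inside the network can still direct traffic at link prefixes, so on larger networks the same ACL is usually also applied on customer-facing edges, and routers that support it should still cap their neighbor cache (for example with `ipv6 nd cache expire` and per-interface cache limits) as defense in depth.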