RE: IPv6 Advertisements
> > This assumes a single machine scanning, not a botnet of 1000 or even the 1.5m the Dutch gov't collected 2 yrs ago. Again, a sane discussion is in order. Scanning isn't AS EASY, but it certainly is still feasible,
>
> With 1.5 million hosts it will only take 3500 years... for a _single_ /64! I'm not sure that's what I would call feasible.

I would call that not understanding today's security world. Scanning is not the primary mode of looking for vulnerabilities today. There are several more effective "come here and get infected" and "click on this attachment and get infected" techniques. What scanning does go on today is usually not the "let's scan the Internet" kind. No money in it. You target your scans to the address ranges of the sites you are trying to mine (i.e. build BOTNETs) or go after.
Re: IPv6 Advertisements
On Tue, 29 May 2007, Donald Stahl wrote:
> That said- ARIN is handing out /48's- should we be blocking validly assigned networks?

Your network might have to, to protect its valuable routing slots. There are places in the v4 world where /24's are not carried either. So, as Bill said, just 'cause you get an allocation doesn't mean you can assure routability of it everywhere.
Re: IPv6 Advertisements
On Tue, 29 May 2007, Donald Stahl wrote:
> > > That said- ARIN is handing out /48's- should we be blocking validly assigned networks?
> >
> > Your network might have to, to protect its valuable routing slots. There are places in the v4 world where /24's are not carried either. So, as Bill said, just 'cause you get an allocation doesn't mean you can assure routability of it everywhere.
>
> I understand the problems but I think there are clear cut cases where /48's make sense- a large scale anycast DNS provider would seem to be a good candidate for a /48 and I would hope it would get routed. Then again that might be the only sensible reason...

vixie had a fun discussion about anycast and dns... something about him being sad/sorry about making everyone have to carry a /24 for f-root everywhere. I think there is a list of 'golden prefixes' or something; normally this is where Jeroen Massar jumps in with GRH data and pointers.

-Chris
Re: IPv6 Advertisements
> vixie had a fun discussion about anycast and dns... something about him being sad/sorry about making everyone have to carry a /24 for f-root everywhere.

Whether it's a /24 for f-root or a /20 doesn't really make a difference- it's a routing table entry either way- and why waste addresses. I think there are a few services where these sorts of exceptions make sense and f-root is certainly one of them.

-Don
Re: IPv6 Advertisements
> > RIPE may only give out /32's but ARIN gives out /48's so there wouldn't be any deaggregation in that case.
>
> The RIPE NCC assign /48s from 2001:0678::/29 according to ripe-404: http://www.ripe.net/ripe/docs/ripe-404.html

Yeah I missed that. This matches ARIN's policy for critical infrastructure.

-Don
Re: IPv6 Advertisements
On Tue, 29 May 2007, David Conrad wrote:
> Should've clarified: this was in the context of IPv4... To be honest, I'm not sure what the appropriate equivalent would be in IPv6 (/128 or /64? Arguments can be made for both I suppose).

There have been discussions of this sort made over the years. A good place to start would be the old (well, maybe not that old) 6Net site where there's a list of publications called 'Deliverables'. The info is buried in there, but amongst other things it contains deployment scenarios as well as cookbooks documenting IPv6 designs and roll-outs, and what they learned from it all. Lots to read, but good info nonetheless:

http://www.6net.org/publications/deliverables/

> Rgds,
> -drc
>
> On May 29, 2007, at 9:34 AM, David Conrad wrote:
> > On May 29, 2007, at 8:23 AM, Donald Stahl wrote:
> > > > vixie had a fun discussion about anycast and dns... something about him being sad/sorry about making everyone have to carry a /24 for f-root everywhere.
> > >
> > > Whether it's a /24 for f-root or a /20 doesn't really make a difference- it's a routing table entry either way- and why waste addresses.
> >
> > I once suggested that due to the odd nature of the root name server addresses in the DNS protocol (namely, that they must be hardwired into every caching resolver out there and thus, are somewhat difficult to change), the IETF/IAB should designate a bunch of /32s as root server addresses as DNS protocol parameters. ISPs could then explicitly permit those /32s. However, the folks I mentioned this to (some root server operators) felt this would be inappropriate.
> >
> > Rgds,
> > -drc

wfms
Re: IPv6 Advertisements
On Tue, May 29, 2007 at 06:14:51PM +0100, Brandon Butterworth wrote:
> You get one shot at fixed prefix size filters, miss and you'll pay forever.
> Which is more scarce, /32's or routing table entries.

your first lemma is false. and RTEs are more scarce.

brandon, let me ask you two questions:
... how many /32's are there?
... how many of them will you allow in your routing table?
and a bonus question:
... what are your criteria for rejecting a given /32?

--bill
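The fixed-prefix-size filter the last two messages argue about (accept /32 and shorter, carve out critical-infrastructure /48s such as the RIPE NCC's 2001:0678::/29 from ripe-404 quoted above), written out as an added example. This is not code from any poster or from any router vendor; the thresholds, the 2000::/3 global-unicast sanity check, the `Decision`/`evaluate`/`filter_announcements` names and the sample announcement list are all assumptions made for illustration, and the critical-infrastructure block list contains only the block the thread names.

```python
"""
Prefix-length import filter for IPv6 announcements (added example, not from
the thread). Policy, all of it an assumption for illustration:
  - only global unicast (2000::/3) is considered routable at all;
  - accept prefixes of /32 or shorter (the usual RIR allocation size);
  - also accept /48s that fall inside a known critical-infrastructure block,
    e.g. 2001:0678::/29 (RIPE NCC, ripe-404, the one block the thread names);
  - reject everything else, i.e. the more-specifics that eat routing slots.
"""
import ipaddress
from dataclasses import dataclass

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # sanity check, not from thread
MAX_GENERAL_LEN = 32                                 # assumed general cut-off
MAX_CRITICAL_LEN = 48                                # assumed critical-infra cut-off

# "Golden prefix" exceptions. Only the RIPE NCC block quoted in the thread is
# listed; other RIRs' equivalents are not named on the page, so none are invented.
CRITICAL_INFRA_BLOCKS = [
    ipaddress.ip_network("2001:678::/29"),
]


@dataclass(frozen=True)
class Decision:
    prefix: str
    accept: bool
    reason: str


def evaluate(prefix_str: str) -> Decision:
    """Apply the policy to one announced prefix and say why it passed or failed."""
    try:
        # strict=True refuses host bits set (e.g. 2001:db8::1/32), which is a
        # malformed announcement rather than a policy question.
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as exc:
        return Decision(prefix_str, False, f"unparseable: {exc}")
    if net.version != 6:
        return Decision(prefix_str, False, "not IPv6")
    if not net.subnet_of(GLOBAL_UNICAST):
        return Decision(prefix_str, False, "outside 2000::/3 global unicast")
    if net.prefixlen <= MAX_GENERAL_LEN:
        return Decision(prefix_str, True, f"/{net.prefixlen} is within /{MAX_GENERAL_LEN}")
    if net.prefixlen <= MAX_CRITICAL_LEN and any(
        net.subnet_of(block) for block in CRITICAL_INFRA_BLOCKS
    ):
        return Decision(prefix_str, True,
                        f"/{net.prefixlen} inside a critical-infrastructure block")
    return Decision(prefix_str, False,
                    f"/{net.prefixlen} more specific than /{MAX_GENERAL_LEN} "
                    "and not critical infrastructure")


def filter_announcements(prefixes):
    """Evaluate a batch; returns (accepted, rejected) lists of Decision."""
    decisions = [evaluate(p) for p in prefixes]
    accepted = [d for d in decisions if d.accept]
    rejected = [d for d in decisions if not d.accept]
    return accepted, rejected


# Constructed sample announcements; 2001:db8::/32 is documentation space.
SAMPLE_ANNOUNCEMENTS = [
    "2001:db8::/32",        # ordinary allocation: accept
    "2001:db8:1::/48",      # more-specific of that allocation: reject
    "2001:678:4::/48",      # /48 from the RIPE critical-infra block: accept
    "2001:678:4:1::/64",    # too long even inside the critical block: reject
    "2001:db8::1/32",       # host bits set: reject as malformed
    "fc00::/32",            # unique local, outside 2000::/3: reject
    "192.0.2.0/24",         # IPv4, wrong family for this filter: reject
]

if __name__ == "__main__":
    ok, bad = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    for d in ok + bad:
        print(f"{'ACCEPT' if d.accept else 'REJECT':6} {d.prefix:20} {d.reason}")
```

The point the example makes about Brandon's "one shot" remark is that the cut-off is a table, not a constant: if a critical-infrastructure block or a second general length has to be admitted later, it is a policy-list change rather than a new filter, which is what a "golden prefix" list buys you.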
Re: IPv6 Advertisements
> This assumes a single machine scanning, not a botnet of 1000 or even the 1.5m the Dutch gov't collected 2 yrs ago. Again, a sane discussion is in order. Scanning isn't AS EASY, but it certainly is still feasible,

With 1.5 million hosts it will only take 3500 years... for a _single_ /64! I'm not sure that's what I would call feasible.

-Don