al work, but you are not vulnerable to NDP attacks from outside.
CONVERT MAC ADDRESS INTO IPV6 EUI 64 FREE
In this way, you're free to just go ahead and use a /64 on your P2P links and still have traceroutes, ICMP errors et. My personal favourite, however is to allocate a reasonable chunk of your IPv6 space purely for facilitating P2P links (in my case, I reserved a /48) - this /48 is then blocked on all network edge interfaces at ingress as a destination. So, my personal recommendation is to allocate a /64 for every P2P link even if you only use a /127 on the wire - that way, when you bring up your routing protocol, you can then aggregate the /127 to a /64. We will place fffe in the middle of the Mac address as shown here.
CONVERT MAC ADDRESS INTO IPV6 EUI 64 64 BITS
Even on a TCAM that only has 32 or 48 bit width, going beyond /64 is obviously still significant. How does the MAC address 00a1-6789-abcd translate into the right-most 64 bits of the IPv6 address when EUI-64 is used Very interesting question here. Anything longer and it has to perform another lookup operation. The reason for this is that, essentially, most modern router TCAMs can typically only handle up to 64 bits of address width at a time - this means that if you're in a situation where all routes are /64 or shorter, lookups can occur in a single cycle. Using a /127 isn't terrible, but letting it go into your backbone as a /127 is. Just keep the RFC I mentioned in mind, and make sure you follow the guidelines it provides. Your routing table may take a small hit since all of the P2P prefixes won't be easy to summarize, but it's unlikely to be a significant problem. In conclusion, I believe the general consensus is that using a /127 is not a big deal - in fact you may want to allocate a single /64 for all your P2P links. On P2P links where SLAAC is not used, it's not that big of a deal. A mac address is 48 bits, an IPv6 address is 128 bits. This link-local IPv6 is infered from the NIC’s mac address. The fear of ping-pong attacks was mitigated in the most recent version of ICMP, and neighbor cache exhaustion attacks are actually eliminated on P2P links by using a /127 prefix.ĮUI-64 is generally preferable on user subnets, since SLAAC generally breaks if /64 subnets are not used. Instead of getting an address via DHCP, a NIC will hop on the network with a link-local IPv6 address and with this will have to ability to do further configuration automatically (soliciting neighbors, router, et cetera).
RFC6164 illustrates that it actually may be a good idea to use a /127 - it identifies some of the big issues for moving to a /127 on a P2P link, and talks about the steps that have been taken to mitigate, if any. Stateless Address Autoconfiguration (SLAAC): Uses EUI-64 (64-bit extended unique identifier) to determine a globally unique address based on the MAC address.
When it comes down to it, using a /127 on a point-to-point link isn't really a terrible idea. The unspecified address cannot be used as a destination IPv6 address.This is the subject of a large debate that's been going on for a while. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. It may never be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself in the same way as the loopback address in IPv4. Packets with site-local source or destination addresses are not forwarded out of the local site (or a private network). The site-local unicast addresses are similar to private IPv4 addresses. Packets with link-local source or destination addresses are not forwarded to other links. The link-local addresses are used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. This type of address allows efficient prefix aggregation to restrict the number of global routing entries. The global unicast addresses, equivalent to public IPv4 addresses, are provided for network service providers. Unicast addresses comprise global unicast addresses, link-local unicast addresses, site-local unicast addresses, the loopback address, and the unspecified address. A 64-bit interface ID is created by inserting the hex value of FFFE in the middle of the MAC address of the network card.
0 kommentar(er)
