Home page logo
/

nanog logo nanog mailing list archives

Re: subnet prefix length > 64 breaks IPv6?
From: Ray Soucy <rps () maine edu>
Date: Sat, 24 Dec 2011 12:10:32 -0500

Your understanding of IPv6 is poor if you think by not using a 64-bit
prefix you will be protected against rogue RA.

The prefix length you define on your router will have no impact on a
rogue RA sent out.  IPv6 hosts can have addresses from multiple
prefixes on the same link.  Choosing to make use of a 120-bit prefix
(for example) will do nothing to protect against a rogue RA announcing
its own 64-bit prefix with the A flag set.

You can use a 64-bit prefix and not use SLAAC as well.  SLAAC is used
only when the A flag is set.  It just so happens that the majority of
router implementations have it set by default.

You still need to filter RA from unauthorized hosts.  Currently, many
switches can accomplish this using a PACL on access ports.  In the
near future, we will begin to see the RA Guard feature become standard
on enterprise switches.

Mind you, you should be filtering out rogue RA regardless if whether
or not you have deployed IPv6.  Windows ICS sending RA is a widespread
problem (honestly wish Microsoft would remove ICS from the default
install).

There are some things that will break by not using a 64-bit prefix.
SLAAC can't function without it.  Privacy Extensions for SLAAC can't
either (obviously).

If you make use of a longer prefix, then you need to use either manual
configuration or DHCPv6 for address assignment.

All standards-compliant implementations of IPv6 will work with
prefixes longer than 64-bit.  In production, we make use of 126-bit
prefixes for link networks, and common use of 120 (and similar)
prefixes for host networks and they work perfectly.

That said, the only reason we don't make use of 64-bit prefixes for
host networks is in an effort (which may be futile) to mitigate
neighbor table exhaustion attacks.  We still reserve a full 64-bit
prefix, allowing us to expand the prefix in the future without
disrupting service.  The long term plan is to migrate to 64-bit
prefixes when routing equipment is better able to handle neighbor
table exhaustion attacks.

As for the comments on the use of multicast; multicast is a good
thing.  On most devices is is no different than broadcast, but it adds
the information needed for more advanced hardware (e.g. managed
switches with MLD snooping) to only replicate the traffic to
interested parties.  The elimination of broadcast traffic in IPv6 is a
good thing, and doesn't introduce any problem.

The (related) other comment made was using ARP with IPv6 instead of
ND.  This also shows a poor understanding of how IPv6 works.  ARP is
for IPv4, ND is for IPv6.  There is no ARP for IPv6.  ND has the
advantage that it actually happens over IPv6, rather than a lower
level or parallel protocol.  This makes filtering such traffic and
designing hardware that is aware of it significantly easier.  It will
be nice to reach a point where non-IPv6 traffic can be filtered and
dropped completely.  Other than making use of the link-local scope and
using a multicast group instead of broadcast, ND is pretty much the
same thing as ARP.

On Sat, Dec 24, 2011 at 10:30 AM, Sven Olaf Kamphuis <sven () cb3rob net> wrote:
it only breaks the auto configure crap which you don't want to use anyway.

(unless you want to have any computer on your network be able to tell any
other computer "oh hai i'm a router, please route all your packets through
me so i can intercept them" and/or flood its route table ;)

we use all kinds of things from /126'es to /112 (but hardly any /64 crap)

works perfectly fine.

as long as its nibble aligned (for other reasons ;)

--
Greetings,

Sven Olaf Kamphuis,
CB3ROB Ltd. & Co. KG
=========================================================================
Address: Koloniestrasse 34         VAT Tax ID:      DE267268209
        D-13359                   Registration:    HRA 42834 B
        BERLIN                    Phone:           +31/(0)87-8747479
        Germany                   GSM:             +49/(0)152-26410799
RIPE:    CBSK1-RIPE                e-Mail:          sven () cb3rob net
=========================================================================
<penpen> C3P0, der elektrische Westerwelle
http://www.facebook.com/cb3rob
=========================================================================

Confidential: Please be advised that the information contained in this
email message, including all attached documents or files, is privileged
and confidential and is intended only for the use of the individual or
individuals addressed. Any other use, dissemination, distribution or
copying of this communication is strictly prohibited.



On Sat, 24 Dec 2011, Glen Kent wrote:

Hi,

I am trying to understand why standards say that "using a subnet
prefix length other than a /64 will break many features of IPv6,
including Neighbor Discovery (ND), Secure Neighbor Discovery (SEND)
[RFC3971], .. " [reference RFC 5375]

Or "A number of other features currently in development, or being
proposed, also rely on /64 subnet prefixes."

Is it because the 128 bits are divided into two 64 bit halves, where
the latter identifies an Interface ID which is uniquely derived from
the 48bit MAC address.

I am not sure if this is the reason as this only applies to the link
local IP address. One could still assign a global IPv6 address. So,
why does basic IPv6 (ND process, etc) break if i use a netmask of say
/120?

I know that several operators use /120 as a /64 can be quite risky in
terms of ND attacks. So, how does that work? I tried googling but
couldnt find any references that explain how IPv6 breaks with using a
netmask other than 64.

Glen





-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]