Re: subnet prefix length > 64 breaks IPv6?
From: Kevin Loch <kloch () kl net>
Date: Thu, 29 Dec 2011 14:03:02 -0500

Iljitsch van Beijnum wrote:
On 24 Dec 2011, at 6:32 , Glen Kent wrote:

I am trying to understand why standards say that "using a subnet
prefix length other than a /64 will break many features of IPv6,
including Neighbor Discovery (ND), Secure Neighbor Discovery (SEND)
[RFC3971], ..." [reference RFC 5375]

For stateless autoconfig the issue is that it uses 64-bit "interface identifiers" (~ MAC addresses) that are supposed to be globally unique. You can't shave off bits and remain globally unique.

With SEND a cryptographic hash that can be used to determine address ownership is stored in the interface identifier. Here shaving off addresses reduces security.

Also somehow the rule that all normal address space must use 64-bit interface identifiers found its way into the specs for no reason that I have ever been able to uncover. On the other hand there's also the rule that IPv6 is classless and therefore routing on any prefix length must be supported, although for some implementations forwarding based on > /64 is somewhat less efficient.


The 64 bit "mattress tag" is one of the cute historical quirks of IPv6.
Of course in practice we use all sorts of longer prefixes for the same
reasons we do in IPv4:  loopback IPs, limiting the scope of
infrastructure links and server subnets, the many uses of more specific
static routes, null routes (including the very important /128 DDoS
blackhole).

The good news is that vendors recognized the need to efficiently route
all 128 bits.  Is there any known platform that does not?  I'm starting
to think this is an ancient myth that keeps resurfacing.

- Kevin
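The two mechanisms discussed above (SLAAC's fixed 64-bit interface identifier and SEND's hash-in-the-IID) can be seen in a few lines of Python. The block below is an added illustration, not code from this thread or from any NANOG participant. It assumes a constructed MAC address, the RFC 3849 documentation prefix 2001:db8::/32, and placeholder public-key bytes; the CGA routine is a simplified form of RFC 3972 (Hash1 only, no Hash2 hash-extension work for sec > 0), and `cga_hash_bits` is only a bit-budget calculation that illustrates why a prefix longer than /64 leaves fewer hash bits in the address.

```python
import hashlib
import ipaddress

# Constructed sample inputs for the example (not taken from the thread).
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
SAMPLE_PUBKEY = b"placeholder-DER-encoded-public-key-bytes"   # hypothetical key
SAMPLE_MODIFIER = bytes(16)                                  # RFC 3972 modifier, zeroed here


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE between the OUI and the device part and flip the u/l bit of octet 0.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Form a SLAAC address: RFC 4862 requires prefix length + IID length == 128,
    so with a 64-bit IID only a /64 prefix can be autoconfigured."""
    if prefix.prefixlen != 64:
        raise ValueError(
            f"/{prefix.prefixlen} leaves {128 - prefix.prefixlen} bits for the IID; "
            "stateless autoconfiguration needs exactly 64"
        )
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def cga_iid(prefix: ipaddress.IPv6Network, pubkey: bytes, modifier: bytes,
            sec: int = 0, collision_count: int = 0) -> int:
    """Simplified RFC 3972 CGA interface identifier: Hash1 over
    modifier || subnet prefix || collision count || public key, with the
    sec value written into the top three bits and the u/g bits cleared.
    (The Hash2 work-factor check required for sec > 0 is omitted.)"""
    if not 0 <= sec <= 7 or len(modifier) != 16 or not 0 <= collision_count <= 2:
        raise ValueError("sec must be 0..7, modifier 16 bytes, collision count 0..2")
    subnet_prefix = int(prefix.network_address).to_bytes(16, "big")[:8]
    hash1 = hashlib.sha1(
        modifier + subnet_prefix + bytes([collision_count]) + pubkey
    ).digest()[:8]
    iid = int.from_bytes(hash1, "big")
    iid &= ~(0x07 << 61)   # clear the top three bits ...
    iid |= sec << 61       # ... and store sec there
    iid &= ~(0x03 << 56)   # clear the u and g bits (low two bits of octet 0)
    return iid


def cga_hash_bits(prefix_len: int) -> int:
    """Hash1 bits that actually survive in the address: 128 - prefix - 3 (sec) - 2 (u/g).
    RFC 3972 gets 59 for a /64; every bit moved into the prefix is a bit of hash lost."""
    return max(128 - prefix_len - 3 - 2, 0)


if __name__ == "__main__":
    iid = eui64_iid(SAMPLE_MAC)
    print("EUI-64 IID:      ", f"{iid:016x}")
    print("SLAAC address:   ", slaac_address(SAMPLE_PREFIX, iid))
    try:
        slaac_address(ipaddress.IPv6Network("2001:db8:1:2::/80"), iid)
    except ValueError as err:
        print("With a /80:      ", err)
    cga = cga_iid(SAMPLE_PREFIX, SAMPLE_PUBKEY, SAMPLE_MODIFIER, sec=1)
    print("CGA address:     ", ipaddress.IPv6Address(int(SAMPLE_PREFIX.network_address) | cga))
    for plen in (64, 72, 80, 96):
        print(f"/{plen}: {cga_hash_bits(plen)} hash bits left for address ownership")
```

Running it shows the SLAAC address formed from the /64 and the EUI-64, the rejection of a /80 (only 48 bits remain for a 64-bit identifier), and the shrinking hash budget for CGA as the prefix grows: 59 bits at /64, 43 at /80. Neither check says anything about the forwarding plane, which is Kevin's point: routing a /128 blackhole is a separate question from whether hosts can autoconfigure on that prefix.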