Re: Yahoo and IPv6

[Jeff Wheeler <jsw () inconcepts biz>]

On Mon, May 9, 2011 at 10:04 PM, Joel Maslak <jmaslak () antelope net> wrote:
> On Mon, May 9, 2011 at 3:57 PM, Jeff Wheeler <jsw () inconcepts biz> wrote:
> I do take issue with your suggestion that /64 LANs are in any way
> > smart in the datacenter.  They are not.  I have some slides on this
> > topic: http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
>
> There are ways of mitigating this (the easiest is to use ACLs or firewalls
> to limit traffic into a subnet from untrusted sources so that only
> legitimate traffic is allowed).

Your suggestion has two main disadvantages:
1) it doesn't work on some platforms, because input ACL won't stop ND
learn/solicit -- obviously this is bad
2) it requires you to configure a potentially large input ACL on every
single interface on the box, and adjust that ACL whenever you
provision more IPv6 addresses for end-hosts -- kinda like not having a
control-plane filter, only worse

-- 
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator  /  Innovative Network Concepts