[c-nsp] "Compressed" IPv6 ACLs on Cat6500

Mack McBride mack.mcbride at viawest.com
Sat Dec 11 14:41:33 EST 2010


Correct, the security posture is more important.
General consensus is that a subnet is a /64.
More specifics should be used to reduce exposure to attacks.
Links for example are generally assigned as /126 or /127.

Mack

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Saturday, December 11, 2010 3:26 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] "Compressed" IPv6 ACLs on Cat6500

On (2010-12-10 13:43 -0800), Mack McBride wrote:

> This is exactly the expected behavior for sequence 30.
> You can use longer than a /88 but don't expect differentiation on bits 39:24.
> This corresponds to standard practice which would have those bits set to zero.
> I.e. allocate a /64 but use a /112 or /120 to reduce exposure to ND cache exhaustion.

I have no argument that this is what the platform should do; I'm just
saying that an operator using (assigning) more specific than /88 is not going
to be happy, so it makes sense to just not use more specific than /88.
What you're doing is using more specific, but you're making sure that the
security posture is the same inside the /88 (or in this case /64).

-- 
  ++ytti
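Worked illustration, added here and not code from either poster: a small model of which addresses an ACE longer than /88 actually matches when bits 39:24 are not differentiated, as the thread describes. The bit rule and the sample hosts are assumptions taken from the posts above, not from platform documentation.

```python
# Added example (not from the thread). Models an ACL entry (ACE) whose lookup
# cannot differentiate on address bits 39:24 (MSB = bit 127), the behaviour
# the posts above attribute to prefixes longer than /88. ASSUMPTION: only
# those 16 bits are dropped; all other prefix bits are compared normally.
import ipaddress

UNDIFFERENTIATED = 0xFFFF << 24  # bits 39:24 of the 128-bit address


def ace_matches(ace: str, addr: str) -> bool:
    """Does the compressed lookup for prefix/len `ace` match `addr`?"""
    net = ipaddress.IPv6Network(ace, strict=False)
    a = int(ipaddress.IPv6Address(addr))
    p = int(net.network_address)
    compared = int(net.netmask) & ~UNDIFFERENTIATED  # prefix bits really used
    return (a ^ p) & compared == 0


def exact_matches(ace: str, addr: str) -> bool:
    """What the operator wrote: a full-precision prefix match."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(ace, strict=False)


def unintended_hits(ace: str, hosts):
    """Hosts the compressed ACE matches although the written prefix does not."""
    return [h for h in hosts if ace_matches(ace, h) and not exact_matches(ace, h)]


def ambiguity(ace: str) -> int:
    """How many distinct address blocks collapse onto this ACE (1 = none).
    Only prefix bits that fall inside 39:24 are lost, so /88 is unaffected."""
    net = ipaddress.IPv6Network(ace, strict=False)
    lost_bits = bin(int(net.netmask) & UNDIFFERENTIATED).count("1")
    return 1 << lost_bits


# Constructed sample: a /120 assignment inside a /64, as Mack suggests, and a
# few hosts elsewhere in the same /64 whose posture might differ.
ACE = "2001:db8:0:1::/120"
HOSTS = [
    "2001:db8:0:1::7",            # inside the /120: matches either way
    "2001:db8:0:1::ff:fe00:7",    # differs only in bits 39:24 (EUI-64 style FFFE)
    "2001:db8:0:1::1:7",          # differs in bit 16: still differentiated
    "2001:db8:0:1:1::7",          # differs in bit 48: still differentiated
]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:28} written={exact_matches(ACE, h)!s:5} hw={ace_matches(ACE, h)}")
    print("unintended:", unintended_hits(ACE, HOSTS))
    print("blocks collapsing onto", ACE, "=", ambiguity(ACE))
```

The audit shows why Saku's caveat holds: a /120 ACE is safe only if every address in its /88 that differs just in bits 39:24 is meant to share the same posture, and `ambiguity()` gives a quick check of how many such blocks an ACE silently covers.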
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/