From: Fernando Gont <fgont@si6networks.com>
Subject: Re: Use IPv6 /128 instead of /64 for PPP interfaces
To: Florian Obser <florian@openbsd.org>, Denis Fondras <denis@openbsd.org>
Cc: tech@openbsd.org
Date: Sun, 17 Nov 2024 15:33:39 -0300

Hi,

On 16/11/24 18:25, Florian Obser wrote:
> I'm probably missing something because I've never used PPP with IPv6.
> 
> What does this solve? It's not like you are going to run out of space in fe80::/10 and if the PPP server is attacking your ndp table you have bigger problems...

If the OP refers to link-local addresses, there's probably not much of a 
reason (that I know of, at least).

OTOH, if he refers to a GUA (assuming he's assigning a GUA to such 
interfaces), then it does make sense (see 
https://www.rfc-editor.org/rfc/rfc6583.txt ).

TLDR; a remote attacker address-scanning the associated subnet can 
trigger NCE (neighbor cache exhaustion).

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
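
A simplified model of the neighbor cache exhaustion condition (RFC 6583) referred to in the message above, added here as an illustration; it is not part of the original email and is not OpenBSD code. The cache limit, the documentation prefix 2001:db8:0:1::/64, the local address ::1 and all class and function names are assumptions.

```python
import ipaddress

SUBNET = ipaddress.ip_network("2001:db8:0:1::/64")  # documentation prefix (constructed)


class NeighborCache:
    """Toy model of one interface's IPv6 neighbor cache (assumed fixed size)."""

    def __init__(self, onlink_prefix, limit):
        self.onlink = ipaddress.ip_network(onlink_prefix)
        self.limit = limit
        self.entries = {}   # address -> state
        self.refused = 0    # resolutions that could not start

    def forward(self, dst):
        """Handle a packet whose destination is routed to this interface."""
        dst = ipaddress.ip_address(dst)
        if dst not in self.onlink:
            return "not-on-link"        # no address resolution, no state created
        if dst in self.entries:
            return self.entries[dst]
        if len(self.entries) >= self.limit:
            self.refused += 1
            return "cache-full"         # a new neighbor cannot be resolved
        self.entries[dst] = "INCOMPLETE"  # state held while waiting for a reply
        return "INCOMPLETE"

    def has_room(self):
        return len(self.entries) < self.limit


def simulate(onlink_prefix, limit=256, probes=1000):
    """Send traffic to unused addresses of SUBNET and report the cache state."""
    cache = NeighborCache(onlink_prefix, limit)
    # SUBNET[1] is taken as the interface's own address, so probing starts at ::2.
    for i in range(2, probes + 2):
        cache.forward(SUBNET[i])
    incomplete = sum(1 for s in cache.entries.values() if s == "INCOMPLETE")
    return {"incomplete": incomplete,
            "refused": cache.refused,
            "room_left": cache.has_room()}


if __name__ == "__main__":
    print("/64 :", simulate("2001:db8:0:1::/64"))
    print("/128:", simulate("2001:db8:0:1::1/128"))
```

With the /64 treated as on-link, every probed address consumes an INCOMPLETE entry until the cache is full; with the /128, the same traffic creates no neighbor state.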