From: Fernando Gont
Subject: Re: Use IPv6 /128 instead of /64 for PPP interfaces
To: Florian Obser, Denis Fondras
Cc: tech@openbsd.org
Date: Sun, 17 Nov 2024 15:33:39 -0300

Hi,

On 16/11/24 18:25, Florian Obser wrote:
> I'm probably missing something because I've never used PPP with IPv6.
>
> What does this solve? It's not like you are going to run out of space in
> fe80::/10 and if the PPP server is attacking your ndp table you have
> bigger problems...

If the OP refers to link-local addresses, there's probably not much of a
reason (that I know of, at least).

OTOH, if he refers to a GUA (assuming he's assigning a GUA to such
interfaces), then it does make sense (see
https://www.rfc-editor.org/rfc/rfc6583.txt ).

TLDR; a remote attacker address-scanning the associated subnet can
trigger NCE (neighbor cache exhaustion).

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494