Disadvantages or risks of leaving the family inet6 configuration under interface configuration in Junos...
I have a corner-case where I need to leave the family inet6 configuration under IFL present while hosts in that network should not use IPv6. This means that the logical interface of a router will contain a family inet6 and a link-local address:
root@r1> show interfaces ge-0/0/0.10
Logical interface ge-0/0/0.10 (Index 332) (SNMP ifIndex 534)
Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.10 ] Encapsulation: ENET2
Input packets : 0
Output packets: 146
Protocol inet6, MTU: 1500
Max nh cache: 75000, New hold nh limit: 75000, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
Addresses, Flags: Is-Preferred
Destination: fe80::/64, Local: fe80::206:a00:a0e:fff0
Protocol multiservice, MTU: Unlimited
root@r1>
This should mean that when hosts manually configure a global unicast address, then in theory they can reach the destination, but the packet is not routed back to them. However, this is not even viable because of the RPF check. Also, hosts can reach the router over IPv6, but I don't see this as a problem.
Are there any other risks/disadvantages with this setup?
ipv6 juniper
asked 2 days ago
Martin
1 Answer
In my mind, this is unusual, and would probably get picked up as a configuration error in an audit unless you document it really well - consider leaving a comment on the interface to explain to future generations why this is being done.
Also consider the "hosts can reach the router over IPv6" - this means that you should also update your loopback filter to protect your routing-engine from connections arriving on IPv6 (e.g. control-plane protocols, remote access, SNMP, etc.)
I'd like to know your corner case, and wonder if putting family inet6 on a loopback interface wouldn't be a better way to solve it? (a loopback IP wouldn't be exposed to any other hosts without interface routes)
answered 2 days ago
Benjamin Dale
I want to make sure you saw this: networkengineering.meta.stackexchange.com/q/813/8499
– Ron Maupin♦
2 days ago
Just read it - not sure what I'm looking for though? Are you suggesting the question is off topic?
– Benjamin Dale
yesterday
No. It is for users to determine what is or is not on-topic here, and I have been trying to notify people to comment/answer/vote on what they want to see for this site.
– Ron Maupin♦
23 hours ago
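An added example, not part of the question or the answer: a small Python check over `show configuration | display set` output that flags the two points the answer raises, an undocumented unit carrying `family inet6` with only a link-local address, and a missing inet6 input filter on lo0. The sample configuration, the filter name `PROTECT-RE` and the addresses are constructed; only ge-0/0/0.10 mirrors the question.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "display set" form (addresses and filter name are
# made up for illustration; ge-0/0/0 unit 10 mirrors the interface in the question).
SAMPLE = """\
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 unit 10 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 10 family inet6
set interfaces ge-0/0/1 unit 0 description "v6 uplink"
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces lo0 unit 0 family inet address 198.51.100.1/32
"""
UNIT = re.compile(r"^set interfaces (\S+) unit (\d+) (.+)$")

def audit(display_set):
    """Return findings for link-local-only inet6 units and the lo0 inet6 filter."""
    units = defaultdict(lambda: {"inet6": False, "addr6": False, "desc": False})
    lo0_filter6 = False
    for line in display_set.splitlines():
        m = UNIT.match(line.strip())
        if not m:
            continue
        ifd, unit, rest = m.groups()
        u, parts = units[f"{ifd}.{unit}"], rest.split()
        if parts[0] == "description":
            u["desc"] = True
        elif parts[:2] == ["family", "inet6"]:
            u["inet6"] = True
            # An explicitly configured fe80:: address is still link-local only.
            if len(parts) > 3 and parts[2] == "address" and not parts[3].lower().startswith("fe80:"):
                u["addr6"] = True
            if ifd == "lo0" and rest.startswith("family inet6 filter input"):
                lo0_filter6 = True  # matches both "input" and "input-list"
    findings, any_v6 = [], False
    for name, u in sorted(units.items()):
        if not u["inet6"] or name.startswith("lo0."):
            continue
        any_v6 = True  # the routing engine is reachable over IPv6 via this unit
        if not u["addr6"] and not u["desc"]:
            findings.append(f"{name}: family inet6 with link-local only and no description")
    if any_v6 and not lo0_filter6:
        findings.append("lo0: no family inet6 input filter protecting the routing engine")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check only confirms that a filter is attached; whether its terms actually restrict control-plane protocols, remote access and SNMP over IPv6 still has to be reviewed by hand.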