Disadvantages or risks of leaving the family inet6 configuration under interface configuration in Junos...












5














I have a corner case where I need to leave the family inet6 configuration under the IFL present while hosts in that network should not use IPv6. This means that the logical interface of a router will contain a family inet6 and a link-local address:



root@r1> show interfaces ge-0/0/0.10   
Logical interface ge-0/0/0.10 (Index 332) (SNMP ifIndex 534)
Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.10 ] Encapsulation: ENET2
Input packets : 0
Output packets: 146
Protocol inet6, MTU: 1500
Max nh cache: 75000, New hold nh limit: 75000, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
Addresses, Flags: Is-Preferred
Destination: fe80::/64, Local: fe80::206:a00:a0e:fff0
Protocol multiservice, MTU: Unlimited

root@r1>


This should mean that when hosts manually configure a global unicast address, then in theory they can reach the destination, but the packet is not routed back to them. However, this is not even viable because of the RPF check. Also, hosts can reach the router over IPv6, but I don't see this as a problem.
Are there any other risks/disadvantages with this setup?


































  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can provide and accept your own answer.
    – Ron Maupin
    Dec 25 '18 at 10:04
















ipv6 juniper juniper-junos














edited Dec 21 '18 at 3:35









Ron Maupin











asked Nov 20 '18 at 8:48









Martin



1 Answer


















4














In my mind, this is unusual, and would probably get picked up as a configuration error in an audit unless you document it really well - consider leaving a comment on the interface to explain to future generations why this is being done.



Also consider the "hosts can reach the router over IPv6" - this means that you should also update your loopback filter to protect your routing-engine from connections arriving on IPv6 (e.g. control-plane protocols, remote access, SNMP etc.)



I'd like to know your corner case, and wonder if putting family inet6 on a loopback interface wouldn't be a better way to solve it? (a loopback IP wouldn't be exposed to any other hosts without interface routes)



























  • I want to make sure you saw this: networkengineering.meta.stackexchange.com/q/813/8499
    – Ron Maupin
    Nov 20 '18 at 17:29










  • Just read it - not sure what I'm looking for though? Are you suggesting the question is off topic?
    – Benjamin Dale
    Nov 21 '18 at 23:56










  • No. It is for users to determine what is or is not on-topic here, and I have been trying to notify people to comment/answer/vote on what they want to see for this site.
    – Ron Maupin
    Nov 22 '18 at 4:00













answered Nov 20 '18 at 11:20









Benjamin Dale
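
An added example, not part of the original question or answer: a small Python audit over `show configuration | display set` output that checks the two points the answer raises, namely an undocumented link-local-only family inet6 unit and a missing inet6 input filter on the loopback. The sample configuration, interface names and filter names are constructed, and the check assumes lo0.0 in the default routing instance.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form; names are illustrative only.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 unit 10 family inet6
set interfaces ge-0/0/0 unit 20 description "inet6 kept on purpose, see change record"
set interfaces ge-0/0/0 unit 20 vlan-id 20
set interfaces ge-0/0/0 unit 20 family inet6
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
"""

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+) (.*)$")

def parse_units(config):
    """Collect per-unit facts from 'set interfaces <ifd> unit <n> ...' lines."""
    units = defaultdict(lambda: {"inet6": False, "v6_addr": False,
                                 "description": False, "v6_filter_in": None})
    for line in config.splitlines():
        m = UNIT_RE.match(line.strip())
        if not m:
            continue
        ifl, rest = f"{m.group(1)}.{m.group(2)}", m.group(3)
        u = units[ifl]
        if rest.startswith("description "):
            u["description"] = True
        elif rest == "family inet6" or rest.startswith("family inet6 "):
            u["inet6"] = True
            u["v6_addr"] |= rest.startswith("family inet6 address ")
            f = re.match(r"family inet6 filter input(?:-list)? (\S+)", rest)
            if f:
                u["v6_filter_in"] = f.group(1)
    return units

def audit(config):
    """Return (ifl, finding) tuples for the two points raised in the answer."""
    units = parse_units(config)
    findings = []
    for name in sorted(units):
        u = units[name]
        if name != "lo0.0" and u["inet6"] and not u["v6_addr"] and not u["description"]:
            findings.append((name, "link-local-only inet6 with no description"))
    # Any inet6-enabled IFL lets on-link hosts reach the routing engine over IPv6.
    any_v6 = any(u["inet6"] for n, u in units.items() if n != "lo0.0")
    if any_v6 and not units.get("lo0.0", {}).get("v6_filter_in"):
        findings.append(("lo0.0", "no family inet6 input filter protecting the RE"))
    return findings

if __name__ == "__main__":
    for ifl, finding in audit(SAMPLE_CONFIG):
        print(f"{ifl}: {finding}")
```
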
