
Allow smaller subnets than /64 for security.ipv6_normalized_subnet_size #57650

@erbth


Is your feature request related to a problem? Please describe.

If one operates a network for client devices with a single /64 IPv6 prefix and SLAAC, a single client using wrong passwords can impact all clients of the network. This cannot be mitigated at the moment, because security.ipv6_normalized_subnet_size will clamp values larger than 64 to 64.

Consider e.g. a Wi-Fi network with a /64 IPv6 range and SLAAC. If one smartphone in that network has an outdated password stored in a calendar client, the entire /64 might be blocked, leading to delayed requests (due to throttling) for all other clients in that Wi-Fi network (and therefore bad user experience...).

Describe the solution you'd like

Allow values up to 128 for security.ipv6_normalized_subnet_size.

Describe alternatives you've considered

AFAICS the only viable solution might be turning off bruteforce protection - but it is a nice feature, therefore I would like to keep it enabled.


Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), enhancement

Status: Triaged

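The shared-bucket effect this issue describes, as an added example that is not part of the original post and is not Nextcloud's code: a minimal model of keying failed logins by normalized IPv6 subnet, with the clamp at 64 compared to the requested limit of 128. The function names, the `max_size` parameter, the failure threshold and all addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

def normalize(addr, subnet_size, max_size=64):
    """Throttling key for addr. subnet_size stands in for
    security.ipv6_normalized_subnet_size; max_size models the clamp the
    issue describes (64 today, 128 as requested)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)  # assumption: IPv4 is keyed by full address in this model
    prefix = min(subnet_size, max_size)
    # strict=False zeroes the host bits, so every address in the prefix
    # collapses to the same key.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def throttled_clients(failed_logins, clients, subnet_size, max_size, threshold=3):
    """Clients whose key has reached the (constructed) failure threshold."""
    failures = Counter(normalize(a, subnet_size, max_size) for a in failed_logins)
    return sorted(c for c in clients
                  if failures[normalize(c, subnet_size, max_size)] >= threshold)

# Constructed sample: two SLAAC clients in one /64 and one client elsewhere.
PHONE = "2001:db8:1:2:aaaa:bbbb:cccc:1"     # stale password, keeps failing
LAPTOP = "2001:db8:1:2:1111:2222:3333:4444"  # same /64, no failures of its own
OTHER_SITE = "2001:db8:9:9::5"               # different /64
CLIENTS = [PHONE, LAPTOP, OTHER_SITE]
FAILED = [PHONE] * 5                         # five failed logins from the phone

if __name__ == "__main__":
    # The admin configures 128 in both runs; only the clamp differs.
    for max_size in (64, 128):
        print(f"clamp at {max_size}:", throttled_clients(FAILED, CLIENTS, 128, max_size))
```

With per-address keys, failures arriving from different addresses inside one /64 are counted separately, which is the trade-off an operator accepts by raising the value.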