IPv6 Deployment for the LAN

Karl Auer kauer at biplane.com.au
Sun Oct 18 03:51:00 UTC 2009


On Sat, 2009-10-17 at 20:55 -0400, Ray Soucy wrote:
> making use of SLAAC.  The concern here is that older hosts with less
> than OK implementations will still enable IPv6 without regard for the
> stability and security concerns associated with IPv6.

Some hosts - very dumb ones or very old ones, probably
embedded stacks - may do SLAAC even with a prefix other than 64 bits!
Once a stack is broken, anything is possible, so I'm not sure you win
much here.

Better to find and cure/replace/isolate broken hosts than break your
entire network just to accommodate them. If you start doing the "wrong
thing" to accommodate broken hosts, you will never find peace. Zig to
avoid one dud; you'll have to zag to avoid the next and before you know
it your life is nothing but dodging. Take the high ground instead.

Do the advertisements "right", advise sysadmins that hosts should not do
SLAAC, and (if you are really concerned about broken hosts) collect MAC
address information from your switches and do an automated test of
reachability on all SLAAC addresses. You can generate the addresses
yourself easily enough from the prefix and the MAC. None should be
reachable, and any that are - well, you now know where they are and can
take appropriate action.

And then block all SLAAC addresses at your routers or firewalls, that'll
larn 'em :-)

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
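
The audit described in the message above (derive each host's SLAAC address from the prefix and its MAC, then test reachability), as an added example that is not part of the original post. The prefix and MACs are constructed, the function names are hypothetical, and the default probe assumes the Linux iputils ping.

```python
import ipaddress
import subprocess

def slaac_address(prefix, mac):
    """Return the modified EUI-64 SLAAC address for mac inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    # Accept 00:1b:.., 00-1b-.. and Cisco-style 001b.213c.. as exported by switches.
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]

def ping6(addr):
    """Send one ICMPv6 echo request (assumption: Linux iputils ping flags)."""
    cmd = ["ping", "-6", "-c", "1", "-W", "1", str(addr)]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0

def find_slaac_hosts(prefix, macs, probe=ping6):
    """Return (mac, address) for every MAC whose SLAAC address answers."""
    # Only MAC-derived addresses are covered; hosts that pick random
    # interface identifiers will not show up here.
    hits = []
    for mac in macs:
        addr = slaac_address(prefix, mac)
        if probe(addr):
            hits.append((mac, addr))
    return hits

if __name__ == "__main__":
    # Constructed sample input: documentation prefix and made-up MACs.
    PREFIX = "2001:db8:0:1::/64"
    MACS = ["00:1b:21:3c:4d:5e", "0200.5e10.0001"]
    for mac, addr in find_slaac_hosts(PREFIX, MACS):
        print("SLAAC address in use:", mac, addr)
```
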
