IPv6 end user addressing

Jimmy Hess mysidia at gmail.com
Mon Aug 8 23:37:11 CDT 2011


On Mon, Aug 8, 2011 at 10:43 PM, Chris Adams <cmadams at hiwaay.net> wrote:
>> Even on a server lan you'll occasionally want to plug in a PC for
>> diagnostics without having to poke in an IP address by hand.
> Actually, nobody should be plugging any random device into my server
> LANs, and I certainly don't want to encourage it by having it work (even
> if just for IPv6).

If you must not have someone plugging into your server LAN without
permission, you turn unused ports off, or preferably, place them in a
VLAN island with no topological connection to anything.

Because it's going to be easier to turn the port back on than to give
someone a 128-bit IPv6 address, IPv6 netmask, IPv6 DNS servers, and IPv6
default gateway address set to manually key into their machine.


If someone can get to a live port, assuming it's not protected by
802.1X port security or similar, IPv6 will "just work" for fe80::
link-local connectivity, whether you deploy stateless auto-config or
not, which is enough connectivity to find and mess with servers in
the LAN.

And probably enough connectivity to say "that's too much connectivity",
if the LAN is indeed restricted.

Similar to how IPv4 has RFC 3927, except IPv6 link-local addresses
get assigned even to devices that have global IPv6 addresses,
so the link-local 'subnet' is active even on fully connected devices.




Regards,

--
-JH
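The point above is that every IPv6 host on the segment answers on fe80::/10 whether or not you hand out global addresses, so the IPv6 neighbor cache of any machine on a "restricted" server LAN is also a cheap inventory of who is actually plugged in. The following is an added example, not code from the original post or from NANOG: it parses `ip -6 neigh show dev eth0` output (the sample text below is constructed, not a real capture), groups entries by MAC, derives the modified-EUI-64 link-local address each MAC would self-assign (RFC 4291, Appendix A), and flags any MAC that is not in a hypothetical allowlist `KNOWN_MACS`. On a live box you would first send `ping6 -c1 ff02::1%eth0` so every neighbor populates the cache.

```python
import ipaddress
import re

# Constructed sample of `ip -6 neigh show dev eth0` output (not a real capture).
# The last line is an INCOMPLETE entry: no link-layer address, nobody answered.
SAMPLE_NEIGH = """\
fe80::1 lladdr 00:11:22:33:44:01 router REACHABLE
2001:db8:1::10 lladdr 00:11:22:33:44:10 REACHABLE
fe80::211:22ff:fe33:4410 lladdr 00:11:22:33:44:10 STALE
fe80::a8bb:ccff:fedd:eeff lladdr aa:bb:cc:dd:ee:ff REACHABLE
fe80::1234 INCOMPLETE
"""

# Hypothetical inventory of MACs that belong on this server LAN (assumption).
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:10"}

# One neighbor-cache line: <addr> lladdr <mac> [router] <STATE>
NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)$"
)


def eui64_link_local(mac):
    """Link-local address a host derives from its MAC with modified EUI-64:
    flip the universal/local bit of the first octet, insert ff:fe in the
    middle, and prefix with fe80::/64."""
    octets = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def parse_neigh(text):
    """Yield (IPv6Address, mac, state) for entries that carry a link-layer
    address. INCOMPLETE/FAILED entries have none and are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield ipaddress.IPv6Address(m["addr"]), m["mac"].lower(), m["state"]


def audit(text, known_macs):
    """Group neighbors by MAC and flag MACs that are not in the allowlist.

    by_mac[mac] = {"link_local": [...], "global": [...], "eui64": "fe80::..."}
    where "global" here simply means "not in fe80::/10". A MAC that shows up
    only under link_local is a device that got on the wire without ever
    receiving a routable address, which is exactly the case the post describes.
    """
    by_mac = {}
    for addr, mac, _state in parse_neigh(text):
        entry = by_mac.setdefault(
            mac, {"link_local": [], "global": [], "eui64": eui64_link_local(mac)}
        )
        kind = "link_local" if addr.is_link_local else "global"
        entry[kind].append(str(addr))
    unknown = sorted(mac for mac in by_mac if mac not in known_macs)
    return {"unknown": unknown, "by_mac": by_mac}


def report(text, known_macs):
    """Human-readable lines for the audit result."""
    result = audit(text, known_macs)
    lines = []
    for mac, entry in sorted(result["by_mac"].items()):
        tag = "UNKNOWN" if mac in result["unknown"] else "known"
        lines.append(
            f"{mac} [{tag}] link-local={entry['link_local']} "
            f"global={entry['global']} expected-eui64={entry['eui64']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NEIGH, KNOWN_MACS):
        print(line)
```

In the constructed sample the unauthorised device aa:bb:cc:dd:ee:ff never obtained a global address, yet it is fully reachable on fe80::a8bb:ccff:fedd:eeff, which is the EUI-64 address its MAC predicts. A neighbor whose fe80:: address does not match the predicted EUI-64 is not necessarily hostile (privacy or stable-privacy interface IDs, or a manually set address), so treat the EUI-64 column as context rather than as a verdict; the allowlist check is the one that should page someone.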
