Anybody can participate in the IETF (Was: Why is IPv6 broken?)

• Previous message (by thread): Anybody can participate in the IETF (Was: Why is IPv6 broken?)
• Next message (by thread): Anybody can participate in the IETF (Was: Why is IPv6 broken?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 11, 2011 at 5:12 PM, Owen DeLong <owen at delong.com> wrote:
> No... I like SLAAC and find it useful in a number of places. What's wrong
> with /64? Yes, we need better DOS protection in switches and routers

See my slides http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf for
why no vendor's implementation is effective "DOS protection" today and
how much complexity is involved in doing it correctly, which requires
not only knobs on routers, but also on layer-2 access switches, which
is not easy to implement.  It's a whole lot smarter to just configure
a smaller network when that is practical.  In fact, that advice should
be "the standard."

I really don't understand why we need SLAAC.  I believe it is a relic
of a mindset when a DHCP client might have been hard to implement
cost-effectively in a really light-weight client device (coffee pot?
wrist-watch?)  Or when running a DHCP server was some big undertaking
that couldn't be made not only obvious, but transparent, to SOHO users
buying any $99 CPE.

I do understand why SLAAC needs /64.  Okay, so configure /64 on those
networks where SLAAC is utilized.  Otherwise, do something else.
Pretty simple!  Again, please see my slides.

> to accommodate some of the realities of those decisions, but, that's not
> to say that SLAAC or /64s are bad. They're fine ideas with proper
> protections.

The proper protections are kinda hard to do if you have relatively
dumb layer-2 access switches.  It is a lot harder than RA Guard, and
we aren't ever likely to see that feature on a large base of installed
"legacy" switches, like Cisco 2950.  Replacing those will be
expensive.  We can't replace them yet anyway because similar switches
(price) today still do not have RA Guard, let alone any knobs to
defend against neighbor table churn, etc.  I'm not sure if they ever
will have the later.

> I'm not sure about the /80 reference as I haven't encountered that
> recommendation outside of some perverse ideas about point-to-point
> links.

This is because you didn't follow IPv6 progress until somewhat
recently, and you are not aware that the original suggestion for
prefix length was 80 bits, leaving just 48 bits for the host portion
of the address.  This was later revised.  It helps to know a bit of
the history that got us to where we are now.

It was originally hoped, by some, that we may not even need NDP
because the layer-2 adjacency would always be encoded in the end of
the layer-3 address.  Some people still think vendors may get us to
that point with configuration knobs.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts

• Previous message (by thread): Anybody can participate in the IETF (Was: Why is IPv6 broken?)
• Next message (by thread): Anybody can participate in the IETF (Was: Why is IPv6 broken?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]