v6 subnet size for DSL & leased line customers

Leo Bicknell bicknell at ufp.org
Wed Dec 26 21:40:02 UTC 2007

In a message written on Wed, Dec 26, 2007 at 09:19:54PM +0100, Iljitsch van Beijnum wrote:
> Many switches can enforce a MAC/port relationship, so that MAC  
> addresses can't be spoofed.

Which gets to the crux of my question.

If you're a shop that uses such features today (MAC/Port tracking,
DHCP snooping, etc) to "secure" your IPv4 infrastructure does IPv6
RA's represent a step backwards from a security perspective?  Would
IPv6 deployment be hindered until there is DHCPv6 snooping and
DHCPv6 is able to provide a default gateway, a-la how it is done
today in IPv4?

It would be very interesting to me if the answer was "it's moot
because we're going to move to CGA's as a step forward"; it would
be equally interesting if the answer is "CGA isn't ready for prime
time / we can't deploy it for xyz reason, so IPv6 is less secure
than IPv4 today and that's a problem."

       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20071226/298bc77f/attachment.sig>

More information about the NANOG mailing list