IPv6 delivery model to end customers

Mikael Abrahamsson swmike at swm.pp.se
Mon Feb 9 02:20:41 CST 2009


On Mon, 9 Feb 2009, Pekka Savola wrote:

> I may be missing something.  "only have ethernet and IP".  Why is 
> plain-ethernet with each subscriber provisioned in a separate router's 
> vlan subinterface insufficient?  There is no security issue because each 
> subscriber only sees its own traffic.

It's rare that this is the way it's done.

Most ETTH deployments I know use one of these deployment scenarios:

1. One vlan per customer (not so often) plus uRPF-like behaviour.
2. Shared broadcast domain with L2 devices doing one or several of:
   2.1 Forced forwarding towards router.
   2.2 ARP inspection
   2.3 DHCP server protection (stops customers from running DHCP server)
   2.4 Spoofing filters by means of DHCP snooping (both L2 and L3)
   2.5 STP root guard
   2.6 MAC rewrite
   2.7 Ethertype filtering

Plus more I can't think of right now.

It's scenario 2 I'm worried about, all those mechanisms haven't been 
implemented for IPv6 as far as I know and if you're only doing 2.2-2.5 
then you're open to the IPv6 security issue I described.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se
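As an added illustration (not part of the thread or any vendor's code), a small Python model of what items 2.3 and 2.4 in the list above amount to on an IPv4 access switch: a per-port binding table learned from DHCP snooping, and an ingress filter that drops DHCP server messages arriving on customer ports and frames whose source MAC or MAC/IP pair does not match a learned lease. Port names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67   # UDP source port of OFFER/ACK (server messages)
DHCP_CLIENT_PORT = 68   # UDP source port of DISCOVER/REQUEST (client messages)
UNASSIGNED_IP = "0.0.0.0"

@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str
    udp_sport: Optional[int] = None   # None for non-UDP traffic

class SnoopingSwitch:
    """Model of an L2 access switch doing DHCP server protection (2.3) and
    DHCP-snooping based source filtering at L2 and L3 (2.4). Constructed example."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink(s) towards the real DHCP server/router
        self.bindings = {}                  # customer port -> {(mac, ip)} learned from snooping

    def learn_from_dhcp_ack(self, client_port, client_mac, leased_ip):
        # A DHCP ACK seen on a trusted port creates a binding for the customer
        # port behind which the acknowledged client MAC sits.
        self.bindings.setdefault(client_port, set()).add((client_mac, leased_ip))

    def ingress_allowed(self, f: Frame) -> tuple[bool, str]:
        if f.in_port in self.trusted:
            return True, "trusted port"
        # 2.3: customers must not answer as DHCP servers
        if f.udp_sport == DHCP_SERVER_PORT:
            return False, "DHCP server message from customer port"
        # A client with no lease yet is allowed to ask for one
        if f.udp_sport == DHCP_CLIENT_PORT and f.src_ip == UNASSIGNED_IP:
            return True, "DHCP client message"
        bound = self.bindings.get(f.in_port, set())
        # 2.4 at L2: the source MAC must have been learned via snooping on this port
        if f.src_mac not in {mac for mac, _ in bound}:
            return False, "unknown source MAC on port"
        # 2.4 at L3: the (MAC, IP) pair must match the lease handed out on this port
        if (f.src_mac, f.src_ip) not in bound:
            return False, "source IP does not match lease"
        return True, "matches snooping binding"
```

The model makes the IPv4 dependency explicit: every filter decision keys off a lease the switch watched being granted, which is exactly the state an IPv6 deployment in the same shared broadcast domain lacks when these features are not implemented for it.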
