IPv6 delivery model to end customers

TJ trejrco at gmail.com
Mon Feb 9 18:58:43 UTC 2009

>A big one is a solution to address the security concerns with IPv6 RA
>(Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the
>of using DHCP snooping to suppress unauthorized DHCP servers from handing
>out address information. With IPv6, any host can announce itself as a
>(using RA) and make network traffic suddenly start making use of it as the
>router for a network. This makes it possible for hosts to inadvertently
>disrupt network service (Vista) or even be used maliciously to perform a
>man-in-the-middle attack to intercept your traffic. Similarly with DHCPv6
>there is nothing stopping a host from trying to hand out stateful IPv6
>address configuration.
>Even worse is that since modern hosts give traffic priority to IPv6, it
>becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router
>on IPv4-only networks. So there are security concerns even for networks
>do not run IPv6 here.
>I think it goes without saying that this needs to be addressed before
>IPv6 can be deployed on most campus networks where users manage their own
>So Cisco (and other vendors) needs to introduce two things for LAN
>switching. DHCPv6 snooping, and more importantly, RA suppression (or RA

Indeed, this is a problem.
RA Guard is a very straight-forward, hopefully soon-to-be-widely-supported,

A "pure layer 3" solution is, of course, SEND/CGA ... where deployment
concerns/problems abound ...
	http://tools.ietf.org/html/rfc3971 &

And as I may have said once or thrice already, YES - I agree these solutions
should have been developed / made deployable long before now.

>As far as IPv6 deployment to residential customers...  I say most things
>these days are moving to Metro Ethernet.  Give ea. customer a VLAN, that
>will save you a lot of headache and ultimately provide a better experience
>for the customer.

Amen to that ...
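
A monitor-side check for the rogue RA problem discussed above, as an added example that is not part of the original message: it parses raw IPv6 packets, picks out Router Advertisements, and flags any whose source is not on an allowlist of known routers. The function names, the AUTHORIZED allowlist and the sample packets are all constructed for illustration; this is a passive detector, not the switch-port filtering that RA Guard performs.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type

def parse_ra(packet: bytes):
    """Parse a raw IPv6 packet; return RA details, or None if it is not an RA."""
    if len(packet) < 56 or packet[0] >> 4 != 6 or packet[6] != 58:
        return None  # too short, not IPv6, or next header is not ICMPv6
    hop_limit = packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:]
    if icmp[0] != ND_ROUTER_ADVERT:
        return None
    lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, off = [], 16          # options start after the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break  # malformed option: stop rather than loop forever
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen = icmp[off + 2]
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(f"{prefix}/{plen}")
        off += opt_len
    return {"src": src, "hop_limit": hop_limit, "lifetime": lifetime, "prefixes": prefixes}

def check_ra(packet: bytes, authorized: set):
    """Return a list of findings for one packet; an empty list means nothing to report."""
    ra = parse_ra(packet)
    if ra is None:
        return []
    findings = []
    if ra["hop_limit"] != 255 or not ra["src"].is_link_local:
        findings.append("invalid RA: RFC 4861 requires hop limit 255 and a link-local source")
    if ra["src"] not in authorized:
        findings.append(f"rogue RA from {ra['src']} lifetime={ra['lifetime']}s prefixes={ra['prefixes']}")
    return findings

def build_ra(src: str, prefix: str, plen: int, lifetime: int = 1800, hop_limit: int = 255) -> bytes:
    """Construct a sample RA packet (checksum left at zero; test data only)."""
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 86400, 14400, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0) + opt
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp

AUTHORIZED = {ipaddress.IPv6Address("fe80::1")}  # constructed allowlist of known routers
```

On an IPv4-only network the allowlist is empty, so every RA seen is reported.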

More information about the NANOG mailing list