nanog at daork.net
Wed Feb 18 22:39:24 UTC 2009
On 19/02/2009, at 11:20 AM, Adrian Chadd wrote:
> On Thu, Feb 19, 2009, Nathan Ward wrote:
>> So, those people don't use DHCP in IPv4 if this is a concern, so I'm
>> guessing they are not hoping to use DHCPv6 either.
>> Static configuration of IP addressing information and other
>> configuration will work just fine for them.
>> I wonder, do they use ARP?
> In the corporate world, you get wonderful L2/L3 features in switches,
> such as:
> * helper address stuff, to run centralised DHCP servers
> * dhcp sniffing/filtering
> * per port L2/L3 filters
> * dynamic arp inspection
> which are used on corporate LANs to both build out scalable address
> management platforms (ie, no need to run a DHCP server on each subnet,
> nor one DHCP server with separate vlan if's to provide service),
> access and mitigate security risks.
> I don't know what the IPv6 LAN "snooping" functionality is across
> vendors but the last time I checked this out (say, 2-3 years ago)
> it was pretty lacking.
Yep. You asked your vendors to support equivalent IPv6 things at the
time though, so when you roll out IPv6 the support is ready, right?
The point is that these deficiencies exist in IPv4, and I'm not sure
how you would solve them in IPv6 (assuming you can make all the
changes you want, and get instant industry-wide support) any better
than you solve them in IPv4.
My view is that this is an ethernet switch thing, not a problem with
the L3 protocols.
Are there IETF documents on the above L2/L3 features for dealing with
these problems in IPv4? I have not seen any. There probably should be
>> The things you are talking about are about protecting against
>> misconfiguration, not about protecting against malicious people.
> See above.
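[Added example, not code from this thread, from Adrian or Nathan, or from any vendor's switch software. It models how the two features listed above interact: DHCP server replies are accepted only on trusted ports (the "dhcp sniffing/filtering" item), and the (port, MAC, address) bindings learned from those replies are what dynamic ARP inspection checks ARP replies on untrusted ports against. It goes one step beyond the thread's IPv4 list by running the identical binding check on IPv6 neighbour advertisements, i.e. the ND-inspection analogue the thread says was lacking. Port names, MACs and addresses are constructed; the client's port is passed in explicitly rather than looked up in the switch MAC table, which is a simplification.]

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed toy model of DHCP snooping + dynamic ARP inspection (DAI),
# with the same binding check reused for IPv6 neighbour advertisements.
# Not vendor code; port names and addresses below are made up.


@dataclass(frozen=True)
class Binding:
    """One snooping-table entry: which MAC may use which address,
    and on which switch port that lease was learned."""
    mac: str
    ip: str
    port: str


@dataclass
class SnoopingSwitch:
    # Ports facing the DHCP server / uplink.  Everything else is untrusted.
    trusted_ports: Set[str]
    # Binding table keyed by normalised address (IPv4 or IPv6), populated
    # only from DHCP server replies seen on trusted ports.
    bindings: Dict[str, Binding] = field(default_factory=dict)
    # Audit log of dropped frames, what an operator would see in syslog.
    drops: List[str] = field(default_factory=list)

    def _drop(self, port: str, what: str, reason: str) -> Tuple[bool, str]:
        self.drops.append(f"{port}: dropped {what}: {reason}")
        return False, reason

    def dhcp_server_reply(self, ingress_port: str, client_port: str,
                          client_mac: str, assigned_ip: str) -> Tuple[bool, str]:
        """A DHCP OFFER/ACK (or DHCPv6 REPLY) arriving on `ingress_port`.

        Server messages are only accepted from trusted ports; that is the
        rogue-server filter.  An accepted reply records a binding for the
        client's port (simplification: the client port is passed in, a real
        switch would look it up in its MAC table)."""
        if ingress_port not in self.trusted_ports:
            return self._drop(ingress_port, "DHCP server reply",
                              "server message on untrusted port")
        ip = str(ip_address(assigned_ip))  # normalise, e.g. 2001:0db8::0010 -> 2001:db8::10
        self.bindings[ip] = Binding(client_mac.lower(), ip, client_port)
        return True, "binding learned"

    def _check_binding(self, ingress_port: str, mac: str, ip: str,
                       what: str) -> Tuple[bool, str]:
        """Shared validation for ARP replies and IPv6 NAs: on an untrusted
        port the (MAC, address) pair must match the binding learned for
        that same port.  Trusted ports are not inspected."""
        if ingress_port in self.trusted_ports:
            return True, "trusted port"
        ip = str(ip_address(ip))
        b = self.bindings.get(ip)
        if b is None:
            return self._drop(ingress_port, what, f"no binding for {ip}")
        if b.mac != mac.lower():
            return self._drop(ingress_port, what,
                              f"{ip} is bound to {b.mac}, not {mac}")
        if b.port != ingress_port:
            return self._drop(ingress_port, what,
                              f"{ip} is bound to port {b.port}")
        return True, "matches binding"

    def inspect_arp(self, ingress_port: str, sender_mac: str,
                    sender_ip: str) -> Tuple[bool, str]:
        """Dynamic ARP inspection of an ARP reply's sender fields."""
        return self._check_binding(ingress_port, sender_mac, sender_ip, "ARP reply")

    def inspect_nd_advert(self, ingress_port: str, target_ll_addr: str,
                          target_ip: str) -> Tuple[bool, str]:
        """Same check applied to an IPv6 neighbour advertisement's
        target address and target link-layer address option."""
        return self._check_binding(ingress_port, target_ll_addr, target_ip, "IPv6 NA")


def demo() -> SnoopingSwitch:
    """Walk through the lease/inspect cycle and return the switch state."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    # The real DHCP server sits behind uplink Gi0/1 and leases 192.0.2.10
    # to the host on access port Gi0/5.
    sw.dhcp_server_reply("Gi0/1", "Gi0/5", "00:11:22:33:44:55", "192.0.2.10")
    # A server reply seen on an access port is a rogue server: dropped.
    sw.dhcp_server_reply("Gi0/7", "Gi0/7", "aa:bb:cc:dd:ee:ff", "192.0.2.99")
    # The leased host's own ARP reply passes; anyone else claiming that
    # address, or the right MAC on the wrong port, is dropped.
    sw.inspect_arp("Gi0/5", "00:11:22:33:44:55", "192.0.2.10")
    sw.inspect_arp("Gi0/7", "aa:bb:cc:dd:ee:ff", "192.0.2.10")
    for line in sw.drops:
        print(line)
    return sw


if __name__ == "__main__":
    demo()
```

The point the model makes is the one Nathan raises: the check lives in the Ethernet switch and cares only about (port, MAC, address) tuples, so nothing about it is IPv4-specific; the IPv6 version needs the switch to parse DHCPv6 and ND instead of DHCPv4 and ARP, and nothing else changes.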