Re: IPv6 Deployment for the LAN

Bernhard Schmidt berni at birkenwald.de
Fri Nov 6 19:09:04 CST 2009


David W. Hankins <David_Hankins at isc.org> wrote:

> There is some wireless equipment that claims to have a setting that
> forces all packets through the wireless bridge (where all traffic is
> between clients and bridge, and never client to client), and so one
> can filter DHCPv6 and maybe RA, but I am kind of skeptical about how
> much of this is elective and dependent upon client implementation...

As already said, wireless in infrastructure mode (with access points)
always sends traffic between clients through the access point, so a
decent AP can filter this.

On the university network we frequently had the problem of rogue RAs (in
99% of the cases generated by Windows hosts running 6to4 and ICS). We
are currently migrating from an unencrypted wireless with mandatory VPN
towards full IPv4/IPv6 eduroam (WPA2 Enterprise) with about 500
concurrent hosts, spread around four large subnets. Fortunately our
access point vendor (Colubris, which very sadly is HP Procurve now)
supports pcap-style filters on the wireless side. We've deployed the
ingress filter

ether proto 0x888e or (ip6 and not (ip6[6] == 58 and ip6[40] == 134)) or
(ip and not (udp port 137 or udp port 138 or udp port 139 or udp src
port 67)) or arp

six months ago and have never had any problems again.

Bernhard
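
Added example, not part of the original message and not the AP vendor's code: a simplified Python model of the ingress filter quoted above, run over constructed frames to show which traffic each clause lets through. It assumes the AP forwards frames that match the expression and drops the rest; the helper names and sample frames are hypothetical.

```python
import struct

NETBIOS_PORTS = {137, 138, 139}  # UDP ports excluded by the IPv4 clause

def permits(frame: bytes) -> bool:
    """Simplified model: True if the posted expression matches the frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype in (0x888E, 0x0806):   # ether proto 0x888e (EAPOL) or arp
        return True
    if ethertype == 0x86DD:             # ip6 and not (RA)
        # ip6[6] = Next Header (58 = ICMPv6); ip6[40] = first byte after the
        # fixed 40-byte header, i.e. the ICMPv6 type (134 = Router Advertisement)
        return not (len(l3) > 40 and l3[6] == 58 and l3[40] == 134)
    if ethertype == 0x0800:             # ip and not (listed UDP ports)
        ihl = (l3[0] & 0x0F) * 4
        later_fragment = struct.unpack("!H", l3[6:8])[0] & 0x1FFF
        if l3[9] != 17 or later_fragment:   # not UDP, or no UDP header present
            return True
        sport, dport = struct.unpack("!HH", l3[ihl:ihl + 4])
        return not ({sport, dport} & NETBIOS_PORTS or sport == 67)
    return False                        # no clause matches: frame is dropped

def eth(ethertype: int, payload: bytes) -> bytes:
    return bytes(6) + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload

def ipv6_icmp(icmp_type: int) -> bytes:
    fixed = struct.pack("!IHBB", 0x60000000, 8, 58, 255) + bytes(32)
    return eth(0x86DD, fixed + bytes([icmp_type]) + bytes(7))

def ipv4_udp(sport: int, dport: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 17, 0) + bytes(8)
    return eth(0x0800, hdr + struct.pack("!HHHH", sport, dport, 8, 0))

# Constructed sample frames (addresses zeroed, checksums not computed)
SAMPLES = {
    "EAPOL": eth(0x888E, b"\x01\x01\x00\x00"),
    "ARP": eth(0x0806, bytes(28)),
    "IPv6 RA (type 134)": ipv6_icmp(134),
    "IPv6 NS (type 135)": ipv6_icmp(135),
    "DHCPv4 client request": ipv4_udp(68, 67),
    "DHCPv4 server reply": ipv4_udp(67, 68),
    "NetBIOS name service": ipv4_udp(137, 137),
    "DNS query": ipv4_udp(40000, 53),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("permit" if permits(frame) else "drop  ", name)
```

Truncated packets are not modelled here, so a real BPF engine may differ from this sketch on frames shorter than the offsets it reads.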




