NIST IPv6 document

Mikael Abrahamsson swmike at swm.pp.se
Thu Jan 6 15:52:41 UTC 2011


On Thu, 6 Jan 2011, Jack Bates wrote:

> Not stateful firewalls. He's referring to neighbor learning based on 
> incoming traffic to the router from the trusted side. ie, I received a 
> packet from the server, so I will add his MAC to my neighbor table. 
> There are many methods for learning MAC addresses, though. DHCP/MAC 
> security with static ARP and other viable options have properly killed 
> this problem in v4 by routers not looking for unknown neighbors.

When people start to talk about "trusted side" etc, I immediately think 
firewalls and not plain routing. I don't trust anyone, neither my 
customers, nor Internet.

I guess it might make sense to have the host register address usage (in 
the SLAAC case) with the router, and the router having a mechanism to 
broadcast/multicast to everybody that "I lost my state mac/ip table, 
please re-register" so they can do it again.

> It's how it works, but not how it should work. In the last years, v4 has 
> seen some nice implementations that specifically are designed 
> (especially for eyeball networks who have vast pools of space) to keep 
> routers from sending unsolicited arp requests and maintaining only a 
> valid pool of mappings.

In the DHCP case this is easy, yes.

I perfer to have only LL on the link towards the customer operated CPE, 
thus I don't really need to keep lots of ND state per customer.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se




More information about the NANOG mailing list