Using IPv6 with prefixes shorter than a /64 on a LAN

Fernando Gont fernando at gont.com.ar
Thu Jan 27 03:08:56 UTC 2011


On 26/01/2011 11:36 p.m., Douglas Otis wrote:

>>> Discovery implemented at layer 2 fully mitigate these issues?  I too
>>> would be interested in hearing from Radia and Fred.
>> It need not. Also, think about actual deployment of SEND: for instance,
>> last time I checked Windows Vista didn't support it.
> First, it should be noted ND over ARP offers ~16M to 2 reduction in
> traffic.  

Does this really make a difference in a typical LAN?


> Secondly, services offered within a facility can implement
> Secure Neighbor Discovery, since a local network's data link layer, by
> definition, is isolated from the rest of the Internet. 

How many implementations are there of SEND? e.g., Is there SEND support
for Windows?


> While ICMPv6
> supports ND and SeND using standard IPv6 headers, only stateful ICMPv6
> Packets Too Big messages should be permitted.  

Not sure what you mean.



> Nor is Vista, ISATAP, or
> Teredo wise choices for offering Internet services.  At least there are
> Java implementations of Secure Neighbor Discovery.

C'mon. That's great for "proof of concept". But would you run a real
network with that? Would you deploy e.g., 200+ Windows boxes with
Java-based SEND support? What about all the PKI burden?



> When one considers what is needed to defend a facility's resources,
> Secure Neighbor Discovery seems desirable since it offers hardware
> supported defenses from a wide range of threats.  

Without DNSsec fully deployed, is it worth the effort?


> While it is easy to
> understand a desire to keep specific IP addresses organized into small
> segments, such an approach seems at greater risk and more fragile in the
> face of frequent renumbering.  In other words, it seems best to use IPv6
> secure automation whenever possible.

??



> The make before break feature of IPv6 should also remove most
> impediments related to renumbering.  

One of the most important impediments on renumbering is the IP addresses
hardcoded in configuration files, ACLs, etc. And IPv6 does nothing (and
cannot do anything) to help with that.

Thanks,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
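As an added illustration of the renumbering point made above (this is not code from the thread or from either poster): the script below audits configuration text for IPv6 literals that sit inside an old site prefix, then rewrites them under the new prefix while keeping the subnet and interface-identifier bits. The sample ACL/config lines, the prefixes and the hosts are constructed; it assumes the old and new prefixes have the same length.

```python
import ipaddress
import re

# Constructed sample (not from the thread): ACL lines and a daemon config
# carrying addresses from the old /48 (documentation prefix, made-up hosts).
SAMPLE_CONFIG = """\
permit ipv6 2001:db8:1:10::25/128 any eq 25
permit ipv6 2001:db8:1:20::/64 any eq 443
listen_address = 2001:db8:1:10::53
upstream_dns = 2001:4860:4860::8888
allow fe80::1
"""

OLD_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:9::/48")

# Loose IPv6 literal matcher; every candidate is validated by ipaddress.
ADDR_RE = re.compile(r"(?<![\w:])[0-9A-Fa-f:]+(?:/\d{1,3})?(?![\w:])")

def _in_prefix(token, prefix):
    """Return token parsed as an IPv6 address/network if it lies inside prefix, else None."""
    if ":" not in token:
        return None
    try:
        obj = (ipaddress.ip_network(token, strict=False) if "/" in token
               else ipaddress.ip_address(token))
    except ValueError:
        return None
    if obj.version != 6:
        return None
    inside = obj.subnet_of(prefix) if "/" in token else obj in prefix
    return obj if inside else None

def find_hardcoded(text, old_prefix):
    """List (line_no, literal) for every literal that would break on renumbering."""
    return [(n, m.group(0)) for n, line in enumerate(text.splitlines(), 1)
            for m in ADDR_RE.finditer(line) if _in_prefix(m.group(0), old_prefix)]

def renumber(text, old_prefix, new_prefix):
    """Rewrite literals inside old_prefix under new_prefix; everything else is untouched."""
    assert old_prefix.prefixlen == new_prefix.prefixlen
    delta = int(new_prefix.network_address) - int(old_prefix.network_address)
    def swap(m):
        obj = _in_prefix(m.group(0), old_prefix)
        if obj is None:
            return m.group(0)
        if isinstance(obj, ipaddress.IPv6Network):
            return f"{ipaddress.IPv6Address(int(obj.network_address) + delta)}/{obj.prefixlen}"
        return str(ipaddress.IPv6Address(int(obj) + delta))
    return ADDR_RE.sub(swap, text)
```

Running find_hardcoded over real ACLs and daemon configs is the inventory step that no IPv6 mechanism performs for you; the rewrite is only safe once that inventory is complete.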







