Estonian IPv6 deployment report
Tarko Tikan
tarko at lanparty.ee
Sat Dec 27 16:27:08 UTC 2014
hey,

> How do you protect customers from each other?
>
> There are many nasty IPv6 attacks you can do when on a shared VLAN.

Split-horizon (switchport protected in Cisco world). Customers can't
send packets directly to each other, all communication has to go via the BNG
router. Obviously we protect L2 as well, like limiting the number of MACs per
customer, making sure the BNG MAC cannot be learned from customer ports, etc.

We don't use any L3 (both v4 and v6) inspection in ANs, everything
happens in BNG.

It's actually much better and more logical for v6 than it is for v4. In the v4
world you have to implement proxy-arp, in the v6 world there is no need for
customers to send packets to each other's link-local WAN addresses and
packets sent to PD addresses are by default routed via BNG.

--
tarko
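
An audit of two of the access-node protections described in the message above, added here as an example and not part of the original post: it scans an IOS-style configuration for customer ports that lack switchport protected or a port-security MAC limit. The sample config is constructed, and the CUST- description prefix and the limit of 4 MACs are assumptions.

```python
import re

# Constructed sample config; the "CUST-" description prefix is an assumption.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description UPLINK-BNG
interface GigabitEthernet0/2
 description CUST-1001
 switchport protected
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet0/3
 description CUST-1002
 switchport port-security
 switchport port-security maximum 64
interface GigabitEthernet0/4
 description CUST-1003
 switchport protected
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_customer_ports(config, max_macs=4, prefix="CUST-"):
    """Return {port: [findings]} for customer ports lacking L2 protections."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("description " + prefix) for c in cmds):
            continue  # uplinks toward the BNG are out of scope
        issues = []
        if "switchport protected" not in cmds:
            issues.append("not protected: can reach other customer ports")
        m = re.search(r"port-security maximum (\d+)", " ".join(cmds))
        if "switchport port-security" not in cmds:
            issues.append("no MAC limit")
        elif (int(m.group(1)) if m else 1) > max_macs:  # IOS default is 1
            issues.append(f"MAC limit exceeds {max_macs}")
        if issues:
            report[name] = issues
    return report
```
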