Estonian IPv6 deployment report

Tarko Tikan tarko at
Sat Dec 27 16:27:08 UTC 2014


> How do you protect customers from each other?
> There are many nasty IPv6 attacks you can do when on a shared VLAN.

Split-horizon (switchport protected in Cisco world). Customers can't
send packets directly to each other; all communication has to go via
the BNG router. Obviously we protect L2 as well, such as limiting the
number of MACs per customer, making sure the BNG MAC cannot be learned
from customer ports, etc. We don't use any L3 (both v4 and v6)
inspection in ANs; everything happens in the BNG.

It's actually much better and more logical for v6 than it is for v4.
In the v4 world you have to implement proxy-arp; in the v6 world there
is no need for customers to send packets to each other's link-local WAN
addresses, and packets sent to PD addresses are by default routed via
the BNG.
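
The forwarding rules described in this reply, modelled as an added example that is not part of the original post or any vendor's code: a toy access node that applies split-horizon, a per-customer MAC limit and BNG MAC protection. The port names, the sample MACs, the limit of 2 and the rule that a MAC may not move between customer ports are assumptions.

```python
from dataclasses import dataclass, field

UPLINK = "uplink"               # assumed name for the port facing the BNG
BNG_MAC = "02:00:00:00:00:01"   # constructed sample MAC
MAX_MACS = 2                    # assumed per-customer limit; the post gives none

@dataclass
class AccessNode:
    customer_ports: list
    mac_table: dict = field(default_factory=dict)   # MAC -> port

    def _accept_source(self, port, src):
        """L2 protection: decide whether src may be learned on this port."""
        if port == UPLINK:
            self.mac_table[src] = UPLINK
            return True
        if src == BNG_MAC:
            return False                  # BNG MAC is never learned from a customer
        owner = self.mac_table.get(src)
        if owner is not None:
            return owner == port          # assumption: no MAC moves between ports
        if sum(1 for p in self.mac_table.values() if p == port) >= MAX_MACS:
            return False                  # per-customer MAC limit reached
        self.mac_table[src] = port
        return True

    def forward(self, port, src, dst):
        """Return the egress ports for one frame (an empty list means dropped)."""
        if not self._accept_source(port, src):
            return []
        if port != UPLINK:
            return [UPLINK]               # split-horizon: customers reach only the BNG
        owner = self.mac_table.get(dst)
        if owner == UPLINK:
            return []                     # destination sits behind the uplink itself
        if owner in self.customer_ports:
            return [owner]                # known unicast from the BNG
        return list(self.customer_ports)  # unknown unicast or multicast from the BNG
```

Whatever destination a customer frame carries (a neighbour's MAC, broadcast or IPv6 multicast), the only egress port is the uplink, so any policy decision is left to the BNG.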


