IPv6 Security [Was: Re: misunderstanding scale]

Owen DeLong owen at delong.com
Thu Mar 27 06:14:55 UTC 2014


On Mar 26, 2014, at 4:25 PM, Luke S. Crawford <lsc at prgmr.com> wrote:

> On 03/26/2014 03:49 PM, Matt Palmer wrote:
>> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
>>> There are many ways to skin this cat; stateless autoconfig looks
>>> like it mostly works, but privacy extensions seem to be the default
>>> in many places; outgoing IPv6 from those random addresses will trip
>>> my BCP38 filters.
>> 
>> Your what-now?  You do realise SLAAC works entirely within a single /64,
>> which shouldn't be difficult to decide is either routable or not in one hit,
>> right?
> 
> If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way.   But it's quite a bit more complex than my current setup.
> 
> The way I'm setup now, I've got an IPv4  address block on a vlan, and an IPv6/64 on the same vlan.   I have many customers on that vlan.   Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. (if the customer wants more IPv6, we just route a /64 to the /128 they are allowed.)  There are firewall rules that only allow appropriate packets in and out of the interface.    These rules are important for privacy as well as preventing spoofing;  they prevent sniffing of most traffic bound for other guests.

Why not just use private VLAN layer 2 controls for the privacy you describe?

Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.

Owen




More information about the NANOG mailing list