IPv6 Security [Was: Re: misunderstanding scale]
owen at delong.com
Thu Mar 27 06:14:55 UTC 2014
On Mar 26, 2014, at 4:25 PM, Luke S. Crawford <lsc at prgmr.com> wrote:
> On 03/26/2014 03:49 PM, Matt Palmer wrote:
>> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
>>> There are many ways to skin this cat; stateless autoconfig looks
>>> like it mostly works, but privacy extensions seem to be the default
>>> in many places; outgoing IPv6 from those random addresses will trip
>>> my BCP38 filters.
>> Your what-now? You do realise SLAAC works entirely within a single /64,
>> which shouldn't be difficult to decide is either routable or not in one hit,
> If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way. But it's quite a bit more complex than my current setup.
> The way I'm setup now, I've got an IPv4 address block on a vlan, and an IPv6/64 on the same vlan. I have many customers on that vlan. Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. (if the customer wants more IPv6, we just route a /64 to the /128 they are allowed.) There are firewall rules that only allow appropriate packets in and out of the interface. These rules are important for privacy as well as preventing spoofing; they prevent sniffing of most traffic bound for other guests.
Why not just use private VLAN layer 2 controls for the privacy you describe?
Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.
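The per-customer egress filtering Luke describes (one IPv4 /32 and one IPv6 /128 per guest on a shared VLAN, with an optional routed /64) can be modelled as a source-address check. The following is an added example, not code from either poster; the customer names, addresses and packets are constructed (documentation ranges 192.0.2.0/24 and 2001:db8::/32), and it shows why a SLAAC privacy-extension address, which lands somewhere in the shared /64 but not in the assigned /128, is dropped by such a filter.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Customer:
    """Addresses a guest is permitted to source on the shared VLAN (constructed)."""
    name: str
    assigned: list            # e.g. one IPv4 /32 and one IPv6 /128
    routed: list = field(default_factory=list)  # e.g. a /64 routed to that /128

    def allowed_networks(self):
        return [ipaddress.ip_network(p) for p in self.assigned + self.routed]


def source_allowed(customer, src):
    """True if src falls inside any prefix assigned or routed to this customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in customer.allowed_networks())


def filter_outbound(customer, packets):
    """Split packets leaving the customer's interface into accepted and dropped.

    Anything whose source is outside the customer's prefixes is treated as
    spoofed (BCP38 style) and dropped; that includes random SLAAC privacy
    addresses in the shared /64 that were never assigned to this guest.
    """
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_allowed(customer, pkt["src"]) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample customer: one /32, one /128, plus a routed /64.
CUSTOMER_A = Customer(
    name="guest-a",
    assigned=["192.0.2.10/32", "2001:db8:0:1::10/128"],
    routed=["2001:db8:1::/64"],
)

# Constructed outbound packets seen on guest-a's interface.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.1"},            # assigned /32
    {"src": "192.0.2.11", "dst": "198.51.100.1"},            # another guest's address
    {"src": "2001:db8:0:1::10", "dst": "2001:db8:ffff::1"},   # assigned /128
    {"src": "2001:db8:0:1:1a2b:3c4d:5e6f:7a8b",               # SLAAC privacy address
     "dst": "2001:db8:ffff::1"},                             # in shared /64, unassigned
    {"src": "2001:db8:1::dead:beef", "dst": "2001:db8:ffff::1"},  # inside routed /64
]


def run_sample():
    """Apply the filter to the constructed packets and return the split."""
    return filter_outbound(CUSTOMER_A, SAMPLE_PACKETS)


if __name__ == "__main__":
    accepted, dropped = run_sample()
    for pkt in accepted:
        print("ACCEPT", pkt["src"])
    for pkt in dropped:
        print("DROP  ", pkt["src"])
```

The same check, expressed as interface-scoped firewall rules, is what makes Luke's design depend on knowing each guest's exact addresses; a per-customer VLAN with its own /64 (as Matt suggests) lets the filter match a whole prefix instead.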