IPv6 Security [Was: Re: misunderstanding scale]

Luke S. Crawford lsc at prgmr.com
Thu Mar 27 17:19:13 UTC 2014

On 03/26/2014 11:14 PM, Owen DeLong wrote:
> Why not just use private VLAN layer 2 controls for the privacy you describe?

The technology I know of is what Cisco calls 'protected ports'. My 
understanding is that those simply mean you can't pass traffic to or 
from other 'protected ports'. I use that capability when, say, 
putting a bunch of IPMIs on a private network; it works great, as if one 
of the IPMI ports is trying to talk to another, something is very wrong 
and it gets blocked.

They are commonly used in the dedicated server hosting world to do what 
you are describing, but they have a big downside when being used on the 
public side: customer 1 can't talk to customer 2. Now, this isn't 
usually a big deal, except in one very common case: what if one entity 
buys two hosts? Now those two hosts can't talk to one another.

This is a very common problem for dedicated hosting providers (and why I 
give my dedicated hosts a vlan and a routed subnet, wasting IPv4.)

For my virtuals, though, I have a much more clever "switch", as it's 
just some software running in the Dom0, so at least in the IPv4 world, 
filtering just their /32 in and out is a much better solution.

> Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.

You wouldn't feel uncomfortable if some other company could come in and 
not only spoof your IP, but receive the return traffic?   Keep in mind 
that they could do this in a way that is quite difficult to detect or 
trace, if they were clever about it.

I may trust my provider, to a certain extent, but I certainly don't 
trust everyone who gives my provider money.
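The trade-off described in this post, between switch 'protected ports' and per-VM /32 filtering in the Dom0, modelled in a small Python simulation. This is an added example, not code from the post or from prgmr.com; the port names, customer labels and addresses are constructed, and the "uplink" port stands in for the router-facing side of the switch.

```python
"""Compare two isolation policies for a shared hosting segment:

  1. Switch 'protected ports': a protected port may only exchange frames
     with the uplink, never with another protected port. Source addresses
     are never checked, so spoofing toward the uplink is not stopped.
  2. Dom0 per-VM /32 filter: a frame leaving a vif must carry that vif's
     assigned address as source, and a frame delivered to a vif must carry
     that vif's address as destination. Two hosts of one customer can talk.

All names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address

UPLINK = "uplink"  # the router-facing side of the switch / Dom0 bridge

# Constructed assignments: port (vif) -> (customer, assigned IPv4 /32)
PORTS = {
    "vif1": ("cust-A", "192.0.2.10"),
    "vif2": ("cust-A", "192.0.2.11"),  # same customer bought a second host
    "vif3": ("cust-B", "192.0.2.20"),
}


@dataclass(frozen=True)
class Packet:
    in_port: str   # port the frame arrived on (UPLINK for traffic from the router)
    out_port: str  # port the frame would be forwarded to
    src: str       # IPv4 source address
    dst: str       # IPv4 destination address


def protected_ports_allows(pkt: Packet) -> bool:
    """Protected-port rule: only port<->uplink forwarding is permitted.
    Nothing about the packet's addresses is examined."""
    return pkt.in_port == UPLINK or pkt.out_port == UPLINK


def per_ip_filter_allows(pkt: Packet, ports=PORTS) -> bool:
    """Dom0 rule: pin each vif to its /32 in both directions."""
    if pkt.in_port in ports:
        assigned = ip_address(ports[pkt.in_port][1])
        if ip_address(pkt.src) != assigned:
            return False  # VM is sourcing an address that is not its own (spoof)
    if pkt.out_port in ports:
        assigned = ip_address(ports[pkt.out_port][1])
        if ip_address(pkt.dst) != assigned:
            return False  # frame for someone else's address would land on this vif
    return True


def evaluate(pkt: Packet) -> dict:
    """Return the verdict of both policies for one packet."""
    return {
        "protected_ports": protected_ports_allows(pkt),
        "per_ip_filter": per_ip_filter_allows(pkt),
    }


# Constructed traffic cases that exercise the difference between the policies.
CASES = {
    # cust-A's two hosts talking to each other on the shared segment
    "same_customer": Packet("vif1", "vif2", "192.0.2.10", "192.0.2.11"),
    # cust-A's host sending toward the internet with its own address
    "legit_egress": Packet("vif1", UPLINK, "192.0.2.10", "203.0.113.5"),
    # cust-A's host sending toward the internet using cust-B's address
    "spoofed_egress": Packet("vif1", UPLINK, "192.0.2.20", "203.0.113.5"),
    # reply to cust-B's address being delivered to cust-A's vif
    "spoofed_return": Packet(UPLINK, "vif1", "203.0.113.5", "192.0.2.20"),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name:15s} {evaluate(pkt)}")
```

`same_customer` is the case the post calls out: protected ports drop it even though both hosts belong to one entity, while the /32 filter passes it. `spoofed_egress` and `spoofed_return` show the reverse: protected ports forward both (they never look at addresses), while the Dom0 filter drops both, so a spoofing tenant neither sends as another customer nor receives that customer's return traffic. In a real Dom0 deployment the same vif-to-address pinning also has to be applied to ARP, since a tenant who can answer ARP for another address can attract its traffic regardless of the IP rules; that point is beyond what the post states and is an assumption of this example.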

More information about the NANOG mailing list