IPv6 Security [Was: Re: misunderstanding scale]

Luke S. Crawford lsc at prgmr.com
Thu Mar 27 17:25:34 UTC 2014

>> It might make sense to just give everyone their own vlan and their own /64;  that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans -  not impossible to get around, but significant added complexity.)
> I don’t see the point of that.

Why not?  After carefully considering everything you have told me, this 
sounds like the way forward to do it the "IPv6 way" - privacy IPs 
would work fine, and I could filter every port such that only packets 
from that /64 were allowed out and only addresses to that /64 would be 
allowed in.  Nobody would be able to spoof or listen in on their 
neighbor; yeah, my router would have to send a lot of RAs, but routers 
that handle the amount of traffic my customers send are cheap.  I have a 
lot of customers, sure, but they are small.

Sure, it's going to cost me in routing complexity, but it looks like the 
only thing I can do that will actually solve my problems and use IPv6 
the way IPv6 is expecting to be used.

I'd then have to figure out how to make their IPv4 /32 work, but I can 
think of several possibilities that might work.  If nothing else, I 
could give them one interface for IPv6 and one for IPv4, and leave the 
IPv4 interface on the current system.
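The per-port filter sketched in the message above, written out as an added model that is not part of the original thread: outbound packets must be sourced from the customer's own /64 (so a customer cannot spoof a neighbor), inbound packets must be addressed to it (so a customer cannot receive a neighbor's traffic). The prefixes are constructed from the 2001:db8::/32 documentation range, and the link-local and NDP multicast exemptions are my assumption, added because a strict "only to that /64" inbound rule would otherwise block the router's RAs and neighbor solicitations.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed customer prefixes (documentation range), one VLAN and /64 each.
CUSTOMER_A = IPv6Network("2001:db8:1:a::/64")
CUSTOMER_B = IPv6Network("2001:db8:1:b::/64")

# Assumed exemptions so NDP and RAs keep working across the filter.
LINK_LOCAL = IPv6Network("fe80::/10")
ALL_NODES = IPv6Address("ff02::1")                    # RA destination
SOLICITED_NODE = IPv6Network("ff02::1:ff00:0/104")    # neighbor solicitation


def allow_outbound(customer_prefix: IPv6Network, src: str) -> bool:
    """Packet leaving the customer port: source must belong to that customer
    (or be link-local, for router solicitations / NDP)."""
    s = IPv6Address(src)
    return s in customer_prefix or s in LINK_LOCAL


def allow_inbound(customer_prefix: IPv6Network, dst: str) -> bool:
    """Packet entering the customer port: destination must belong to that
    customer, or be link-local / NDP multicast so RAs and NS still arrive."""
    d = IPv6Address(dst)
    return (d in customer_prefix or d in LINK_LOCAL
            or d == ALL_NODES or d in SOLICITED_NODE)


def filter_port(customer_prefix: IPv6Network, packets) -> list:
    """Apply the policy to (direction, src, dst) triples; one verdict each."""
    verdicts = []
    for direction, src, dst in packets:
        ok = (allow_outbound(customer_prefix, src) if direction == "out"
              else allow_inbound(customer_prefix, dst))
        verdicts.append("ACCEPT" if ok else "DROP")
    return verdicts


# Constructed traffic on customer A's port.
SAMPLE_PACKETS = [
    ("out", "2001:db8:1:a:1c2b:3d4e:5f60:7182", "2001:db8::53"),  # privacy addr, ok
    ("out", "2001:db8:1:b::1", "2001:db8::53"),                   # spoofing B, drop
    ("out", "fe80::1", "ff02::2"),                                # router solicitation
    ("in", "2001:db8::53", "2001:db8:1:a::10"),                   # reply to A, ok
    ("in", "2001:db8::53", "2001:db8:1:b::10"),                   # B's traffic, drop
    ("in", "fe80::1:1", "ff02::1"),                               # RA from router
    ("in", "fe80::1:1", "ff02::1:ff00:10"),                       # NS for A's host
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_port(CUSTOMER_A, SAMPLE_PACKETS)):
        print(verdict, pkt)
```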