IPv6 Security [Was: Re: misunderstanding scale]

Luke S. Crawford lsc at prgmr.com
Thu Mar 27 17:25:34 UTC 2014


>> It might make sense to just give everyone their own vlan and their own /64;  that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans -  not impossible to get around, but significant added complexity.)
>
> I don’t see the point of that.


why not?  After carefully considering everything you have told me, this 
sounds like the way forward to do it the "IPv6 way"   -  privacy IPs 
would work fine, and I could filter every port such that only packets 
from that /64 were allowed out and only addresses to that /64 would be 
allowed in.    Nobody would be able to spoof or listen in on their 
neighbor;  yeah, my router would have to send a lot of RAs, but routers 
that handle the amount of traffic my customers send are cheap.  I have a 
lot of customers, sure, but they are small.

Sure, it's going to cost me in routing complexity, but it looks like the 
only thing I can do that will actually solve my problems and use IPv6 
the way IPv6 is expecting to be used.

I'd then have to figure out how to make their ipv4 /32 work, but I can 
think of several possibilities that might work.  If nothing else, I 
could give them one interface for IPv6 and one for IPv4, and leave the 
IPv4 interface the current system.






More information about the NANOG mailing list