IPv6 Security [Was: Re: misunderstanding scale]

Jack Bates jbates at brightok.net
Thu Mar 27 18:14:30 UTC 2014


On 3/27/2014 12:19 PM, Luke S. Crawford wrote:
>
> This is a very common problem for dedicated hosting providers (and why 
> I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.)
>
Implement what some DSL access providers do. Unnumbered interfaces with 
/32 routing to the vlan. The last I checked, I think a J can even get 
the /32 route from radius when using autoconfig with radius auth. We did 
similar things with IPv6, as well. proxy-arp/proxy-nd to handle the 
cross talk.

IOS 12.1 7206 confirmed. No autoconf, but static subinterfaces for each 
vlan (q-in-q supported or atm), unnumbered to loopback. DHCPv4 and 
static routing works. IPv6 had issues, but could handle static /64 per 
subint.

ASR/J MX, autoconfig w/ radius backend, manual subint/unit, or 
combination. DHCPv4 confirmed, static host routes confirmed. IPv6 not 
confirmed. Radius static host route establishment not confirmed. Still 
testing.



Jack



More information about the NANOG mailing list