nanog mailing list archives
Re: IPv6 Deployment for the LAN
From: Karl Auer <kauer () biplane com au>
Date: Sun, 18 Oct 2009 14:51:00 +1100
On Sat, 2009-10-17 at 20:55 -0400, Ray Soucy wrote:
> making use of SLAAC. The concern here is that older hosts with less than OK implementations will still enable IPv6 without regard for the stability and security concerns associated with IPv6.
Some hosts - very dumb ones or very old ones, probably embedded stacks - may do SLAAC even with a prefix other than 64 bits! Once a stack is broken, anything is possible, so I'm not sure you win much here.

Better to find and cure/replace/isolate broken hosts than break your entire network just to accommodate them. If you start doing the "wrong thing" to accommodate broken hosts, you will never find peace. Zig to avoid one dud; you'll have to zag to avoid the next and before you know it your life is nothing but dodging. Take the high ground instead.

Do the advertisements "right", advise sysadmins that hosts should not do SLAAC, and (if you are really concerned about broken hosts) collect MAC address information from your switches and do an automated test of reachability on all SLAAC addresses. You can generate the addresses yourself easily enough from the prefix and the MAC. None should be reachable, and any that are - well, you now know where they are and can take appropriate action.

And then block all SLAAC addresses at your routers or firewalls, that'll larn 'em :-)

Regards, K.

--
Karl Auer (kauer () biplane com au)    +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/      +61-428-957160 (mob)
GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
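The audit described in the message above (derive each host's SLAAC address from the prefix and its MAC, then test reachability), as an added Python example that is not part of the original post. The prefix and MAC addresses are constructed samples, and `is_reachable` assumes Linux iputils `ping`.

```python
import ipaddress
import re
import subprocess

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)

def slaac_address(prefix, mac):
    """Address a host would form from prefix + MAC using modified EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC expects a /64 prefix")
    m = parse_mac(mac)
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI half and the NIC-specific half of the MAC.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return net[int.from_bytes(iid, "big")]

def candidates(prefix, mac_table):
    """Map every MAC seen on the switches to its would-be SLAAC address."""
    return {mac: slaac_address(prefix, mac) for mac in mac_table}

def is_reachable(addr):
    """Send one echo request. Assumption: Linux iputils ping (-6, -c, -W)."""
    r = subprocess.run(["ping", "-6", "-c", "1", "-W", "1", str(addr)],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

# Constructed sample data: documentation prefix and made-up MAC addresses.
SAMPLE_PREFIX = "2001:db8:0:1::/64"
SAMPLE_MACS = ["00:1b:21:3c:4d:5e", "0050.56ab.cdef", "02-00-5E-10-00-01"]

if __name__ == "__main__":
    for mac, addr in candidates(SAMPLE_PREFIX, SAMPLE_MACS).items():
        # Any address that answers belongs to a host doing SLAAC anyway.
        print(f"{mac:20} {addr} reachable={is_reachable(addr)}")
```

Only hosts using modified EUI-64 interface identifiers are found this way; a host using privacy (RFC 4941) addresses forms identifiers that are not derived from its MAC.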