nanog mailing list archives
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 26 Jan 2011 18:36:28 -0800
On 1/25/11 6:00 PM, Fernando Gont wrote:
> On 24/01/2011 08:42 p.m., Douglas Otis wrote:
>> It seems efforts related to IP address specific policies are likely doomed by the sheer size of the address space, and to be pedantic, ARP has been replaced with multicast neighbor discovery which dramatically reduces the overall traffic involved.
>
> This has nothing to do with the number of entries required in the Neighbor Cache.
>
>> Secondly, doesn't Secure Neighbor Discovery implemented at layer 2 fully mitigate these issues? I too would be interested in hearing from Radia and Fred.
>
> It need not. Also, think about actual deployment of SEND: for instance, last time I checked Windows Vista didn't support it.

First, it should be noted ND over ARP offers a ~16M to 2 reduction in traffic. Secondly, services offered within a facility can implement Secure Neighbor Discovery, since a local network's data link layer, by definition, is isolated from the rest of the Internet. While ICMPv6 supports ND and SeND using standard IPv6 headers, only stateful ICMPv6 Packet Too Big messages should be permitted. Nor are Vista, ISATAP, or Teredo wise choices for offering Internet services. At least there are Java implementations of Secure Neighbor Discovery.
When one considers what is needed to defend a facility's resources, Secure Neighbor Discovery seems desirable since it offers hardware supported defenses from a wide range of threats. While it is easy to understand a desire to keep specific IP addresses organized into small segments, such an approach seems at greater risk and more fragile in the face of frequent renumbering. In other words, it seems best to use IPv6 secure automation whenever possible.
The make before break feature of IPv6 should also remove most impediments related to renumbering. In other words, fears expressed about poorly considered address block assignments also seem misplaced.
-Doug
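The traffic-reduction claim above rests on how a Neighbor Solicitation is addressed: it goes to the target's solicited-node multicast group (RFC 4291) rather than to every host the way an ARP broadcast does. The following is an added illustration, not code from the thread; the host table is constructed sample data and the function names are my own.

```python
"""Added example: which hosts on a segment must process a Neighbor
Solicitation versus an ARP broadcast. The solicited-node group is
ff02::1:ffXX:XXXX, built from the low 24 bits of the target address
(RFC 4291), and maps to Ethernet 33:33:xx:xx:xx:xx (RFC 2464), so
only hosts that joined that group decode the frame."""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for an IPv6 unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination MAC for an IPv6 multicast group (RFC 2464)."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def hosts_processing_ns(target: str, hosts: dict) -> list:
    """Hosts holding an address in the target's solicited-node group;
    these are the only ones whose NIC/stack must look at the NS."""
    group = solicited_node(target)
    return sorted(h for h, addrs in hosts.items()
                  if any(solicited_node(a) == group for a in addrs))


def hosts_processing_arp(hosts: dict) -> list:
    """An ARP request is a link-layer broadcast: every host parses it."""
    return sorted(hosts)


# Constructed sample segment; web2 deliberately shares its low 24 bits
# with web1 so both fall into the same solicited-node group.
SAMPLE_HOSTS = {
    "web1": ["2001:db8:1::10"],
    "web2": ["2001:db8:1::ff00:10"],
    "db1": ["2001:db8:1::20"],
    "ws1": ["2001:db8:1:0:5054:ff:fe12:3456"],
}

if __name__ == "__main__":
    g = solicited_node("2001:db8:1::10")
    print(g, multicast_mac(g))
    print("NS reaches:", hosts_processing_ns("2001:db8:1::10", SAMPLE_HOSTS))
    print("ARP reaches:", hosts_processing_arp(SAMPLE_HOSTS))
```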