nanog mailing list archives

Re: v6 subnet size for DSL & leased line customers

From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Wed, 26 Dec 2007 21:19:54 +0100


On 26 dec 2007, at 19:22, Tony Li wrote:

This doesn't resolve the real underlying problem: Ethernet isinherently insecure. MAC addresses can be forged, protocols (ARP,ND) can be forged and at this point, there's not much that we can doabout it. Architecturally, we need authentication over each andevery control plane packet sent. Getting there without invoking thefull complexity of a public key infrastructure is still an unsolvedproblem, AFAIK.

Actually, for this particular purpose, this is mostly a solvedproblem, although there is of course no free lunch.

Many switches can enforce a MAC/port relationship, so that MACaddresses can't be spoofed.

Neighbor discovery and router advertisements can be secured with SEND(SEcure Neighbor Discovery). This happens through CGAs,cryptograpically generated addresses. Basically, the lower 64 bits ofthe IPv6 address contains a hash over a public key. This makes itpossible to prove ownership over an address.

The not free part is that you need to configure certificates for trustrelationships = the routers that may be default gateways.

Current thread:

Re: v6 subnet size for DSL & leased line customers, (continued)
- - - Re: v6 subnet size for DSL & leased line customers Iljitsch van Beijnum (Dec 24)
    - Re: v6 subnet size for DSL & leased line customers Kevin Loch (Dec 24)
    - Re: v6 subnet size for DSL & leased line customers Owen DeLong (Dec 24)
    - Re: v6 subnet size for DSL & leased line customers sthaug (Dec 25)
    - Re: v6 subnet size for DSL & leased line customers Stephen Sprunk (Dec 25)
    - Re: v6 subnet size for DSL & leased line customers Iljitsch van Beijnum (Dec 25)
    - Re: v6 subnet size for DSL & leased line customers Leo Bicknell (Dec 26)
    - Re: v6 subnet size for DSL & leased line customers Florian Weimer (Dec 26)
    - Message not available
    - Re: v6 subnet size for DSL & leased line customers Florian Weimer (Dec 26)
    - Re: v6 subnet size for DSL & leased line customers Tony Li (Dec 26)
    - Re: v6 subnet size for DSL & leased line customers Iljitsch van Beijnum (Dec 26)
    - Re: v6 subnet size for DSL & leased line customers Leo Bicknell (Dec 26)
    - Re: v6 subnet size for DSL & leased line customers Iljitsch van Beijnum (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers sthaug (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers Iljitsch van Beijnum (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers sthaug (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers Iljitsch van Beijnum (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers Mark Smith (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers Mark Smith (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers Leo Bicknell (Dec 27)
    - Re: v6 subnet size for DSL & leased line customers Christopher Morrow (Dec 27)

(Thread continues...)