Re: IPv6 Confusion

[Nathan Ward <nanog () daork net>]

On 19/02/2009, at 11:20 AM, Adrian Chadd wrote:

> On Thu, Feb 19, 2009, Nathan Ward wrote:
>
> > So, those people don't use DHCP in IPv4 if this is a concern, so I'm
> > guessing they are not hoping to use DHCPv6 either.
> > Static configuration of IP addressing information and other
> > configuration will work just fine for them.
> >
> > I wonder, do they use ARP?
>
> In the corporate world, you get wonderful L2/L3 features in switches,
> such as:
>
> * helper address stuff, to run centralised DHCP servers
> * dhcp sniffing/filtering
> * per port L2/L3 filters
> * dynamic arp inspection
>
> which are used on corporate LANs to both build out scalable address
> management platforms (ie, no need to run a DHCP server on each subnet,
> nor one DHCP server with seperate vlan if's to provide service),  
> control
> access and mitigate security risks.
>
> I don't know what the IPv6 LAN "snooping" functionality is across
> vendors but the last time I checked this out (say, 2-3 years ago)
> it was pretty lacking.

Yep. You asked your vendors to support equivalent IPv6 things at the  
time though, so when you roll out IPv6 the support is ready, right?

The point is that these deficiencies exist in IPv4, and I'm not sure  
how you would solve them in IPv6 (assuming you can make all the  
changes you want, and get instant industry-wide support) any better  
than you solve them in IPv4.

My view is that this is an ethernet switch thing, not a problem with  
the L3 protocols.

Are there IETF documents on the above L2/L3 features for dealing with  
these problems in IPv4? I have not seen any. There probably should be  
some though..

> > The things you are talking about are about protecting against
> > misconfiguration, not about protecting against malicious people.
>
> See above.


Yep.

--
Nathan Ward