Re: IPv6 Deployment for the LAN

[Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>]

On Sun, 18 Oct 2009 09:03:12 +0100
Andy Davidson <andy () nosignal org> wrote:

> On 18 Oct 2009, at 01:55, Ray Soucy wrote:
> > The only solution that lets us expand our roll out IPv6 to the edge  
> > without major changes to the production IPv4 network seems to point  
> > to making use of DHCPv6, so the effort has been focused there.
> [...]
> > Needless to say, the thought of being able to enable IPv6 on a per- 
> > host basis is met with far less resistance than opening up the  
> > floodgates and letting SLAAC take control.
>
> Hi, Roy --
>
> Good summary, thanks for the write-up.
>
> I reluctantly just use SLAAC on our own office LANs because, we're  
> still quite a small and nimble team, therefore we can secure our  
> network against our SLAAC security concerns by locking down access to  
> the network.  I realise this isn't going to work for everyone, as it  
> doesn't fit well for the security needs of your much larger campus  
> network.  It also doesn't work for some of our customers who have DHCP  
> in their toolbox for provision certain hosting environments.
>
> DHCPv6 today lacks default-router option support, so you are left with  
> some pretty awful choices if you don't want to use the router  
> solicitation/advertisement, err, 'features' in SLAAC :

I'm curious what the issue is with not having a default-router option
in DHCPv6?

If it's because somebody could start up a rogue router and announce
RAs, I think a rogue DHCPv6 server is (or will be) just as much a
threat, if not more of one - I think it's more likely server OSes will
include DHCPv6 servers than RA "servers".


>   - Static route on the device
>     - Actually, you could use the *same* link-local address to keep  
> this the same on all devices on your network, which you continue to  
> support long after a "better" protocol comes along.  This reduces your  
> support overhead.
>
>   - end user runs some routing protocol
>     - I don't want to give my router the extra work though.  And it  
> feels like a stupid idea.  And end user OSes don't tend to have them  
> installed.
>
>   - Don't roll v6 beyond engineering teams, until something better  
> comes along
>     - Sadly, I think that this is the option people are taking. :-(
>
> I don't know the history of the process that led to DHCPv6 ending up  
> crippled, and I have to admit that it's not clear how I signal this  
> and to whom, but for the avoidance of doubt: this operator would like  
> his tools back please.  Support default-routing options for DHCPv6 !
>
> Andy
>
>
>
>
> -- 
> Regards, Andy Davidson    +44 (0)20 7993 1700    www.netsumo.com
> NetSumo Specialist ISP/networks consultancy, Whitelabel 24/7 NOC