Re: IPv6 Deployment for the LAN

[Kevin Loch <kloch () kl net>]

Nathan Ward wrote:
> On 19/10/2009, at 1:10 AM, Owen DeLong wrote:
>
> > On Oct 18, 2009, at 3:05 AM, Nathan Ward wrote:
> >
> > > On 18/10/2009, at 11:02 PM, Andy Davidson wrote:
> > >
> > > > On 18 Oct 2009, at 09:29, Nathan Ward wrote:
> > > >
> > > > > RA is needed to tell a host to use DHCPv6
> > > >
> > > > This is not ideal.
> > >
> > > Why?
> > > Remember RA does not mean SLAAC, it just means RA.
> >
> > Because RA assumes that all routers are created equal.
>
> RFC4191

In some cases different devices on a segment need a different
default router (for default).  This is the fundamental
problem with RA's, they shotgun the entire segment.

> > Because RA is harder to filter.
>
> DHCP in IPv4 was hard to filter before vendors implemented it, too.
>
> > Because the bifercated approach to giving a host router/mask 
> > information and address information
> >     creates a number of unnecessary new security concerns.
>
> Security concerns would be useful to explore. Can you expand on this?

What would be useful would be having the option to give a default
router to a dhcpv6 client, and having vrrpv6 work without RA's.
Why can't we have those options in our toolbox in addition to
this continuously evolving RA+hacks?

- Kevin