nanog mailing list archives
Re: IPv6 Deployment for the LAN
From: Karl Auer <kauer () biplane com au>
Date: Thu, 22 Oct 2009 11:12:14 +1100
On Wed, 2009-10-21 at 14:34 -0700, David W. Hankins wrote:
folks on this mailing list who have proposed you can predict SLAAC addresses based on prefix and MAC are confused; they are not taking into account the many clients that use temporary addresses by default when the A flag is set (these are intentionally not cryptographically predictable), or that clients may need to re-iterate their SLAAC algorithm if interfered with by a peer[...]
That was me. My suggestion was to use MAC information from switches to build candidate addresses and ping6 them; rogue SLAAC-using hosts would respond, allowing them to be located and fixed. The OP I was replying to was concerned about clients that would do SLAAC even when the RA told them not to. It seems to me that hosts advanced enough to be able to do CGA or use temporary addresses (not necessarily the same thing) are unlikely to be hosts that would fail to interpret an RA correctly. This approach would probably not be 100% successful - maybe the pings don't get through, maybe the rogue doesn't answer pings, whatever. But it would at least be a start. A host that doesn't answer *may* still be a problem, but a host that does answer is *definitely* a problem. IMHO, automatically locating even some of your dud hosts is better than having to locate all of them the hard way.
Ostensibly the solution to this problem is "per host RA", which has [...] This is of course a completely scalable and well thought out plan
Er - tap, tap - is this thing working? (Just testing my sarcasm detector :-)
To work around this problem, some DHCPv6 software implementers have elected to temporarily apply a fixed /64 bit prefix to all applied addresses until a prefix length can be made available in-band through some means. This does neatly work around the problem; the hosts may now speak to one another.
I don't understand this. Could you elaborate? It seems to me that the "simplest network imaginable" should still operate on link local addresses.
Dibbler is a solid software package.
Yes - and your note above tickles some vague memory that Dibbler has implemented something along those lines...
I am extremely skeptical that we'll ever reach where we're going if we get there one millimeter at a time all the while redrafting our plans over and over.
True - but that *is* pretty much how we got to where we are with IPv4 :-)
Someone has forgotten that the reason IPv4 deployed so pervasively is because it was so very trivially simple.
And some of its biggest disadvantages are there for the same reason. As Einstein said, things should be made a simple as possible - but no simpler. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer () biplane com au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: IPv6 Deployment for the LAN, (continued)
- Re: IPv6 Deployment for the LAN Matthew Moyle-Croft (Oct 28)
- Re: IPv6 Deployment for the LAN Owen DeLong (Oct 28)
- Re: IPv6 Deployment for the LAN Mark Smith (Oct 29)
- Message not available
- Re: IPv6 Deployment for the LAN Ray Soucy (Oct 18)
- Re: IPv6 Deployment for the LAN Ray Soucy (Oct 18)
- Re: IPv6 Deployment for the LAN trejrco (Oct 19)
- Re: IPv6 Deployment for the LAN Ron Broersma (Oct 19)
- Re: IPv6 Deployment for the LAN Ray Soucy (Oct 19)
- Re: IPv6 Deployment for the LAN Karl Auer (Oct 21)
- Re: IPv6 Deployment for the LAN David W. Hankins (Oct 22)
- Re: IPv6 Deployment for the LAN Karl Auer (Oct 22)
- Re: IPv6 Deployment for the LAN David W. Hankins (Oct 22)
- Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
- Re: IPv6 Deployment for the LAN Iljitsch van Beijnum (Oct 21)
- Re: IPv6 Deployment for the LAN Ray Soucy (Oct 21)
- Re: IPv6 Deployment for the LAN Cord MacLeod (Oct 21)