nanog mailing list archives
Re: NIST IPv6 document
From: Mikael Abrahamsson <swmike () swm pp se>
Date: Thu, 6 Jan 2011 16:52:41 +0100 (CET)
On Thu, 6 Jan 2011, Jack Bates wrote:
> Not stateful firewalls. He's referring to neighbor learning based on incoming traffic to the router from the trusted side. ie, I received a packet from the server, so I will add his MAC to my neighbor table. There are many methods for learning MAC addresses, though. DHCP/MAC security with static ARP and other viable options have properly killed this problem in v4 by routers not looking for unknown neighbors.
When people start to talk about "trusted side" etc, I immediately think firewalls and not plain routing. I don't trust anyone, neither my customers, nor Internet.
I guess it might make sense to have the host register address usage (in the SLAAC case) with the router, and the router having a mechanism to broadcast/multicast to everybody that "I lost my state mac/ip table, please re-register" so they can do it again.
> It's how it works, but not how it should work. In the last years, v4 has seen some nice implementations that specifically are designed (especially for eyeball networks who have vast pools of space) to keep routers from sending unsolicited arp requests and maintaining only a valid pool of mappings.
In the DHCP case this is easy, yes. I prefer to have only LL on the link towards the customer operated CPE, thus I don't really need to keep lots of ND state per customer.
-- Mikael Abrahamsson email: swmike () swm pp se