Re: Automatic IPv6 due to broadcast

[Owen DeLong <owen () delong com>]

On Apr 23, 2012, at 8:23 AM, Chuck Anderson wrote:

> On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
> > On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
> >
> > > On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
> > > > On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> > > > > Particularly good L2 switches also have
> > > > > DAI  or  "IP Source guard"  IPv4 functions,   which when properly
> > > > > enabled,  can foil certain L2 ARP  and IPv4 source  address spoofing
> > > > > attacks,  respectively.
> > > >
> > > > > e.g. Source IP address of packet does not match one of the DHCP leases
> > > > > issued to that port -- then drop the packet.
> > > >
> > > > Meh... I can see many cases where that might be more of a bug than feature.
> > > >
> > > > Especially in environments where loops may be possible and the DHCP lease might
> > > > have come over a different path than the port in question during some network event.
> > >
> > > You're only supposed to use those features on the port directly
> > > connected to the end-system, or to a few end-systems via an unmanaged
> > > office switch that doesn't have redundant uplinks.  I.e. edge ports.
> >
> > In a lot of cases, enforcing that all address assignments are via DHCP can still be
> > counter-productive. Especially in IPv6.
>
> If a specific managed environment provides DHCPv6 and doesn't provide
> SLAAC, and the policies of said environment forbid static addressing,
> how can enforcing the use of DHCPv6 be counter-productive?

That's a lot of ifs. I said in a lot of cases. I didn't say in all cases.

If you satisfy all of your ifs, then it's not one of the cases of which I speak.

Owen