nanog mailing list archives
Re: Estonian IPv6 deployment report
From: Tarko Tikan <tarko () lanparty ee>
Date: Sat, 27 Dec 2014 18:27:08 +0200
hey,
How do you protect customers from each other? There are many nasty IPv6 attacks you can do when on a shared VLAN.
Split-horizon (switchport protected in Cisco world). Customers can't send packets directly to each other, all communication has to go via BNG router. Obviously we protect L2 as well like limiting number of MACs per customers, make sure BNG MAC cannot be learned from customer ports etc. We don't use any L3 (both v4 and v6) inspection in ANs, everything happens in BNG.
It's actually much better and logical for v6 as it is for v4. In v4 world you have to implement proxy-arp, in v6 world there is no need for customers to send packets to each others link-local WAN addresses and packets sent to PD addresses are by default routed via BNG.
-- tarko
Current thread:
- Estonian IPv6 deployment report Tarko Tikan (Dec 22)
- Re: Estonian IPv6 deployment report Pavel Odintsov (Dec 22)
- Re: Estonian IPv6 deployment report Anders Löwinger (Dec 27)
- Re: Estonian IPv6 deployment report Tarko Tikan (Dec 27)
- Re: Estonian IPv6 deployment report Anders Löwinger (Dec 28)
- Re: Estonian IPv6 deployment report Tarko Tikan (Dec 28)
- Re: Estonian IPv6 deployment report Tarko Tikan (Dec 27)
- Re: Estonian IPv6 deployment report Enno Rey (Dec 27)
- Re: Estonian IPv6 deployment report Anders Löwinger (Dec 28)
- RE: Estonian IPv6 deployment report Phil Bedard (Dec 27)