nanog mailing list archives

Re: IPv6 Security [Was: Re: misunderstanding scale]

From: "Luke S. Crawford" <lsc () prgmr com>
Date: Wed, 26 Mar 2014 16:25:57 -0700

On 03/26/2014 03:49 PM, Matt Palmer wrote:

On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:

There are many ways to skin this cat; stateless autoconfig looks
like it mostly works, but privacy extensions seem to be the default
in many places; outgoing IPv6 from those random addresses will trip
my BCP38 filters.


Your what-now?  You do realise SLAAC works entirely within a single /64,
which shouldn't be difficult to decide is either routable or not in one hit,
right?

If you give every customer their own vlan and /64, sure. That can bedone, and there are many advantages to doing it that way. But it'squite a bit more complex than my current setup.

The way I'm setup now, I've got an IPv4 address block on a vlan, and anIPv6/64 on the same vlan. I have many customers on that vlan. Eachcustomer has one (or more) IPv4 /32 addresses and one IPv6 /128addresses. (if the customer wants more IPv6, we just route a /64 to the/128 they are allowed.) There are firewall rules that only allowappropriate packets in and out of the interface. These rules areimportant for privacy as well as preventing spoofing; they preventsniffing of most traffic bound for other guests.

This is in production on many of my hosts, and because I give every userboth an IPv4 and an IPv6 address, this mostly works. My setup scriptswire down both the v4 and v6 addresses before I hand it off to the user;if the user wants re-install, well, they can wire down the IPv6address by hand if they want it, and IPv4 works regardless.

It is valid to say that I'm trying to use IPv6 the way I use IPv4, andperhaps that is the wrong thing to do. Perhaps IPv6 needs to be thoughtof in a different way from IPv4; Perhaps in IPv6, a /64 should be thesmallest block I give to a user, and the smallest block I filter on, andI just need to eat the network complexity costs inherent to giving eachuser a vlan.

My original comment and complaint, though, was in response to theassertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6does not fill the role that DHCPv4 fills, if you care about tying an IPto a MAC and you want that connection to persist across OS installs bycustomers.

Current thread:

Re: IPv6 Security [Was: Re: misunderstanding scale], (continued)
- - - Re: IPv6 Security [Was: Re: misunderstanding scale] Mark Tinka (Mar 24)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Owen DeLong (Mar 24)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Paul Ferguson (Mar 24)
    - RE: IPv6 Security [Was: Re: misunderstanding scale] Naslund, Steve (Mar 24)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Lee Howard (Mar 25)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Lamar Owen (Mar 25)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Luke S. Crawford (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Jack Bates (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Mohacsi Janos (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Matt Palmer (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Luke S. Crawford (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Timothy Morizot (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Chuck Anderson (Mar 26)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Owen DeLong (Mar 26)
    - Re: IPv6 Security sthaug (Mar 27)
    - Re: IPv6 Security Henri Wahl (Mar 27)
    - Re: IPv6 Security Owen DeLong (Mar 27)
    - Re: IPv6 Security sthaug (Mar 27)
    - Re: IPv6 Security Karl Auer (Mar 27)
    - Re: IPv6 Security Owen DeLong (Mar 27)
    - Re: IPv6 Security [Was: Re: misunderstanding scale] Owen DeLong (Mar 26)

(Thread continues...)