nanog mailing list archives

Re: Dual stack IPv6 for IPv4 depletion


From: manning <bmanning () karoshi com>
Date: Thu, 9 Jul 2015 20:42:15 -0700

hum.. let me postulate.  

my lan, my kids, my guests, the drive-bys, …  the LG stuff, the Apple stuff, the whitebox stuff, appliances … smart 
meters, switches, thermostats, toilets, water flow controls, …  
Microsoft can talk to the x-box, but i have no desire for them to see/know anything else on the entertainment lan at the 
house….

manning
bmanning () karoshi com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102



On 9July2015Thursday, at 13:00, Naslund, Steve <SNaslund () medline com> wrote:

Yes, and that is a problem.  Usually because it is not granular enough and there are a lot of ways to get onto 
another VLAN (physical access and packet trickery).  It is a pretty weak form of security policy.

Now, if we assume that VLAN based security is weak and that most homes do not generate enough broadcast traffic to be 
an issue, what exactly is the reason that a residential customer needs a lot of VLANs?  Answer, they probably don't.  
A lot of residential users have a CPE device that does wireless, routing, and DHCP assignments all in one.  No need 
to create a guest VLAN on that type of device.  You simply assign an ACL that keeps the guest from reaching any 
internal IP.  Why would your refrigerator (or car, toaster, TV, whatever) need to be on a separate subnet when the 
whole point is to create a network where all of your stuff communicates?

Us engineers need to make sure we don't generalize that a lot of residential users do to their networks what we do to 
ours.  We MIGHT have a reason for several subnets to simulate different stuff.  I am still waiting for a valid 
example of a residential situation where VLANs are a useful addition.  Oh, and don't even try the QoS argument.  I 
will tell you that LLDP identification of the device and applying QoS policy based on the identification is much more 
effective and transparent to the end user.

Steven Naslund
Chicago IL

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Tyler Applebaum
Sent: Thursday, July 9, 2015 3:38 PM
To: Naslund, Steve
Cc: nanog () nanog org
Subject: RE: Dual stack IPv6 for IPv4 depletion

Do people actually use VLANs for security? It's nice to implement them for organizational purposes and to prevent 
broadcast propagation.


