[101281] in North American Network Operators' Group
Re: v6 subnet size for DSL & leased line customers
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Dec 26 16:42:06 2007
Date: Wed, 26 Dec 2007 16:40:02 -0500
From: Leo Bicknell <bicknell@ufp.org>
To: North American Network Operators Group <nanog@merit.edu>
Mail-Followup-To: North American Network Operators Group <nanog@merit.edu>
In-Reply-To: <2190AC11-888D-4BD8-8C62-A9070D74A0E3@muada.com>
Errors-To: owner-nanog@merit.edu
In a message written on Wed, Dec 26, 2007 at 09:19:54PM +0100, Iljitsch van Beijnum wrote:
> Many switches can enforce a MAC/port relationship, so that MAC
> addresses can't be spoofed.
Which gets to the crux of my question.
If you're a shop that uses such features today (MAC/Port tracking,
DHCP snooping, etc.) to "secure" your IPv4 infrastructure, do IPv6
RAs represent a step backwards from a security perspective? Would
IPv6 deployment be hindered until there is DHCPv6 snooping and
DHCPv6 is able to provide a default gateway, a-la how it is done
today in IPv4?
It would be very interesting to me if the answer was "it's moot
because we're going to move to CGA's as a step forward"; it would
be equally interesting if the answer is "CGA isn't ready for prime
time / we can't deploy it for xyz reason, so IPv6 is less secure
than IPv4 today and that's a problem."
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org