[118278] in North American Network Operators' Group


Re: IPv6 Deployment for the LAN

daemon@ATHENA.MIT.EDU (Chuck Anderson)
Sun Oct 18 04:53:10 2009

Date: Sun, 18 Oct 2009 04:52:17 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <DA36C2C3-AADB-4EC5-87B7-DB9073CAE7A5@daork.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Oct 18, 2009 at 09:29:41PM +1300, Nathan Ward wrote:
> Perhaps, but if you're operating a LAN segment you're going to want to  
> filter rogue RA and DHCPv6 messages from your network, just like you do
> with DHCP in IPv4.
> Filtering RA and DHCPv6 are done in very similar ways.

Unfortunately, no.  Many/most LAN switches don't support filtering 
IPv6 traffic yet.  Of those that do, most only support TCP/UDP ports 
but not ICMPv6 types or RA specifically.  Therefore, right now it is 
probably easier to find support to filter DHCPv6 (udp source port 547) 
than it is to find support to filter RA.  This is a real problem even 
for people who are not using IPv6 right now and have no desire to use 
IPv6 yet, because rogue RAs will redirect all IPv6 traffic to a rogue
box on the LAN, breaking access to dual-stack servers on the Internet.  
The impact is worse when you start trying to roll out IPv6 dual-stack 
to selected servers on your own LAN.
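
The difference between the two filters discussed in this message, as an added example that is not part of the original post: a classifier that recognises DHCPv6 server messages by UDP source port 547 and Router Advertisements by ICMPv6 type 134, then drops either when it arrives on a port not marked trusted. It goes slightly beyond the message by walking IPv6 extension headers before matching. The port names, function names and sample packets are constructed for illustration.

```python
import struct

ICMPV6, UDP = 58, 17
EXT_HEADERS = {0, 43, 60}      # hop-by-hop, routing, destination options
RA_TYPE = 134                  # ICMPv6 Router Advertisement
DHCPV6_SERVER_PORT = 547       # source port of DHCPv6 server/relay messages

def classify(pkt: bytes) -> str:
    """Return 'ra', 'dhcpv6-server' or 'other' for a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "other"
    nxt, off = pkt[6], 40
    # Walk extension headers so an RA placed behind one is still recognised.
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            return "other"
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == ICMPV6 and off < len(pkt) and pkt[off] == RA_TYPE:
        return "ra"        # needs a match on ICMPv6 type, not on a port
    if nxt == UDP and off + 2 <= len(pkt):
        if struct.unpack_from("!H", pkt, off)[0] == DHCPV6_SERVER_PORT:
            return "dhcpv6-server"   # a UDP port match is enough here
    return "other"

def should_drop(ingress_port: str, pkt: bytes, trusted_ports: set) -> bool:
    """Drop router/server messages that arrive on a port not marked trusted."""
    return classify(pkt) != "other" and ingress_port not in trusted_ports

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet, fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return hdr + src + dst + payload

# Constructed samples (checksums left at zero; they are not validated here).
RA_BODY = bytes([RA_TYPE, 0, 0, 0]) + bytes(12)
SAMPLE_RA = ipv6(ICMPV6, RA_BODY)
SAMPLE_RA_HBH = ipv6(0, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_BODY)
SAMPLE_DHCPV6_ADVERTISE = ipv6(UDP, struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1]))
SAMPLE_DHCPV6_SOLICIT = ipv6(UDP, struct.pack("!HHHH", 546, 547, 12, 0) + bytes([1, 0, 0, 1]))

if __name__ == "__main__":
    trusted = {"uplink1"}      # hypothetical port name
    for name, pkt in [("RA", SAMPLE_RA), ("RA behind hop-by-hop", SAMPLE_RA_HBH),
                      ("DHCPv6 Advertise", SAMPLE_DHCPV6_ADVERTISE),
                      ("DHCPv6 Solicit", SAMPLE_DHCPV6_SOLICIT)]:
        print(name, classify(pkt), should_drop("access7", pkt, trusted))
```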

