[134502] in North American Network Operators' Group
Re: NIST IPv6 document
daemon@ATHENA.MIT.EDU (Mikael Abrahamsson)
Thu Jan 6 10:53:58 2011
Date: Thu, 6 Jan 2011 16:52:41 +0100 (CET)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Jack Bates <jbates@brightok.net>
In-Reply-To: <4D25E34D.7090100@brightok.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, 6 Jan 2011, Jack Bates wrote:
> Not stateful firewalls. He's referring to neighbor learning based on
> incoming traffic to the router from the trusted side. ie, I received a
> packet from the server, so I will add his MAC to my neighbor table.
> There are many methods for learning MAC addresses, though. DHCP/MAC
> security with static ARP and other viable options have properly killed
> this problem in v4 by routers not looking for unknown neighbors.
When people start to talk about "trusted side" etc, I immediately think
firewalls and not plain routing. I don't trust anyone, neither my
customers, nor Internet.
I guess it might make sense to have the host register address usage (in
the SLAAC case) with the router, and the router having a mechanism to
broadcast/multicast to everybody that "I lost my state mac/ip table,
please re-register" so they can do it again.
> It's how it works, but not how it should work. In the last years, v4 has
> seen some nice implementations that specifically are designed
> (especially for eyeball networks who have vast pools of space) to keep
> routers from sending unsolicited arp requests and maintaining only a
> valid pool of mappings.
In the DHCP case this is easy, yes.
I perfer to have only LL on the link towards the customer operated CPE,
thus I don't really need to keep lots of ND state per customer.
--
Mikael Abrahamsson email: swmike@swm.pp.se
