[135591] in North American Network Operators' Group


Re: Using IPv6 with prefixes shorter than a /64 on a LAN

daemon@ATHENA.MIT.EDU (Douglas Otis)
Wed Jan 26 21:37:17 2011

Date: Wed, 26 Jan 2011 18:36:28 -0800
From: Douglas Otis <dotis@mail-abuse.org>
To: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <4D3F8054.8040107@gont.com.ar>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 1/25/11 6:00 PM, Fernando Gont wrote:
> On 24/01/2011 08:42 p.m., Douglas Otis wrote:
>> It seems efforts related to IP address specific policies are likely
>> doomed by the sheer size of the address space, and to be pedantic, ARP
>> has been replaced with multicast neighbor discovery which dramatically
>> reduces the overall traffic involved.
> This has nothing to do with the number of entries required in the
> Neighbor Cache.
>> Secondly, doesn't Secure Neighbor
>> Discovery implemented at layer 2 fully mitigate these issues?  I too
>> would be interested in hearing from Radia and Fred.
> It need not. Also, think about actual deployment of SEND: for instance,
> last time I checked Windows Vista didn't support it.
First, it should be noted ND over ARP offers a ~16M to 2 reduction in 
traffic.  Secondly, services offered within a facility can implement 
Secure Neighbor Discovery, since a local network's data link layer, by 
definition, is isolated from the rest of the Internet. While ICMPv6 
supports ND and SeND using standard IPv6 headers, only stateful ICMPv6 
Packet Too Big messages should be permitted.  Nor are Vista, ISATAP, or 
Teredo wise choices for offering Internet services.  At least there are 
Java implementations of Secure Neighbor Discovery.

When one considers what is needed to defend a facility's resources, 
Secure Neighbor Discovery seems desirable since it offers hardware-
supported defenses from a wide range of threats.  While it is easy to 
understand a desire to keep specific IP addresses organized into small 
segments, such an approach seems at greater risk and more fragile in the 
face of frequent renumbering.  In other words, it seems best to use IPv6 
secure automation whenever possible.

The make-before-break feature of IPv6 should also remove most 
impediments related to renumbering.  In other words, fears expressed 
about poorly considered address block assignments also seem misplaced.

-Doug
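The traffic-reduction point in the message above rests on how IPv6 Neighbor Discovery addresses a Neighbor Solicitation: instead of a link broadcast like an ARP request, the NS goes to the target's solicited-node multicast group (ff02::1:ffXX:XXXX, the low 24 bits copied from the target, RFC 4291), which maps to the Ethernet multicast MAC 33:33:ff:XX:XX:XX (RFC 2464). Only NICs that have joined that MAC pass the frame up, and with 2^24 possible groups a solicitation normally reaches one host, or a handful on a collision. The script below is an added illustration of that mechanism, not code from the post or from NANOG; the LAN, its host names and their addresses are constructed for the example.

```python
"""Solicited-node multicast vs. ARP broadcast: which hosts must process a
Neighbor Solicitation for a given target.  Added example; the LAN below is
constructed, not captured from any real network."""
import ipaddress

# RFC 4291 section 2.7.1: ff02::1:ff00:0/104 with the target's low 24 bits appended.
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ALL_NODES_MAC = "33:33:00:00:00:01"  # ff02::1, joined by every IPv6 host


def solicited_node_address(addr):
    """Return the solicited-node multicast group an NS for `addr` is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group):
    """RFC 2464 section 7: 33:33 followed by the low 32 bits of the group."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def nic_filter(host_addrs):
    """Multicast MACs a host's NIC accepts for ND: one per configured address
    (each address has its own solicited-node group) plus all-nodes."""
    return {multicast_mac(solicited_node_address(a)) for a in host_addrs} | {ALL_NODES_MAC}


def hosts_receiving_ns(lan, target):
    """Hosts whose NIC passes up an NS for `target` (name -> [addresses])."""
    mac = multicast_mac(solicited_node_address(target))
    return sorted(name for name, addrs in lan.items() if mac in nic_filter(addrs))


def hosts_receiving_arp(lan, target):
    """An ARP request is a link broadcast: every host's NIC passes it up."""
    return sorted(lan)


# Constructed LAN.  carol's global address deliberately shares its low 24 bits
# (0x345678) with alice's link-local address, so the two land in one group.
LAN = {
    "alice": ["2001:db8:1::a1", "fe80::1234:5678"],
    "bob": ["2001:db8:1::b2", "fe80::aaaa:bbbb"],
    "carol": ["2001:db8:1::c3", "2001:db8:1::ff34:5678"],
    "dave": ["2001:db8:1::d4"],
}


if __name__ == "__main__":
    for target in ("fe80::1234:5678", "2001:db8:1::b2"):
        group = solicited_node_address(target)
        print(f"NS for {target}: group {group}, MAC {multicast_mac(group)}")
        print(f"  ND reaches  {hosts_receiving_ns(LAN, target)}")
        print(f"  ARP reaches {hosts_receiving_arp(LAN, target)}")
```

The collision case is the reason the reduction is "to 2" rather than "to 1": two addresses on a link that agree in their low 24 bits share a solicited-node group and both hosts see each other's solicitations, but every other host's NIC drops the frame in hardware before the stack ever runs ND over it.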