[152278] in North American Network Operators' Group
Re: Automatic IPv6 due to broadcast
daemon@ATHENA.MIT.EDU (Chuck Anderson)
Mon Apr 23 11:24:48 2012
Date: Mon, 23 Apr 2012 11:23:14 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <C728DAD4-BD9C-4F05-9794-3F3D143EC3BF@delong.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
>
> On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
>
> > On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
> >> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> >>> Particularly good L2 switches also have
> >>> DAI or "IP Source guard" IPv4 functions, which when properly
> >>> enabled, can foil certain L2 ARP and IPv4 source address spoofing
> >>> attacks, respectively.
> >>>
> >>
> >>> e.g. Source IP address of packet does not match one of the DHCP leases
> >>> issued to that port -- then drop the packet.
> >>>
> >>
> >> Meh... I can see many cases where that might be more of a bug than feature.
> >>
> >> Especially in environments where loops may be possible and the DHCP lease might
> >> have come over a different path than the port in question during some network event.
> >
> > You're only supposed to use those features on the port directly
> > connected to the end-system, or to a few end-systems via an unmanaged
> > office switch that doesn't have redundant uplinks. I.e. edge ports.
>
> In a lot of cases, enforcing that all address assignments are via DHCP can still be
> counter-productive. Especially in IPv6.

If a specific managed environment provides DHCPv6 and doesn't provide
SLAAC, and the policies of said environment forbid static addressing,
how can enforcing the use of DHCPv6 be counter-productive?
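
Added example, not part of the original message or of any vendor's implementation: a simplified Python model of the lease-based source filtering discussed in this thread, enforced only on edge ports. The port names, MAC address and documentation-range addresses are constructed, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SourceGuard:
    """Simplified model of lease-based source filtering; not any vendor's implementation."""
    edge_ports: set                               # ports where filtering is enabled
    bindings: dict = field(default_factory=dict)  # (port, mac) -> set of leased addresses

    def learn_lease(self, port, mac, ip):
        """Record a lease observed in a DHCP/DHCPv6 reply delivered to an edge port."""
        if port in self.edge_ports:
            key = (port, mac.lower())
            self.bindings.setdefault(key, set()).add(ipaddress.ip_address(ip))

    def permit(self, port, mac, src_ip):
        """Return True if a frame with this source address may be forwarded."""
        if port not in self.edge_ports:
            return True  # uplinks and inter-switch links are not filtered
        leased = self.bindings.get((port, mac.lower()), set())
        # Compare parsed addresses so different IPv6 spellings of one address match.
        return ipaddress.ip_address(src_ip) in leased

def demo():
    """Run constructed traffic through the model and return each verdict."""
    guard = SourceGuard(edge_ports={"edge1", "edge2"})
    mac = "02:00:00:00:00:01"  # constructed, locally administered MAC
    guard.learn_lease("edge1", mac, "192.0.2.10")    # DHCPv4 lease
    guard.learn_lease("edge1", mac, "2001:db8::10")  # DHCPv6 lease
    return {
        "leased_v4": guard.permit("edge1", mac, "192.0.2.10"),
        "spoofed_v4": guard.permit("edge1", mac, "192.0.2.99"),
        "leased_v6_other_spelling": guard.permit("edge1", mac, "2001:DB8:0:0::10"),
        # Address the host configured itself (static or SLAAC-style), never leased.
        "self_assigned_v6": guard.permit("edge1", mac, "2001:db8::abcd"),
        "uplink_unfiltered": guard.permit("uplink1", mac, "192.0.2.99"),
        # Lease was recorded on edge1, but the host's traffic arrives on edge2.
        "lease_seen_on_other_port": guard.permit("edge2", mac, "192.0.2.10"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'forward' if allowed else 'drop'}")
```

The last case shows the failure mode raised earlier in the thread: a binding recorded against one port causes drops when the same host's traffic arrives on another filtered port.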