[170397] in North American Network Operators' Group


Re: IPv6 Security [Was: Re: misunderstanding scale]

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Mar 27 02:18:14 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <53336205.2010206@prgmr.com>
Date: Wed, 26 Mar 2014 23:14:55 -0700
To: "Luke S. Crawford" <lsc@prgmr.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 26, 2014, at 4:25 PM, Luke S. Crawford <lsc@prgmr.com> wrote:

> On 03/26/2014 03:49 PM, Matt Palmer wrote:
>> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
>>> There are many ways to skin this cat; stateless autoconfig looks
>>> like it mostly works, but privacy extensions seem to be the default
>>> in many places; outgoing IPv6 from those random addresses will trip
>>> my BCP38 filters.
>>
>> Your what-now?  You do realise SLAAC works entirely within a single /64,
>> which shouldn't be difficult to decide is either routable or not in one hit,
>> right?
>
> If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way. But it's quite a bit more complex than my current setup.
>
> The way I'm set up now, I've got an IPv4 address block on a vlan, and an IPv6 /64 on the same vlan. I have many customers on that vlan. Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 address. (If the customer wants more IPv6, we just route a /64 to the /128 they are allowed.) There are firewall rules that only allow appropriate packets in and out of the interface. These rules are important for privacy as well as preventing spoofing; they prevent sniffing of most traffic bound for other guests.

Why not just use private VLAN layer 2 controls for the privacy you describe?

Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.

Owen
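The per-customer filtering Luke describes in the quoted message above, modelled in Python as an added example (this is not code from the thread or from either poster): each port on the shared VLAN is bound to that customer's IPv4 /32 and IPv6 /128 (plus an optional routed /64), egress is accepted only from those sources and ingress only to those destinations. The prefixes (documentation ranges), customer and port names and the sample packets are all constructed for the example. It also shows why a SLAAC privacy-extension address trips such a filter: the address sits inside the shared /64 but outside the customer's /128.

```python
"""
Per-customer anti-spoofing / isolation filter for a shared VLAN
(BCP38-style, applied per customer port).

Added example; not code from the NANOG thread. Models the setup Luke
describes: one IPv4 block and one IPv6 /64 on a shared VLAN, each customer
holding an IPv4 /32 and an IPv6 /128, optionally with a /64 routed to
that /128. Prefixes, names and packets below are constructed sample data
taken from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Customer:
    name: str
    # Prefixes this customer may source traffic from (and receive traffic to).
    allowed: List[object]

    def holds(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        # Membership across address families is False, so v4 and v6 prefixes
        # can share one list without special-casing.
        return any(ip in net for net in self.allowed)


def make_customer(name: str, *prefixes: str) -> Customer:
    """Build a Customer from prefix strings; strict=True rejects set host bits."""
    return Customer(name, [ipaddress.ip_network(p, strict=True) for p in prefixes])


# Constructed port table for one shared VLAN: 192.0.2.0/24 + 2001:db8:1::/64.
PORTS = {
    "vif-a": make_customer("customer-a", "192.0.2.10/32", "2001:db8:1::10/128"),
    # customer-b asked for more IPv6, so 2001:db8:b::/64 is routed to its /128.
    "vif-b": make_customer("customer-b", "192.0.2.11/32", "2001:db8:1::11/128",
                           "2001:db8:b::/64"),
}


def verdict(port: str, direction: str, src: str, dst: str) -> str:
    """
    Egress (customer -> VLAN): the source must be one of the customer's own
    addresses, which blocks spoofing of other guests.
    Ingress (VLAN -> customer): the destination must be one of the customer's
    addresses, which stops a guest from sniffing traffic bound for others.
    Unknown ports get nothing.
    """
    cust = PORTS.get(port)
    if cust is None:
        return "DROP"
    checked = src if direction == "egress" else dst
    return "ACCEPT" if cust.holds(checked) else "DROP"


def audit(packets):
    """Apply verdict() to (port, direction, src, dst) tuples; return counts."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for pkt in packets:
        counts[verdict(*pkt)] += 1
    return counts


if __name__ == "__main__":
    # Constructed packets. The third one uses a SLAAC privacy-extension style
    # address: inside the shared /64 but not customer-a's /128, so it is dropped
    # exactly as Luke says his filters would.
    SAMPLE = [
        ("vif-a", "egress", "2001:db8:1::10", "2001:db8:ffff::1"),
        ("vif-a", "egress", "192.0.2.11", "198.51.100.1"),            # spoofing b
        ("vif-a", "egress", "2001:db8:1:0:a1b2:c3d4:e5f6:7890", "2001:db8:ffff::1"),
        ("vif-b", "egress", "2001:db8:b::1234", "2001:db8:ffff::1"),  # routed /64
        ("vif-a", "ingress", "198.51.100.1", "192.0.2.11"),           # traffic for b
    ]
    for pkt in SAMPLE:
        print(verdict(*pkt), pkt)
    print(audit(SAMPLE))
```

Run it as a script to see each constructed packet's verdict; the routed /64 on `vif-b` is what makes a customer-chosen address acceptable, which is the "route a /64 to the /128" arrangement from the quoted message, whereas the shared /64 can never be granted wholesale to one port.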

