[170449] in North American Network Operators' Group


Re: IPv6 Security [Was: Re: misunderstanding scale]

daemon@ATHENA.MIT.EDU (Luke S. Crawford)
Thu Mar 27 13:25:57 2014

Date: Thu, 27 Mar 2014 10:25:34 -0700
From: "Luke S. Crawford" <lsc@prgmr.com>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <836694A3-D37D-495C-83DC-AEDD045E1FC4@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



>> It might make sense to just give everyone their own vlan and their own /64;  that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans -  not impossible to get around, but significant added complexity.)
>
> I don’t see the point of that.


Why not?  After carefully considering everything you have told me, this 
sounds like the way forward to do it the "IPv6 way" - privacy IPs 
would work fine, and I could filter every port such that only packets 
from that /64 were allowed out and only addresses to that /64 would be 
allowed in.  Nobody would be able to spoof or listen in on their 
neighbor; yeah, my router would have to send a lot of RAs, but routers 
that handle the amount of traffic my customers send are cheap.  I have a 
lot of customers, sure, but they are small.

Sure, it's going to cost me in routing complexity, but it looks like the 
only thing I can do that will actually solve my problems and use IPv6 
the way IPv6 is expecting to be used.

I'd then have to figure out how to make their IPv4 /32 work, but I can 
think of several possibilities that might work.  If nothing else, I 
could give them one interface for IPv6 and one for IPv4, and leave the 
IPv4 interface on the current system.
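The per-port /64 filter described in the message above, as an added example that is not part of the thread: it passes outbound packets only when sourced from the customer's own /64 (so any privacy-extension interface ID works but a neighbor's address cannot be spoofed) and inbound packets only when addressed into that /64. The prefix and sample packets are constructed placeholders, and the link-local/multicast exemption is an assumption added so the router's RAs and neighbor discovery are not dropped by the strict prefix match.

```python
import ipaddress

# Constructed example: the customer on this port was assigned the documentation
# prefix 2001:db8:1234::/64 (a placeholder, not an address from the thread).
CUSTOMER_PREFIX = ipaddress.ip_network("2001:db8:1234::/64")

# Assumption: RA/NDP traffic is link-local sourced and goes to link-local or the
# well-known multicast groups, so it is exempted from the /64 match. Without this
# exemption a strict "only to/from the /64" rule would also drop the router's RAs.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ND_MULTICAST = (
    ipaddress.ip_network("ff02::1/128"),         # all-nodes (RAs are sent here)
    ipaddress.ip_network("ff02::2/128"),         # all-routers (RS from the host)
    ipaddress.ip_network("ff02::1:ff00:0/104"),  # solicited-node (NS/NA)
)

def _is_neighbor_discovery(src, dst):
    return src in LINK_LOCAL and (dst in LINK_LOCAL or any(dst in g for g in ND_MULTICAST))

def allow_out(prefix, src, dst):
    """Customer -> network: pass only packets sourced from the customer's own /64,
    so a customer cannot spoof a neighbor's address. Any interface ID inside the
    /64 (including RFC 4941 privacy addresses) is accepted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return _is_neighbor_discovery(src, dst) or src in prefix

def allow_in(prefix, src, dst):
    """Network -> customer: pass only packets addressed into the customer's /64,
    so a customer never sees traffic meant for a neighbor."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return _is_neighbor_discovery(src, dst) or dst in prefix

# Constructed sample packets (direction, src, dst) run against the filter above.
SAMPLE = [
    ("out", "2001:db8:1234:0:a1b2:c3d4:e5f6:789a", "2001:db8::1"),  # privacy IID in own /64
    ("out", "2001:db8:5678::1", "2001:db8::1"),                     # spoofed neighbor source
    ("in",  "2001:db8::1", "2001:db8:1234::1"),                     # addressed to own /64
    ("in",  "2001:db8::1", "2001:db8:5678::1"),                     # neighbor's traffic
    ("in",  "fe80::1", "ff02::1"),                                  # router advertisement
    ("in",  "2001:db8::5", "ff02::1"),                              # global-sourced multicast
]

def evaluate(prefix=CUSTOMER_PREFIX, packets=SAMPLE):
    """Return the allow (True) / drop (False) verdict for each sample packet."""
    return [
        allow_out(prefix, s, d) if direction == "out" else allow_in(prefix, s, d)
        for direction, s, d in packets
    ]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate()):
        print("ALLOW" if verdict else "DROP ", *pkt)
```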
