[177057] in North American Network Operators' Group


Re: Estonian IPv6 deployment report

daemon@ATHENA.MIT.EDU (Tarko Tikan)
Sat Dec 27 11:27:18 2014

X-Original-To: nanog@nanog.org
Date: Sat, 27 Dec 2014 18:27:08 +0200
From: Tarko Tikan <tarko@lanparty.ee>
To: nanog@nanog.org
In-Reply-To: <549EDB11.2040807@abundo.se>
X-SA-Exim-Mail-From: tarko@lanparty.ee
Errors-To: nanog-bounces@nanog.org

hey,

> How do you protect customers from each other?
>
> There are many nasty IPv6 attacks you can do when on a shared VLAN.

Split-horizon (switchport protected in the Cisco world). Customers can't
send packets directly to each other; all communication has to go via the
BNG router. Obviously we protect L2 as well, like limiting the number of
MACs per customer, making sure the BNG MAC cannot be learned from customer
ports, etc. We don't use any L3 (both v4 and v6) inspection in ANs;
everything happens in the BNG.

It's actually much better and more logical for v6 than it is for v4. In
the v4 world you have to implement proxy-arp; in the v6 world there is no
need for customers to send packets to each other's link-local WAN
addresses, and packets sent to PD addresses are by default routed via the
BNG.

-- 
tarko
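
A small model of the access-node forwarding rules described in the message above, added here as an illustration; it is not part of the original post and not any vendor's implementation. The port names, MAC addresses and the per-port limit of 2 are constructed values.

```python
from dataclasses import dataclass, field

UPLINK = "uplink"  # assumed name for the port facing the BNG


@dataclass
class AccessNode:
    bng_mac: str
    customer_ports: tuple
    max_macs: int = 2  # assumed per-port limit, for illustration
    learned: dict = field(default_factory=dict)  # customer port -> set of MACs

    def receive(self, in_port, src_mac, dst_mac):
        """Decide what happens to one frame. Returns (verdict, out_ports)."""
        if in_port == UPLINK:
            # Downstream: known unicast goes to its port, everything else
            # (multicast, unknown unicast) is flooded to customer ports.
            for port, macs in self.learned.items():
                if dst_mac in macs:
                    return ("forward", [port])
            return ("flood", list(self.customer_ports))

        # Upstream from a customer port: L2 checks only, no L3 inspection.
        if src_mac == self.bng_mac:
            return ("drop: BNG MAC seen on customer port", [])
        macs = self.learned.setdefault(in_port, set())
        if src_mac not in macs and len(macs) >= self.max_macs:
            return ("drop: MAC limit exceeded", [])
        macs.add(src_mac)
        # Split-horizon: the only egress for customer traffic is the uplink,
        # whatever the destination MAC (unicast, multicast or broadcast).
        return ("forward", [UPLINK])


def demo():
    an = AccessNode(bng_mac="02:00:00:00:00:01", customer_ports=("c1", "c2"))
    return [
        an.receive("c1", "02:aa:00:00:00:01", "02:00:00:00:00:01"),  # to BNG
        an.receive("c2", "02:bb:00:00:00:01", "02:aa:00:00:00:01"),  # to neighbour
        an.receive("c2", "02:bb:00:00:00:02", "33:33:00:00:00:01"),  # all-nodes mcast
        an.receive("c2", "02:00:00:00:00:01", "33:33:00:00:00:01"),  # spoofed BNG MAC
        an.receive("c2", "02:bb:00:00:00:03", "02:00:00:00:00:01"),  # third MAC on c2
        an.receive(UPLINK, "02:00:00:00:00:01", "02:aa:00:00:00:01"),  # BNG to c1
    ]


if __name__ == "__main__":
    for verdict, ports in demo():
        print(verdict, ports)
```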
