On Tue, Oct 14, 2008 at 03:10:06PM +0800, Kadirvel Chockalingam Vanniarajan wrote:
> 1) Is there a way for an IPv6 client to distinguish between an authoritative RA
> vs a non-authoritative RA? I guess not, but I may be wrong. I refer to an
> unauthorized host sending out an RA as a non-authoritative RA.

There isn't.

In DHCPv4 operations, most operators implement link layer filters where nefarious peers on the switch fabric are possible. With these filters, server replies come only from servers.

A similar method is required with RA, and currently with DHCP (but some of us think we know how we can put an end to that). There is a subtle difference; DHCP filters are just UDP port limitations. RA filters have to peer into ND packet fields.

In the balance, this factor makes IPv6 suck equally to IPv4.

> 2) In enterprise-level deployments, IPv6 deployments will typically happen
> on top of existing subnet segmentation which was driven by IPv4 subnet
> logistics. If this is the case, expecting RA to be configured by the
> network administrator on each one of the routers sounds like a management
> nightmare.

You are correct.

There are people that configure end hosts, the helpdesk, the Unix sysadmins presiding over large clusters, and there are router operators. They are, today, organized in different groups reporting to different directors in most network companies. These groups don't generally communicate well. In many companies, they often share a kind of rivalry.

RA creates a new organization model where two groups are partially responsible for host configuration. I can only imagine what their internal customers will feel, as each will no doubt point fingers at the other. The end result is increased support costs, even if they create new structures of unified staff.

In the balance, this factor makes IPv6 suck more than IPv4.

> 3) RA-based address assignment is typically meant for scenarios over fewer
> subnets (like public hotspots/ISPs?) wherein requiring another infrastructure
> server (like a DHCPv6 stateful server) will be overkill.

I think public hotspots/ISPs are out of scope for RA.

The only environment I can conceive it might be used in is a simple unmanaged dual-stack home or meeting network, where DHCPv4 can cross the bridge to complete the client's configuration, and where the network is itself identifying a single home user, or is temporary, and so the potential for abuse is limited.

The simple reason is that even public hotspots or ISPs need to be able to respond to abuse complaints, or else they will be observed as being 'safe harbors' for criminals, and people will not peer or give them transit, to reduce their own costs responding to abuse complaints. This maybe won't be a problem until after blackhats start using IPv6 for attacks.

In the balance, and combined with the lack of DHCPv6 deployment, this factor makes IPv6 suck more than IPv4.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?  https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins                  "If you don't do it right the first time,
Software Engineer                      you'll just have to do it again."
Internet Systems Consortium, Inc.               -- Jack T. Hankins
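The difference Hankins points to between DHCP filters ("just UDP port limitations") and RA filters ("have to peer into ND packet fields") is concrete enough to show in code. The block below is an added example and is not code from the post, from ISC or from the IETF list: it implements both rules as a per-port filter would, with the DHCPv4 rule stopping at the UDP source port and the RA rule walking the IPv6 header and any extension headers down to the ICMPv6 type byte. The frames, MAC and IP addresses, and the `port_filter` policy are all constructed here for illustration; checksums are left zero and not validated.

```python
"""Added example: what a switch-port filter has to inspect to recognise a
DHCPv4 server reply versus an IPv6 Router Advertisement.  All frames and
addresses below are constructed inline; nothing is captured from a network."""
import struct

ETH_P_IPV4, ETH_P_IPV6 = 0x0800, 0x86DD
IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_UDP, IPPROTO_ICMPV6 = 17, 58
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}
ICMPV6_ROUTER_ADVERT, ICMPV6_NEIGHBOR_SOLICIT = 134, 135
DHCPV4_SERVER_PORT, DHCPV4_CLIENT_PORT = 67, 68


def _ethertype(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else -1


def is_dhcpv4_server_reply(frame: bytes) -> bool:
    """The DHCPv4 'trusted port' rule: IPv4, UDP, source port 67.  Nothing more."""
    if _ethertype(frame) != ETH_P_IPV4:
        return False
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP:
        return False
    udp = ip[(ip[0] & 0x0F) * 4:]            # skip IHL*4 bytes of IPv4 header
    return len(udp) >= 8 and struct.unpack("!H", udp[0:2])[0] == DHCPV4_SERVER_PORT


def icmpv6_type(frame: bytes):
    """ICMPv6 type of an IPv6 frame, or None if it is not ICMPv6.  Extension
    headers are walked so a Hop-by-Hop header in front of the RA cannot hide it."""
    if _ethertype(frame) != ETH_P_IPV6:
        return None
    ip6 = frame[14:]
    if len(ip6) < 40 or ip6[0] >> 4 != 6:
        return None
    next_hdr, offset = ip6[6], 40
    while next_hdr in EXT_HEADERS:
        if len(ip6) < offset + 8:
            return None
        # Fragment header is a fixed 8 bytes; the others are (ext_len + 1) * 8.
        hdr_len = 8 if next_hdr == IPPROTO_FRAGMENT else (ip6[offset + 1] + 1) * 8
        next_hdr = ip6[offset]
        offset += hdr_len
    if next_hdr != IPPROTO_ICMPV6 or len(ip6) < offset + 4:
        return None
    return ip6[offset]


def is_router_advertisement(frame: bytes) -> bool:
    return icmpv6_type(frame) == ICMPV6_ROUTER_ADVERT


def port_filter(frame: bytes, router_facing: bool, dhcp_server_facing: bool) -> str:
    """Hypothetical per-port policy: server replies only from server-facing ports,
    RAs only from router-facing ports; everything else is permitted."""
    if is_dhcpv4_server_reply(frame) and not dhcp_server_facing:
        return "drop"
    if is_router_advertisement(frame) and not router_facing:
        return "drop"
    return "permit"


# --- constructed sample frames (MACs and addresses are made up) ----------------
def _eth(ethertype: int, payload: bytes) -> bytes:
    dst_mac = bytes.fromhex("333300000001")  # IPv6 all-nodes multicast MAC
    src_mac = bytes.fromhex("020000000001")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def _ipv6(next_hdr: int, payload: bytes, hop_limit: int = 255) -> bytes:
    src = b"\xfe\x80" + b"\x00" * 13 + b"\x01"   # fe80::1
    dst = b"\xff\x02" + b"\x00" * 13 + b"\x01"   # ff02::1 (all-nodes)
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, hop_limit) + src + dst + payload


def build_icmpv6_frame(icmp_type: int, with_hopopts: bool = False) -> bytes:
    # 16-byte ICMPv6 body laid out as an RA: type, code, checksum(0), cur hop
    # limit 64, M flag set, router lifetime 1800, reachable 0, retrans 0.
    body = struct.pack("!BBHBBHII", icmp_type, 0, 0, 64, 0x80, 1800, 0, 0)
    if with_hopopts:
        # Hop-by-Hop header: next=ICMPv6, ext len 0 (8 bytes total), PadN(4) option
        hopopts = struct.pack("!BBBB", IPPROTO_ICMPV6, 0, 1, 4) + b"\x00" * 4
        return _eth(ETH_P_IPV6, _ipv6(IPPROTO_HOPOPTS, hopopts + body))
    return _eth(ETH_P_IPV6, _ipv6(IPPROTO_ICMPV6, body))


def build_udp4_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 168, 1, 1]), bytes([255, 255, 255, 255]))
    return _eth(ETH_P_IPV4, ip + udp)


RA_PLAIN = build_icmpv6_frame(ICMPV6_ROUTER_ADVERT)
RA_BEHIND_HOPOPTS = build_icmpv6_frame(ICMPV6_ROUTER_ADVERT, with_hopopts=True)
NEIGHBOR_SOLICIT = build_icmpv6_frame(ICMPV6_NEIGHBOR_SOLICIT)
DHCPV4_OFFER = build_udp4_frame(DHCPV4_SERVER_PORT, DHCPV4_CLIENT_PORT, b"\x02" + b"\x00" * 239)
DNS_REPLY = build_udp4_frame(53, 40000, b"\x00" * 12)

if __name__ == "__main__":
    for name, frame in [("RA", RA_PLAIN), ("RA+hopopts", RA_BEHIND_HOPOPTS),
                        ("NS", NEIGHBOR_SOLICIT), ("DHCPv4 offer", DHCPV4_OFFER),
                        ("DNS reply", DNS_REPLY)]:
        print(f"{name:12s} on a plain host port: {port_filter(frame, False, False)}")
```

Run on a host-facing port (neither flag set), the RA frames and the DHCPv4 offer are dropped while the neighbor solicitation and the DNS reply pass. The extension-header walk is the part a port-number filter can never do: the same RA with a Hop-by-Hop header in front of it still has next-header 0 in the fixed IPv6 header, so a rule that only looked there would let it through.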
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------