On Sep 9, 2010, at 9:48 PM, Mikael Abrahamsson wrote:

> On Thu, 9 Sep 2010, Fred Baker wrote:
>> Does that solve all problems? obviously not. It does limit the impact of
>> certain classes of attacks. IP Source Guard, a feature from my company and
>> also from some others, is essentially the same thing for IPv4, and appears
>> to be popular in certain quarters.
>
> Exactly. DHCPv4 inspection, forced-forwarding etc, all these make IPv4
> deployable in low-cost L2 switch environment. This is the reason the same
> ISPs deploying the above would like to run completely without RAs (or at
> least block RAs from all customer ports) and rely completely on DHCPv6 for
> address hand-out, because then the L2 device can inspect this and implement
> filters.

In context, you might want to read

http://tools.ietf.org/html/draft-ietf-savi-dhcp
  "SAVI Solution for DHCP", Jun Bi, Jianping Wu, Guang Yao, Fred Baker,
  7-Sep-10

http://tools.ietf.org/html/draft-ietf-savi-fcfs
  "FCFS-SAVI: First-Come First-Serve Source-Address Validation for Locally
  Assigned Addresses", Erik Nordmark, Marcelo Bagnulo, Eric Levy-Abegnoli,
  12-Jul-10

http://tools.ietf.org/html/draft-ietf-savi-send
  "SEND-based Source-Address Validation Implementation", Marcelo Bagnulo,
  Alberto Garcia-Martinez, 13-May-10

We're not limited to controlling a host to a DHCP-assigned address; we can
also observe the device's behavior and protect addresses it allocates using
SLAAC and SEND.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
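
Added example, not part of the original message or of the SAVI drafts: a simplified Python model of the binding table an L2 switch could keep when it snoops DHCPv6 replies and applies first-come first-serve to SLAAC addresses seen in DAD probes. Class, method and port names are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and binding lifetimes and the drafts' state machines are omitted.

```python
import ipaddress


class SaviBindingTable:
    """Simplified source-address -> port binding table (hypothetical model)."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # ports facing DHCPv6 servers/routers
        self.bindings = {}                       # IPv6Address -> (port, how learned)

    def on_dhcpv6_reply(self, ingress_port, client_port, address):
        """Snooped DHCPv6 Reply: bind only if it arrived on a trusted port."""
        if ingress_port not in self.trusted_ports:
            return False                         # server message from a customer port
        self.bindings[ipaddress.IPv6Address(address)] = (client_port, "dhcpv6")
        return True

    def on_dad_probe(self, port, target):
        """Snooped DAD Neighbor Solicitation: the first port to claim wins."""
        addr = ipaddress.IPv6Address(target)
        owner = self.bindings.get(addr)
        if owner is None:
            self.bindings[addr] = (port, "fcfs")
            return True
        return owner[0] == port                  # a later claim elsewhere is refused

    def permit(self, port, source):
        """Data-plane filter: forward only if the source is bound to this port."""
        if port in self.trusted_ports:           # assumption: uplinks are not filtered
            return True
        owner = self.bindings.get(ipaddress.IPv6Address(source))
        return owner is not None and owner[0] == port


def demo():
    """Run constructed events through the table and return each filter decision."""
    sw = SaviBindingTable(trusted_ports={"uplink"})
    sw.on_dhcpv6_reply("uplink", "port1", "2001:db8::10")   # DHCPv6-assigned
    sw.on_dad_probe("port2", "2001:db8::abcd")              # SLAAC, first claimant
    sw.on_dad_probe("port3", "2001:db8::abcd")              # second claimant, refused
    return [
        sw.permit("port1", "2001:db8::10"),                 # bound owner
        sw.permit("port3", "2001:0db8:0:0:0:0:0:10"),       # same address, other port
        sw.permit("port2", "2001:db8::abcd"),               # FCFS owner
        sw.permit("port3", "2001:db8::abcd"),               # spoofed SLAAC address
        sw.on_dhcpv6_reply("port3", "port3", "2001:db8::99"),  # untrusted "server"
    ]


if __name__ == "__main__":
    print(demo())
```

Parsing addresses with `ipaddress.IPv6Address` means a spoofed source written in a different textual form still matches the existing binding.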