On 2010-09-22 14:03, Doug Barton wrote:
> On 9/21/2010 4:16 PM, Brian E Carpenter wrote:
>> we already have an IPv6 legacy
>
> As much as I wish it were otherwise, I don't think there is yet enough
> of a deployment at this point to really make this a show-stopper.
>
> But even if we do, I don't see any reason we couldn't have a no-ND
> solution in a greenfield deployment.
Yes, of course we could, after a certain amount of work on
DHCPv6 specs and products. Somebody who cares should probably write
up a draft on excatly what's needed. But my point is that any such
network still needs to deal with hosts that choose to generate ND and
RS packets. As I understood Mikael, he wanted to remove all snooping
of such packets from layer 2 devices. Well, if you do that, those
packets will still be there, and if they are a security risk, the
risk will still be there. And you'd probably still need to watch out
for rogue RA packets, because some hosts might be vulnerable to
them.
So I can certainly see how we could make ND/RA redundant for certain
types of managed network, but I don't see how we can behave as if
they don't exist, at least from a security viewpoint.
>
> Even the topic of this sub-thread indicates the disconnect between a
> still-large percentage of the operator community and the ND/RA zealots.
> The fact that it keeps coming up over and over should (at some point) be
> a sign that people who actually want to deploy IPv6 would like to be
> able to do it on a DHCP-only basis. No one is saying yank ND/RA out of
> the spec, just make it optional.
Once again, it isn't optional for certain types of deployment, and the same
is true for DHCPv6 of course. I don't think our set of RFC 2119 keywords
can quite capture this scenario-dependency.
Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
