On 2010-09-22 14:03, Doug Barton wrote:
> On 9/21/2010 4:16 PM, Brian E Carpenter wrote:
>> we already have an IPv6 legacy
>
> As much as I wish it were otherwise, I don't think there is yet enough
> of a deployment at this point to really make this a show-stopper.
>
> But even if we do, I don't see any reason we couldn't have a no-ND
> solution in a greenfield deployment.
Yes, of course we could, after a certain amount of work on DHCPv6 specs
and products. Somebody who cares should probably write up a draft on
exactly what's needed. But my point is that any such network still needs
to deal with hosts that choose to generate ND and RS packets. As I
understood Mikael, he wanted to remove all snooping of such packets from
layer 2 devices. Well, if you do that, those packets will still be
there, and if they are a security risk, the risk will still be there.
And you'd probably still need to watch out for rogue RA packets, because
some hosts might be vulnerable to them. So I can certainly see how we
could make ND/RA redundant for certain types of managed network, but I
don't see how we can behave as if they don't exist, at least from a
security viewpoint.

> Even the topic of this sub-thread indicates the disconnect between a
> still-large percentage of the operator community and the ND/RA zealots.
> The fact that it keeps coming up over and over should (at some point) be
> a sign that people who actually want to deploy IPv6 would like to be
> able to do it on a DHCP-only basis. No one is saying yank ND/RA out of
> the spec, just make it optional.

Once again, it isn't optional for certain types of deployment, and the
same is true for DHCPv6 of course. I don't think our set of RFC 2119
keywords can quite capture this scenario-dependency.

    Brian

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
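The point made above, that rogue RAs remain a risk on a "DHCPv6-only" link no matter what the layer 2 devices stop snooping, is what an RA Guard style filter exists to address. The following is an added example written for this page, not code from the thread, from any IETF draft, or from any product: a minimal rogue-RA checker that parses a raw IPv6 + ICMPv6 Router Advertisement (no Ethernet header and no extension headers, an assumption of the example), applies the RFC 4861 validity checks (link-local source, hop limit 255), compares the source and the advertised prefixes against an allowlist, and optionally flags Prefix Information options with the A flag set, which is what lets hosts SLAAC on a link the operator meant to run DHCPv6-only. The router addresses, prefixes, policy sets and packets are all constructed for the example; `build_ra` leaves the ICMPv6 checksum at zero because the packets are never transmitted.

```python
"""Minimal rogue Router Advertisement (RA) checker.

Added example, not code from the IETF thread or any product. It works on
raw IPv6 packets (no Ethernet header, no extension headers) and flags an
RA whose source, advertised prefixes, or SLAAC settings violate a local
policy. All addresses, prefixes and packets below are constructed.
"""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_RA = 134          # Router Advertisement (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 section 4.6.2)
PFX_FLAG_ONLINK = 0x80   # L flag
PFX_FLAG_AUTO = 0x40     # A flag: hosts may form SLAAC addresses from this prefix


def parse_ipv6(pkt):
    """Split a raw IPv6 packet into (src, dst, next_header, hop_limit, payload)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + payload_len:
        raise ValueError("payload shorter than the header claims")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, next_hdr, hop_limit, pkt[40:40 + payload_len]


def parse_ra_prefixes(body):
    """Return [(network, on_link, autonomous), ...] from the options of an RA body."""
    if len(body) < 16 or body[0] != ICMPV6_RA:
        raise ValueError("not a well-formed Router Advertisement")
    prefixes = []
    off = 16                              # fixed RA header: type .. retrans timer
    while off + 2 <= len(body):
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0:                  # invalid per RFC 4861 4.6; also prevents an endless loop
            raise ValueError("zero-length ND option")
        end = off + opt_len * 8
        if end > len(body):
            raise ValueError("ND option overruns packet")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            prefix_len, flags = body[off + 2], body[off + 3]
            addr = ipaddress.IPv6Address(body[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
            prefixes.append((net, bool(flags & PFX_FLAG_ONLINK), bool(flags & PFX_FLAG_AUTO)))
        off = end                         # unknown options are skipped, as RFC 4861 requires
    return prefixes


def check_ra(pkt, allowed_routers, allowed_prefixes, allow_slaac=True):
    """Return a list of policy findings for pkt; an empty list means the RA is acceptable.

    Non-RA packets yield no findings. allowed_routers is a set of link-local
    IPv6Address objects, allowed_prefixes a set of IPv6Network objects.
    """
    src, _dst, next_hdr, hop_limit, body = parse_ipv6(pkt)
    if next_hdr != IPPROTO_ICMPV6 or len(body) < 1 or body[0] != ICMPV6_RA:
        return []
    findings = []
    # RFC 4861 section 6.1.2: hosts must discard RAs that fail these checks.
    if not src.is_link_local:
        findings.append(f"source {src} is not link-local")
    if hop_limit != 255:
        findings.append(f"hop limit {hop_limit} is not 255 (forwarded or forged)")
    if src not in allowed_routers:
        findings.append(f"unauthorized router {src}")
    for net, _on_link, autonomous in parse_ra_prefixes(body):
        if net not in allowed_prefixes:
            findings.append(f"unauthorized prefix {net}")
        if autonomous and not allow_slaac:
            findings.append(f"prefix {net} has the A flag set; hosts would SLAAC on a DHCPv6-only link")
    return findings


def build_ra(src, prefix, hop_limit=255, pfx_flags=PFX_FLAG_ONLINK | PFX_FLAG_AUTO):
    """Construct an RA packet for testing (checksum left zero; never transmitted)."""
    net = ipaddress.IPv6Network(prefix)
    # RA header: type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer.
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    # Prefix Information option: type, len (8-octet units), prefix length, flags,
    # valid lifetime, preferred lifetime, reserved, prefix.
    body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pfx_flags,
                        2592000, 604800, 0) + net.network_address.packed
    hdr = struct.pack("!IHBB", 6 << 28, len(body), IPPROTO_ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + body


if __name__ == "__main__":
    routers = {ipaddress.IPv6Address("fe80::1")}
    prefixes = {ipaddress.IPv6Network("2001:db8:1::/64")}
    print(check_ra(build_ra("fe80::1", "2001:db8:1::/64"), routers, prefixes))
    print(check_ra(build_ra("fe80::bad", "2001:db8:666::/64", hop_limit=64), routers, prefixes))
```

Two design points worth noting. The `allow_slaac=False` path is the one that matters for the DHCP-only argument: an RA from the legitimate router with a correct prefix is still a policy violation if it carries the A flag, because hosts will autoconfigure regardless of what the operator intended. And the zero-length option check is not pedantry: an ND option parser that trusts the length field is exactly the kind of host code that a rogue RA can drive into a loop or past the end of the packet, which is the "some hosts might be vulnerable to them" case.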