On Wed, 22 Sep 2010, Brian E Carpenter wrote:

> RS packets. As I understood Mikael, he wanted to remove all snooping
> of such packets from layer 2 devices. Well, if you do that, those
> packets will still be there, and if they are a security risk, the
> risk will still be there. And you'd probably still need to watch out
> for rogue RA packets, because some hosts might be vulnerable to
> them.

I want to stop snooping them, yes, but I also want to filter them completely.

Right now, if we were to deploy IPv6 in an ETTH environment, we would either do it with Link Local only between us and the WAN port on the customer (M and O bits set in the RA), and use DHCPv6-PD to hand out IP addresses to the customer, and the CPE router would need to be able to use the weak host model to send packets to the Internet. The L2 network would have to inspect/filter unwanted packets, such as any packets not originated from the DHCPv6-PD prefix handed out, but it would still have to allow all LL traffic needed for the ND machinery to work. This model doesn't need anything changed for hosts/routers, but needs quite a lot of enhancements in the L2 network.

Another model is the one I proposed here, where DHCPv6 is allowed to configure everything on the host needed for Internet connectivity. This requires minor changes in the DHCPv6 implementation and also perhaps in the ND state machinery (remove all dynamics). It means the L2 network won't have to do any ND state machinery inspection at all, it only needs to look into DHCPv6.

> So I can certainly see how we could make ND/RA redundant for certain
> types of managed network, but I don't see how we can behave as if
> they don't exist, at least from a security viewpoint.

Of course not.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
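The first model Mikael describes (allow link-local ND and DHCPv6, drop everything not sourced from the DHCPv6-PD prefix, and, per Brian's point, never accept an RA from the customer side) as an added example of the per-port L2 filter logic; this is not code from the thread or from any vendor, and the `Packet` class, the sample traffic and the documentation prefix `2001:db8:1::/48` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")   # source of DAD neighbour solicitations
DHCPV6_PORTS = {546, 547}                   # DHCPv6 client / server-relay
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}


@dataclass
class Packet:
    # Constructed minimal view of an IPv6 packet entering the L2 network on a customer port.
    src: str
    dst: str
    proto: str            # "icmpv6" or "udp"
    icmp_type: int = 0
    dport: int = 0


def customer_ingress_filter(pkt: Packet, delegated_prefix: str) -> tuple[bool, str]:
    """Return (allow, reason). Link-local ND and DHCPv6 pass so the ND machinery
    keeps working; an RA is never legitimate from a customer port; anything else
    must be sourced from the prefix delegated to this port via DHCPv6-PD."""
    src = ipaddress.IPv6Address(pkt.src)
    if pkt.proto == "icmpv6" and pkt.icmp_type in ND_TYPES:
        if pkt.icmp_type == 134:
            return False, "rogue RA from customer port"
        if src in LINK_LOCAL or src == UNSPECIFIED:
            return True, f"link-local {ND_TYPES[pkt.icmp_type]}"
        return False, "ND message with non-link-local source"
    if pkt.proto == "udp" and pkt.dport in DHCPV6_PORTS and src in LINK_LOCAL:
        return True, "DHCPv6"
    if src in ipaddress.IPv6Network(delegated_prefix):
        return True, "source inside delegated prefix"
    return False, "source outside delegated prefix"


# Constructed sample traffic for one port; 2001:db8:1::/48 is its (documentation) delegated prefix.
DELEGATED = "2001:db8:1::/48"
SAMPLES = [
    Packet("fe80::1", "ff02::2", "icmpv6", icmp_type=133),          # RS towards routers: allow
    Packet("fe80::1", "ff02::1", "icmpv6", icmp_type=134),          # RA from customer: drop
    Packet("::", "ff02::1:ff00:1", "icmpv6", icmp_type=135),        # DAD NS: allow
    Packet("fe80::1", "ff02::1:2", "udp", dport=547),               # DHCPv6 Solicit: allow
    Packet("2001:db8:1:7::1", "2001:db8:9::1", "udp", dport=53),    # inside delegated prefix: allow
    Packet("2001:db8:ffff::1", "2001:db8:9::1", "udp", dport=53),   # spoofed source: drop
]


def filter_samples() -> list[bool]:
    """Run every constructed sample through the filter and return the verdicts."""
    return [customer_ingress_filter(p, DELEGATED)[0] for p in SAMPLES]
```

The second model in the thread removes this per-port ND inspection entirely and leaves only the DHCPv6 branch for the L2 network to look at.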
