In your letter dated Tue, 31 May 2011 12:28:01 +0200 (CEST) you wrote:
>On Tue, 31 May 2011, Philip Homburg wrote:
>> No, ND is more clever than that. All traffic between prefixes that are
>> on-link goes directly between the hosts. Even when the prefix is
>> off-link it is possible for the router to send a redirect ICMP to cause
>> further traffic to be directly between the hosts.
>
>I hope there is a recommendation in the standard to have a knob to turn
>this off? With security functions like forced-forwarding and alike, I'd
>definitely not want the hosts to try to communicate directly between each
>other.

A prefix only becomes on-link if there is a prefix option that says so.

Of course, absent secure ND, any host can fake a redirect ICMP. So you
either need SEND or L2 devices that filter ICMPs. But you need that anyhow.

>I was under the impression that if I don't announce an on-link prefix at
>all, and just do DHCPv6, the hosts would not try to communicate with
>each other directly (ie there is no routing to support this function).
>You're saying my presumption is not true?

If the prefix is not announced as on-link then hosts have to send their
packets to a default router until they get a redirect.

>Why would a host try to do ND for something that is not on-link according
>to its routing table?

I was not implying that hosts would do that without a router announcing the
prefix as on-link. I just wanted to make clear that IPv6 *supports* direct
communication between hosts that use addresses from different prefixes.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
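The thread turns on two mechanisms from RFC 4861: a prefix enters a host's Prefix List only when a Router Advertisement carries a Prefix Information Option with the L (on-link) bit set, and a host sends everything else to its default router until a Redirect arrives, whose receiver-side checks are only address comparisons unless SEND or L2 filtering is in place. The following Python is an added illustration, not code from this thread or from any IETF implementation: it parses a constructed RA, builds the Prefix List from the L bit, performs the next-hop decision for a few destinations, and applies the RFC 4861 section 8.1 Redirect validation. The RA bytes, prefixes and router addresses are constructed sample values (documentation prefixes), and the function names are this example's own.

```python
"""Decode the on-link information a host takes from an ICMPv6 Router
Advertisement (RFC 4861) and derive the first-hop decision for a destination.
Added example; sample packet bytes are constructed, not captured."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134        # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3           # Prefix Information Option (PIO), 32 bytes
RA_FLAG_MANAGED = 0x80        # M flag: addresses via DHCPv6
PIO_FLAG_ONLINK = 0x80        # L flag: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40    # A flag: SLAAC permitted
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # always on-link


def parse_router_advert(ra: bytes) -> dict:
    """Parse the 16-byte RA header and every PIO that follows it."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT or ra[1] != 0:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", ra, 4)
    prefixes, off = [], 16
    while off < len(ra):
        if off + 2 > len(ra):
            raise ValueError("truncated ND option header")
        opt_type, opt_len = ra[off], ra[off + 1]
        if opt_len == 0:                       # RFC 4861 7.1.2: discard the packet
            raise ValueError("zero-length ND option")
        size = opt_len * 8
        if off + size > len(ra):
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", ra, off + 2)
            addr = ipaddress.IPv6Address(ra[off + 16:off + 32])
            prefixes.append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "onlink": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += size                            # unknown option types are skipped
    return {"managed": bool(flags & RA_FLAG_MANAGED),
            "router_lifetime": router_lifetime, "prefixes": prefixes}


def onlink_prefixes(parsed: dict) -> list:
    """Only PIOs with L=1 and a non-zero valid lifetime enter the Prefix List."""
    return [p["prefix"] for p in parsed["prefixes"]
            if p["onlink"] and p["valid_lifetime"] > 0]


def first_hop(dest: str, prefix_list: list, default_router: str) -> str:
    """RFC 4861 5.2 next-hop determination: an on-link destination is resolved
    directly with NS/NA; anything else goes to the default router until a
    Redirect says otherwise."""
    d = ipaddress.IPv6Address(dest)
    if d in LINK_LOCAL or any(d in net for net in prefix_list):
        return dest
    return default_router


def redirect_accepted(src: str, hop_limit: int, code: int,
                      target: str, dest: str, current_first_hop: str) -> bool:
    """RFC 4861 8.1 receiver checks for a Redirect. The final check is just an
    address comparison, which is why the thread points at SEND (RFC 3971) or
    L2 ICMPv6 filtering as the actual protection."""
    s, t, d = (ipaddress.IPv6Address(x) for x in (src, target, dest))
    return (s.is_link_local and hop_limit == 255 and code == 0
            and (t.is_link_local or t == d)
            and s == ipaddress.IPv6Address(current_first_hop))


def build_pio(prefix: str, onlink: bool, autonomous: bool,
              valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Encode one Prefix Information Option (used only to build the sample RA)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (PIO_FLAG_ONLINK if onlink else 0) | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    return (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                        valid, preferred, 0) + net.network_address.packed)


# Constructed sample RA: M=1 (DHCPv6 for addresses), one prefix announced
# on-link, one announced without the L bit (the "just do DHCPv6" case).
# Checksum is left at zero; this example decodes, it does not verify.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, RA_FLAG_MANAGED, 1800, 0, 0)
    + build_pio("2001:db8:1::/64", onlink=True, autonomous=True)
    + build_pio("2001:db8:2::/64", onlink=False, autonomous=False)
)

if __name__ == "__main__":
    plist = onlink_prefixes(parse_router_advert(SAMPLE_RA))
    print("Prefix List:", [str(n) for n in plist])
    for dst in ("2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::10"):
        print(dst, "->", first_hop(dst, plist, "fe80::1"))
```

Run as a script, the 2001:db8:1::/64 destination is resolved directly while both other destinations are handed to the default router, matching the thread's point that a prefix without the L bit never produces host-to-host ND, but a Redirect can later shorten the path.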