On Wed, 22 Jun 2011, Mark Smith wrote:

> It may be getting to the point where it'd probably be easier to address these issues by taking away hosts' ability to multicast to other hosts on the same segment i.e. switch to an NBMA/hub-and-spoke mode of LAN operation, allowing the designated routers to also act as traffic sanitisers for on-link inter-host traffic.

I agree, that's the deployment model I advocate for hostile scenarios. Use DHCPv6 for stateful addressing, advertise default GW via RA, don't advertise any on-link prefix, and make sure hosts can't L2 communicate at all with each other by means of enforcement in switches (or just separate them into different L2 domains).

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
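
Added example, not part of the original message: a check that a captured ICMPv6 Router Advertisement matches the deployment model described in the reply (M flag set for stateful DHCPv6, a default gateway advertised, no Prefix Information option with the on-link flag set). The build_ra helper and the sample values are constructed for illustration, and the field layout follows RFC 4861.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3   # ICMPv6 type / option type (RFC 4861)
FLAG_M, PIO_FLAG_L = 0x80, 0x80     # Managed flag in RA; on-link flag in PIO

def audit_ra(msg: bytes) -> list[str]:
    """Return policy findings for one Router Advertisement (ICMPv6 payload)."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = msg[5]
    (lifetime,) = struct.unpack_from("!H", msg, 6)
    findings = []
    if not flags & FLAG_M:
        findings.append("M flag clear: hosts are not told to use stateful DHCPv6")
    if lifetime == 0:
        findings.append("router lifetime 0: no default gateway advertised")
    off = 16                                  # options start after fixed header
    while off < len(msg):
        # Option length is counted in units of 8 bytes; 0 is invalid.
        opt_len = msg[off + 1] * 8 if off + 1 < len(msg) else 0
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        if msg[off] == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = msg[off + 2], msg[off + 3]
            if pflags & PIO_FLAG_L:
                prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
                findings.append(f"on-link prefix advertised: {prefix}/{plen}")
        off += opt_len
    return findings

def build_ra(flags, lifetime, pio=None):
    """Construct sample RA bytes (hypothetical helper; checksum left at 0)."""
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, lifetime, 0, 0)
    if pio:
        prefix, plen, pflags = pio
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags,
                           86400, 14400, 0)
        msg += ipaddress.IPv6Address(prefix).packed
    return msg

# Constructed samples: one RA following the model, one conventional SLAAC RA.
COMPLIANT = build_ra(FLAG_M, 1800)
LEGACY = build_ra(0x00, 1800, ("2001:db8:1::", 64, 0xC0))

if __name__ == "__main__":
    for name, ra in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        print(name, audit_ra(ra) or "OK")
```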
