Mark and Mikael,

> -----Original Message-----
> From: v6ops-boun...@ietf.org [mailto:v6ops-boun...@ietf.org] On Behalf Of Mikael Abrahamsson
> Sent: Wednesday, June 22, 2011 4:42 AM
> To: ipv6@ietf.org
> Cc: v6...@ietf.org
> Subject: Re: [v6ops] Question regarding RA-Guard evasion (ND and extension headers)
>
> On Wed, 22 Jun 2011, Mark Smith wrote:
>
> > It may be getting to the point where it'd probably be easier to address
> > these issues by taking away hosts' ability to multicast to other hosts
> > on the same segment i.e. switch to an NBMA/hub-and-spoke mode of LAN
> > operation, allowing the designated routers to also act as traffic
> > sanitisers for on-link inter-host traffic.

That's just how ISATAP works when the advertising ISATAP routers do not advertise on-link IPv6 prefixes. However, the advertising ISATAP routers can also send ICMPv6 Redirects - which is really still in keeping with your characterization of "traffic sanitiser".

> I agree, that's the deployment model I advocate for hostile scenarios. Use
> DHCPv6 for stateful addressing, advertise default GW via RA, don't
> advertise any on-link prefix,

That's exactly the model I had in mind for ISATAP.

> and make sure hosts can't L2 communicate at
> all with each other by means of enforcement in switches (or just separate
> them into different L2 domains).

This would certainly enforce a true hub-and-spokes, but may be overly restrictive in some environments. For example, if a host has a way of knowing at L2 that a packet has come from a trusted router and not an anonymous node on the link then there may not be such a strong requirement for L2 segregation. ISATAP provides such a means.

Thanks - Fred
fred.l.temp...@boeing.com

> --
> Mikael Abrahamsson    email: swm...@swm.pp.se

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
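
An added example, not part of the thread: a Python check that a captured Router Advertisement matches the deployment model discussed above (M flag set so hosts use DHCPv6, non-zero router lifetime so the router is a default gateway, no Prefix Information option carrying the on-link flag). The function names and sample packets are constructed for illustration, and the ICMPv6 checksum is assumed to have been verified elsewhere.

```python
import struct

RA_TYPE = 134         # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3   # Prefix Information option

def audit_ra(icmp6: bytes) -> list:
    """Return findings where an RA departs from the model in the thread."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]                                  # M = 0x80, O = 0x40
    (router_lifetime,) = struct.unpack_from("!H", icmp6, 6)
    findings = []
    if not flags & 0x80:
        findings.append("M flag clear: hosts are not directed to DHCPv6")
    if router_lifetime == 0:
        findings.append("router lifetime 0: sender is not a default router")
    off = 16                                          # options follow the fixed header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            findings.append("malformed option")
            break
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and icmp6[off + 3] & 0x80:
            findings.append("prefix advertised with the on-link (L) flag")
        off += opt_len
    return findings

# Constructed sample packets (checksum field left as zero).
def build_ra(flags: int, lifetime: int, options: bytes = b"") -> bytes:
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, lifetime, 0, 0) + options

def build_pio(pio_flags: int) -> bytes:
    prefix = bytes.fromhex("20010db8" + "00" * 12)    # 2001:db8::/64, documentation prefix
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, pio_flags, 86400, 14400, 0) + prefix

if __name__ == "__main__":
    print(audit_ra(build_ra(0x80, 1800)))                   # conforms to the model
    print(audit_ra(build_ra(0x00, 1800, build_pio(0xC0))))  # SLAAC-style RA with on-link prefix
```
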