On Jun 22, 2011, at 8:25 PM, Mark Smith wrote:
> You're right, with Ethernet being the wrong protocol.

Well, let's be clear here: Ethernet is apparently the wrong protocol *for you*.
You should be running 802.1x, not plain ethernet, because you have specific
needs that make plain ethernet an inappropriate choice for you.

But that wasn't what I was talking about. IPv6 has to work on ethernet.
IPv6 multicast is useful, and we (at least, some of us) want it to work. The
solution to the rogue RA problem is not to get rid of ethernet (or at least, so
I claim). Moreover, even supposing we could get rid of ethernet in the sense
that you mean, that would simply paper over the problem, not solve it. If we
want a secure network, we have to use secure protocols. Firewalls are a great
second-level defense (and your hub-and-spoke model is basically a firewall).
But they do not make your network secure: they simply make it harder to attack.

So if in fact it is impossible for RA to be adequately secured on an ethernet, 
then we need to fix RA, or come up with a different solution, not slap a 
bandage on it and call it done.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
