On Wed, 13 Jul 2011, Florian Weimer wrote:

>> Think as an ISP. We do not stateful firewall our customers, and we
>> might be forced to have equipment in the customer /64, at least
>> initially.
>
> Could you rephrase that?

Our central (for some definition of central) equipment might have to be the default gw of the devices residing in the customer /64.

To scale, I of course want to have a LL only between my central equipment and a CPE, and DHCPv6-PD it a /56 and don't have to care about how many devices the customer has in his/her home, but a lot of people say requiring a CPE to deploy IPv6 is a showstopper so that most likely will not happen initially.

> If you're in the IPv4 consumer market, I'm pretty sure you provide stateful filtering for customers. (The filter probably resides on the CPE.) It's possible to do things differently with IPv6, but customers will probably not like it.

No, we do not provide stateful filtering. We a lot of the time don't even provide a CPE. Customer can connect their computer directly into the wall RJ45 and get an IPv4 address today.

When looking at deploying IPv6 in this scenario, we'd like to put each customer in a separate /64 so we don't have to deal with a lot of the security issues seen when sharing L2 domain between several customers, but we'd still have to limit the amount of IPv6 addresses the customer can have "active" due to ND table size limitations (if our central equipment is the default gw on the customer LAN). This is even without any ddos discussion, this is just normal operations.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------