Re: IPv6 first hop security on a budget?

2017-11-10 Thread joel jaeggli
On 11/11/17 09:14, Fernando Gont wrote:
> On 05/05/2017 08:27 PM, Joel Whitehouse wrote:
>> What's a good budget option for switching a small lab or office ipv6
>> with RA Guard, DHCP6 snooping, and ICMP6 snooping?
>>
> 
> If you do deploy this, please take a look at the issues discussed in
> RFC7113. Similar stuff is likely to apply to DHCPv6 snooping et al.

Experiences vary; if you're looking to experience them first hand, warts,
implementation details and all, the Juniper ex2300c and Cisco 3560cx are both
small variants of both providers' lower-end layer2/3 switches and are
relatively inexpensive, fairly feature-rich platforms.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_3_e/configuration/guide/b_1523e_consolidated_2960cx_3560cx_cg/b_consolidated_152ex_2960-X_cg_chapter_011.pdf

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/router-advertisement-guard-edit-fo.html

joel

> Thanks!
> 
> Best regards,
> 



Re: IPv6 first hop security on a budget?

2017-11-10 Thread Saku Ytti
Not suggesting there is no use case of RA Guard, DHCP6 Snooping, ICMP6
snooping, as I deployed IPv4 equivalent pretty much the day they were
available on 3560.

You might want to consider de-perimeterisation. Do you offer a way to
connect to the intranet from the Internet? If so, why not use the same method
in the office, and have equivalent 0 trust on office infra? An additional
benefit is OPEX reduction by not having users submit tickets 'X works
from VPN but not from office' and vice versa.

On 6 May 2017 at 08:27, Joel Whitehouse wrote:
> What's a good budget option for switching a small lab or office ipv6 with RA
> Guard, DHCP6 snooping, and ICMP6 snooping?



-- 
  ++ytti


Re: IPv6 first hop security on a budget?

2017-11-10 Thread Fernando Gont
On 05/05/2017 08:27 PM, Joel Whitehouse wrote:
> What's a good budget option for switching a small lab or office ipv6
> with RA Guard, DHCP6 snooping, and ICMP6 snooping?
> 

If you do deploy this, please take a look at the issues discussed in
RFC7113. Similar stuff is likely to apply to DHCPv6 snooping et al.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492






RE: IPv6 first hop security on a budget?

2017-05-08 Thread Krunal Shah
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/data_sheet_c78-728232.html






Krunal Shah
Network Analyst, IP & Transport Network Engineering
O: 416-855-1805
ks...@primustel.ca







-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Joel Whitehouse
Sent: Friday, May 05, 2017 7:27 PM
To: nanog@nanog.org
Subject: IPv6 first hop security on a budget?

What's a good budget option for switching a small lab or office ipv6 with RA 
Guard, DHCP6 snooping, and ICMP6 snooping?



