Re: IPv6 delivery model to end customers

2009-02-10 Thread Marshall Eubanks
On Feb 10, 2009, at 9:01 AM, TJ wrote: My pleasure, now everyone - feel free to ring up your local sales/support rep and "encourage" their product to implement this ... please! What about "DHCPv6 / DHCPV6-PD" sniffing (and using that info to create L3 filter rules in L2 devices), is a s

RE: IPv6 delivery model to end customers

2009-02-10 Thread TJ
>> My pleasure, now everyone - feel free to ring up your local sales/support rep and "encourage" their product to implement this ... please!
> What about "DHCPv6 / DHCPV6-PD" sniffing (and using that info to create L3 filter rules in L2 devices), is a standard needed or is it obvious to ve

RE: IPv6 delivery model to end customers

2009-02-09 Thread Mikael Abrahamsson
On Mon, 9 Feb 2009, TJ wrote: My pleasure, now everyone - feel free to ring up your local sales/support rep and "encourage" their product to implement this ... please! What about "DHCPv6 / DHCPV6-PD" sniffing (and using that info to create L3 filter rules in L2 devices), is a standard needed

RE: IPv6 delivery model to end customers

2009-02-09 Thread TJ
>> http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
> Thanks for pointing us to this. It's encouraging to know that it is being worked on.
My pleasure, now everyone - feel free to ring up your local sales/support rep and "encourage" their product to implement this ... please!
/TJ

RE: IPv6 delivery model to end customers

2009-02-09 Thread Soucy, Ray
> Indeed, this is a problem.
> RA Guard is a very straight-forward, hopefully soon-to-be-widely-supported, defense.
> http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
Thanks for pointing us to this. It's encouraging to know that it is being worked on.
Ray

RE: IPv6 delivery model to end customers

2009-02-09 Thread TJ
>> So Cisco (and other vendors) needs to introduce two things for LAN switching. DHCPv6 snooping, and more importantly, RA suppression (or RA snooping).
> For IOS, have you tried the command:
> int gi0/1
>  ipv6 nd ra suppress
That stops your router from sending any RAs. Does nothing to p

RE: IPv6 delivery model to end customers

2009-02-09 Thread TJ
> A big one is a solution to address the security concerns with IPv6 RA (Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the option of using DHCP snooping to suppress unauthorized DHCP servers from handing out address information. With IPv6, any host can announce itself as a rout

Re: IPv6 delivery model to end customers

2009-02-09 Thread Mark Tinka
On Monday 09 February 2009 10:21:24 pm Soucy, Ray wrote:
> So Cisco (and other vendors) needs to introduce two things for LAN switching. DHCPv6 snooping, and more importantly, RA suppression (or RA snooping).
For IOS, have you tried the command:
int gi0/1
 ipv6 nd ra suppress
Cheers, Mark.

RE: IPv6 delivery model to end customers

2009-02-09 Thread Soucy, Ray
> It's scenario 2 I'm worried about, all those mechanisms haven't been implemented for IPv6 as far as I know and if you're only doing 2.2-2.5 then you're open to the IPv6 security issue I described.
We've been seeing problems with this for the last year or so (since Vista started showing up)

RE: IPv6 delivery model to end customers

2009-02-09 Thread Mikael Abrahamsson
On Mon, 9 Feb 2009, Pekka Savola wrote: I may be missing something. "only have ethernet and IP". Why is plain-ethernet with each subscriber provisioned in a separate router's vlan subinterface insufficient? There is no security issue because each subscriber only sees its own traffic. It's

RE: IPv6 delivery model to end customers

2009-02-09 Thread Pekka Savola
On Sat, 7 Feb 2009, Mikael Abrahamsson wrote: But I wasn't talking (A)DSL. DSL is last century. I am talking VDSL2/ETTH. Security model there is to only have ethernet and IP, no PPP/ATM, no L2TPv3 or PPPoE. Let's skip the terms BRAS/LNS etc. Anything that terminates tunnels is expensive (apart

RE: IPv6 delivery model to end customers

2009-02-08 Thread TJ
> I didn't know where to jump in in the current discussion and what I wanted to discuss was quite general, so I thought I'd create a new thread instead.
And the right move, IMHO! (FWIW)
> So, anyone saying IPv6 is ready for prime-time wherever IPv4 is used, has a very simplified view of the wor

RE: IPv6 delivery model to end customers

2009-02-07 Thread John Lee
for fuller deployment of IPv6 to residential customers. John From: Mikael Abrahamsson [swm...@swm.pp.se] Sent: Saturday, February 07, 2009 1:12 PM To: John Lee Cc: nanog@nanog.org Subject: RE: IPv6 delivery model to end customers On Sat, 7 Feb 2009, John

RE: IPv6 delivery model to end customers

2009-02-07 Thread Mikael Abrahamsson
On Sat, 7 Feb 2009, John Lee wrote: My IPv4 only deployment in 2001 used DSLAMs that had limited number of active CPEs and DS3/T3 upstreams to the network. We used front end Fore/Marconi ATM switches in front of Redback aggregation switches connecting to Cisco 6509s and then GSR 12012s as the

RE: IPv6 delivery model to end customers

2009-02-07 Thread John Lee
Michael, From my work in access networks they are: IPv6 native support for: Routed Access - Ethernet or Wireless, global prefix under the main or dot1Q isl encapsulated sub-interfaces. For DSL and ATM PVCs routed RFC 2684 encapsulation with a different IPv6 prefix for each one of the PVCs.

Re: IPv6 delivery model to end customers

2009-02-07 Thread Jack Bates
If you didn't see it in last thread, http://geekmerc.livejournal.com/699.html may provide some information for you, but I can tell from your concerns that your current choice of edge layouts is different than mine. As such, more below. Mikael Abrahamsson wrote: Now, take for instance the resid

Re: IPv6 delivery model to end customers

2009-02-07 Thread Nathan Ward
On 7/02/2009, at 8:45 PM, Mikael Abrahamsson wrote: So, what is the security problem with IPv6 in an IPv4 network? Well, imagine an IPv4 network where security is done via ARP inspection, DHCP snooping and L3 ACLs. Now, insert rogue customer who announces itself via RA/DHCPv6 and says it's