Mailing List Archive: nsp: ipv6

Re: IPv6 link-layer security (Was: Dual stack hotspot/captive portal)



martin at millnert

Feb 24, 2011, 7:23 AM

Post #1 of 2 (528 views)
Re: IPv6 link-layer security (Was: Dual stack hotspot/captive portal)

On Thu, 2011-02-24 at 03:20 +0100, Mikael Abrahamsson wrote:
> DHCPv6 is basically a must in any security minded network (otherwise
> you have to do /64 single broadcast domain per user). All clients will
> have to support it eventually to work properly.

DHCPv6 is obviously not sufficient in itself to provide a security
minded network. You need various forms of state and filtering in your
access equipment on top of it to create a virtual separation of users in
the broadcast domain (ND state/filtering, RA guard (RFC 6105), etc).

OTOH, actually doing a single broadcast domain per user removes these
issues, simplifies logging, etc. This with potentially a great deal less
fewer lines of code required in access switches, unless you push L3 routing
out to the access devices themselves, in which case you get other
bonuses such as more optimal routing, and can overcome multiple paths
problems of larger Ethernet domains as well (STP, etc).

In the case of WLAN access points, they too can create a logical
broadcast domain per user if they do link layer encryption with unique
keys.

While a single broadcast domain per user is no one-stop solution for all
types of network, it is certainly an alternative that should be
seriously considered in many situations, especially if you are able to
redesign from the ground up, without having IPv4 constraints limit your
network's potential.

Regards,
Martin
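Added example, not from Martin's post or any vendor's code: a small Python model of the per-port ND state and RA guard filtering his reply describes (RFC 6105), run over constructed sample frames. Port names, MAC addresses and the binding-table layout are assumptions for illustration.

```python
from dataclasses import dataclass

ROUTER_ADVERTISEMENT, NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT = 134, 135, 136

@dataclass
class Frame:
    port: str         # ingress switch port (hypothetical names such as "gi0/1")
    src_mac: str
    src_ip: str       # IPv6 source address; "::" is the unspecified address
    icmpv6_type: int  # 0 means "not an ND message"

class AccessPortFilter:
    """RA guard plus a per-port ND binding table, in the spirit of RFC 6105."""

    def __init__(self, router_ports):
        self.router_ports = set(router_ports)
        self.bindings = {}  # (port, mac) -> set of IPv6 addresses bound to it

    def bind(self, port, mac, addr):
        """Record a legitimate address, e.g. from a DHCPv6 lease or completed DAD."""
        self.bindings.setdefault((port, mac), set()).add(addr)

    def verdict(self, f):
        # Only router-facing ports may send Router Advertisements.
        if f.icmpv6_type == ROUTER_ADVERTISEMENT and f.port not in self.router_ports:
            return "drop:ra-guard"
        # NS/NA must carry a source address bound to the sending port and MAC;
        # a DAD probe from "::" has no binding yet and is let through.
        if f.icmpv6_type in (NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT):
            if f.src_ip != "::" and f.src_ip not in self.bindings.get((f.port, f.src_mac), set()):
                return "drop:nd-binding"
        return "forward"

def demo():
    """Run constructed sample frames through the filter and return the verdicts."""
    flt = AccessPortFilter(router_ports=["uplink0"])
    flt.bind("gi0/1", "00:11:22:33:44:01", "fe80::1")
    flt.bind("gi0/2", "00:11:22:33:44:02", "fe80::2")
    frames = [  # constructed, not captured traffic
        Frame("uplink0", "00:aa:bb:cc:dd:ee", "fe80::ffff", ROUTER_ADVERTISEMENT),  # the real router
        Frame("gi0/2", "00:11:22:33:44:02", "fe80::2", ROUTER_ADVERTISEMENT),       # RA from a host port
        Frame("gi0/1", "00:11:22:33:44:01", "fe80::1", NEIGHBOR_SOLICITATION),      # bound address
        Frame("gi0/1", "00:11:22:33:44:01", "::", NEIGHBOR_SOLICITATION),           # DAD probe
        Frame("gi0/2", "00:11:22:33:44:02", "fe80::1", NEIGHBOR_ADVERTISEMENT),     # address bound elsewhere
        Frame("gi0/2", "00:11:22:33:44:02", "2001:db8::2", 0),                       # ordinary traffic
    ]
    return [flt.verdict(f) for f in frames]
```

The binding table is the "state" Martin refers to: without it, a switch cannot tell a legitimate neighbour advertisement from one claiming another port's address.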


swmike at swm

Feb 24, 2011, 8:52 AM

Post #2 of 2 (488 views)
Re: IPv6 link-layer security (Was: Dual stack hotspot/captive portal) [In reply to]

On Thu, 24 Feb 2011, Martin Millnert wrote:

> While a single broadcast domain per user is no one-stop solution for all
> types of network, it is certainly an alternative that should be
> seriously considered in many situations, especially if you are able to
> redesign from the ground up, without having IPv4 constraints limit your
> network's potential.

Even IPv4 networks can be designed this way. There is plenty of equipment
which supports having an IPv4 subnet divided up into several different
broadcast domains.

RFC3069.

--
Mikael Abrahamsson email: swmike [at] swm
