On Thu, 9 Sep 2010, Brian E Carpenter wrote:
> I can't see why that would be a problem for an operator who uses DHCPv6 as their supported mechanism.
I'm sure there are a lot in the IETF that agree with you that they don't understand why it's a problem, because the IETF has historically been totally uninterested in security in development.
If one uses RA, then things like RA guard, RA inspection etc. (SAVI) have to work to do this securely in L2 aggregation. If DHCPv6 could be used alone, then no intelligence for RA needs to be done, you just filter/drop it and a lot of problems go away.
It's the lack of understanding about deployment issues in the IETF that is making IPv6 hard to deploy for ISPs today. We're not lazy; it's just that 15 years of non-work on security for IPv6 has to be done in a few years. This took 5+ years to get right on IPv4 (and it's still not done right by a lot of vendors, most likely due to lack of standards).
SAVI is a great step forward, but it seems quite complicated due to the fact that the issues SAVI tries to address don't seem to have been considered at all when IPv6 (or IPv4) was designed.
-- 
Mikael Abrahamsson    email: [email protected]

IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
