Mikael, On 2010-09-12 09:14, Mikael Abrahamsson wrote: > On Sun, 12 Sep 2010, Brian E Carpenter wrote: > >> Is there a writeup of the model as a whole? If not, it would be >> immensely useful (and maybe this discussion belongs on v6ops or opsawg). > > I've asked Fred if he knows of a write-up/whitepaper, Cisco has > customers with extensive deployments of this. > > Looking a bit, I found > <http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap5.html>. > The interesting parts are around "Port Security Considerations", "DHCP > protection", "ARP spoofing protection", and the likes.
Thanks for that. Now, what is needed for those techniques to be fully deployable for IPv6, except work by the vendor(s)? Is there any work needed on the basic IPv6 standards? If not, this is exactly the sort of issue that we are starting to discuss in the newest push in v6ops(@ietf.org) and its v4v6tran sub-discussion. See draft-lee-v4v6tran-problem, draft-carpenter-v4v6tran-framework, and several other drafts matching *v4v6tran*. > But as Fred also mentioned, SAVI WG is working in specifically this area > <https://datatracker.ietf.org/wg/savi/charter/> Sure. Are you holding your breath? > There also is no "one model" for this, there are multiple variants. Some > rely on MAC 1:1 re-write to do a lot of the L2 protection needed > (Ericsson Ethernet DSLAMs and ETTH nodes do this for instance). Some let > end users choose MAC addresses and rely on MAC uniqueness, and try to do > the rest by inspecting policy traffic as it flows along and implement > different filters. > > Also regarding this "belonging" on other lists. I'm not sure. Deployment > models need to be understood by people proposing and critiquing work > being done in all related WGs. Having people dismiss other peoples > opinions/ideas because they don't understand a deployment model and > rationale behind why someone is proposing something is causing > unneccessary friction on the lists. I've multiple times been thinking > "why the hell am I doing this, my forehead is bloody enough as it is" > and throwing my hands up and leaving, but I try to dig in and continue. > > I hope others do the same thing, we need to get IPv6 deployable. Yes, and thank you for persisting. Brian -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
