On 9/21/2010 7:29 PM, Brian E Carpenter wrote:
On 2010-09-22 14:03, Doug Barton wrote:
On 9/21/2010 4:16 PM, Brian E Carpenter wrote:
we already have an IPv6 legacy

As much as I wish it were otherwise, I don't think there is yet enough
of a deployment at this point to really make this a show-stopper.

But even if we do, I don't see any reason we couldn't have a no-ND
solution in a greenfield deployment.

Yes, of course we could, after a certain amount of work on
DHCPv6 specs and products. Somebody who cares should probably write
up a draft on exactly what's needed. But my point is that any such
network still needs to deal with hosts that choose to generate ND and
RS packets. As I understood Mikael, he wanted to remove all snooping
of such packets from layer 2 devices. Well, if you do that, those
packets will still be there, and if they are a security risk, the
risk will still be there. And you'd probably still need to watch out
for rogue RA packets, because some hosts might be vulnerable to
them.

So I can certainly see how we could make ND/RA redundant for certain
types of managed network, but I don't see how we can behave as if
they don't exist, at least from a security viewpoint.


Even the topic of this sub-thread indicates the disconnect between a
still-large percentage of the operator community and the ND/RA zealots.
The fact that it keeps coming up over and over should (at some point) be
a sign that people who actually want to deploy IPv6 would like to be
able to do it on a DHCP-only basis. No one is saying yank ND/RA out of
the spec, just make it optional.

Once again, it isn't optional for certain types of deployment, and the same
is true for DHCPv6 of course. I don't think our set of RFC 2119 keywords
can quite capture this scenario-dependency.

I think you and I are in more agreement than disagreement, and I am not saying that the path forward from here is trivial; just that it is wanted. :)


Doug

--

        ... and that's just a little bit of history repeating.
                        -- Propellerheads

        Improve the effectiveness of your Internet presence with
        a domain name makeover!    http://SupersetSolutions.com/

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
