Mark and Mikael,

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Mikael Abrahamsson
> Sent: Wednesday, June 22, 2011 4:42 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [v6ops] Question regarding RA-Guard evasion (ND and extension headers)
>
> On Wed, 22 Jun 2011, Mark Smith wrote:
>
> > It may be getting to the point where it'd probably be easier to address
> > these issues by taking away hosts' ability to multicast to other hosts
> > on the same segment i.e. switch to an NBMA/hub-and-spoke mode of LAN
> > operation, allowing the designated routers to also act as traffic
> > sanitisers for on-link inter-host traffic.

That's just how ISATAP works when the advertising ISATAP routers
do not advertise on-link IPv6 prefixes. However, the advertising
ISATAP routers can also send ICMPv6 Redirects - which is really
still in keeping with your characterization of "traffic sanitiser".

> I agree, that's the deployment model I advocate for hostile scenarios. Use
> DHCPv6 for stateful addressing, advertise default GW via RA, don't
> advertise any on-link prefix,

That's exactly the model I had in mind for ISATAP.

> and make sure hosts can't L2 communicate at
> all with each other by means of enforcement in switches (or just separate
> them into different L2 domains).

This would certainly enforce a true hub-and-spokes, but may
be overly restrictive in some environments. For example, if
a host has a way of knowing at L2 that a packet has come from
a trusted router and not an anonymous node on the link then
there may not be such a strong requirement for L2 segregation.
ISATAP provides such a means.

Thanks - Fred
[email protected]

> --
> Mikael Abrahamsson    email: [email protected]
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
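The deployment model discussed in this thread (DHCPv6 for stateful addressing, default gateway via RA, no on-link prefix) can be checked against a captured Router Advertisement. The following is an added example, not part of the original messages; `audit_ra`, `build_ra` and the sample packets are constructed for illustration, and the input is assumed to be the ICMPv6 message with the IPv6 header already stripped.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option, 32 bytes long


def audit_ra(icmp: bytes) -> list:
    """List the ways an RA departs from the model described in the thread."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    findings = []
    if not icmp[5] & 0x80:  # M (managed address configuration) flag
        findings.append("M flag clear: hosts not directed to DHCPv6")
    if struct.unpack("!H", icmp[6:8])[0] == 0:  # router lifetime
        findings.append("router lifetime 0: no default gateway advertised")
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = icmp[off + 2], icmp[off + 3]
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            if pflags & 0x80:  # L (on-link) flag
                findings.append(f"on-link prefix {prefix}/{plen} advertised")
        off += opt_len
    return findings


def build_ra(managed, lifetime, pios=()):
    """Build a constructed sample RA; checksum is zero and not validated."""
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64,
                     0x80 if managed else 0, lifetime, 0, 0)
    for prefix, plen, on_link in pios:
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen,
                          0x80 if on_link else 0, 86400, 14400, 0)
        ra += ipaddress.IPv6Address(prefix).packed
    return ra


if __name__ == "__main__":
    for name, ra in [
        ("conforming", build_ra(True, 1800)),
        ("on-link prefix", build_ra(True, 1800, [("2001:db8:1::", 64, True)])),
    ]:
        print(name, audit_ra(ra) or "OK")
```

A Prefix Information option with the L flag clear is accepted, since hosts then send traffic for that prefix to the default router.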
