On 2011-07-13 10:57, Mikael Abrahamsson wrote:
[..]
> No, we do not provide stateful filtering. We a lot of the time don't
> even provide a CPE. Customer can connect their computer directly into
> the wall RJ45 and get an IPv4 address today.
>
> When looking at deploying IPv6 in this scenario, we'd like to put each
> customer in a separate /64 so we don't have to deal with a lot of the
> security issues seen when sharing L2 domain between several customers,
> but we'd still have to limit the amount of IPv6 addresses the customer
> can have "active" due to ND table size limitations (if our central
> equipment is the default gw on the customer LAN). This is even without
> any ddos discussion, this is just normal operations.

Why not deploy it like a lot of folks have been deploying IPv6 for over
a decade already:
 - a /64 link to the router/host of the user
   (<link>::1 is you, <link>::2 is them)
 - a route, be it /64, /56 or /48 to <link>::2 aka the user

That link can be a real Ethernet link or a tunnel.

AVM Fritz!Box supports this and various other vendors also find this
great.

The "ND" issue now lies at the CPE device of the user, who will most
likely not be able to handle 1GB/s anyway when somebody wants to DDoS
them off the net...

Greets,
 Jeroen

(who saw 500mbit coming sourced from 6to4 on Monday... and indeed most
home networks don't have 500mbit connectivity yet...)

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
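
A small model of the trade-off discussed in this thread, added here as an illustration and not part of either message: it counts the neighbor-cache (ND) entries the provider router needs when the customer /64 is on-link versus when a prefix is routed to <link>::2. The 2001:db8::/32 documentation prefixes, the 64-entry limit, the 1000 active addresses and the no-eviction cache are all constructed assumptions.

```python
import ipaddress

class Router:
    """Toy provider router: tracks neighbor-cache (ND) entries only."""

    def __init__(self, nd_limit):
        self.nd_limit = nd_limit
        self.table = []        # (network, next_hop); next_hop None = on-link
        self.nd_cache = set()
        self.dropped = 0

    def connected(self, prefix):
        self.table.append((ipaddress.ip_network(prefix), None))

    def route(self, prefix, next_hop):
        self.table.append((ipaddress.ip_network(prefix),
                           ipaddress.ip_address(next_hop)))

    def forward(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [e for e in self.table if dst in e[0]]
        if not matches:
            self.dropped += 1
            return False
        # Longest-prefix match decides between on-link and routed delivery.
        _, next_hop = max(matches, key=lambda e: e[0].prefixlen)
        # On-link: one ND entry per destination. Routed: one for the next hop.
        neighbor = dst if next_hop is None else next_hop
        if neighbor not in self.nd_cache:
            if len(self.nd_cache) >= self.nd_limit:   # simplification: no eviction
                self.dropped += 1
                return False
            self.nd_cache.add(neighbor)
        return True

def simulate(design, active_addrs=1000, nd_limit=64):
    """Return (ND entries used, packets dropped) for one customer."""
    r = Router(nd_limit)
    if design == "onlink":      # provider router is default gw on the customer LAN
        r.connected("2001:db8:100::/64")
    elif design == "routed":    # <link>::1 = provider, <link>::2 = customer CPE
        r.connected("2001:db8:0:1::/64")
        r.route("2001:db8:100::/56", "2001:db8:0:1::2")
    else:
        raise ValueError(design)
    base = ipaddress.ip_address("2001:db8:100::")
    for i in range(1, active_addrs + 1):
        r.forward(base + i)
    return len(r.nd_cache), r.dropped
```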
