IPv6 in the enterprise
Mark Smith
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Fri Apr 22 02:32:58 CEST 2011
On Thu, 21 Apr 2011 09:49:38 +0200
"S.P.Zeidler" <spz at serpens.de> wrote:
> Thus wrote Mikael Abrahamsson (swmike at swm.pp.se):
>
> > On Thu, 21 Apr 2011, S.P.Zeidler wrote:
> >
> > >>Could you please elaborate on what you do when you are "fixing it up"?
> > >
> > >Changing resolv.conf on its clients.
> >
> > That doesn't make sense either for IPv4 or IPv6. You can use
> > function IP addresses for both.
>
> In IPv4 that's not necessary since the IP address is not bound to the
> hardware.
>
> > >>I would create a dedicated resolver address (a subnet with the
> > >>address ::53 being the resolver) and then I would move this address
> > >>around when the service changes physical hardware, perhaps even
> > >>having it in multiple places (anycast).
> > >
> > >That is an instance of not using SLAAC, yes.
> >
> > That's an instance of not *only* using EUI64 addresses, with SLAAC
> > you can use ANY address on the subnet that is not already taken.
>
> Sorry I was too terse, obviously. That in an instance of not using SLAAC
> for the address of the resolver that is actually getting used for this
> service.
>
> The original premise was that all hosts including servers should use
> SLAAC. I gave an example where even a very small setup reaches the point
> where that is annoying.
>
No it wasn't. It was about why are people using GUA addresses as
default gateway addresses on end-nodes when the IPv6 RFCs specify using
link-local addresses for that purpose.
RFC4861 says the RAs MUST be sourced from a link-local address, which
is then used as the next-hop address for the RA announcing router if
the router lifetime is non-zero.
I'd think people using GUAs as default router addresses on end-nodes
implies they aren't using RAs either. RAs do significantly more than
just announce a candidate default router, so that's where the
sorts of future issues may arise when you want to use RAs to automate
e.g. changing ND cache timeouts on end-nodes.
So I think the following combination would continue to use link-local's
as end-node default router addresses and preserve RA functionality,
while accommodating the other functions that people are using GUAs to
achieve -
- default router has both GUA and link-local addresses on it's
interface (this is nothing special, and what happens by default today)
- interface link-local address is something simple like fe80::1, and
used as the source address for RAs
- if you need to provide a minimal level of mitigation against the
recent "random RA" attack, configure end-host firewall rules to
ignore any RAs other than those originating from fe80::1. (of course,
this doesn't stop somebody spoofing those, but then there are plenty
of other spoofing/impersonation attacks available if you're on link.
RA guard or IPv6 SEND would be the better answers to this RA attack)
- I think currently using ping6 for default router troubleshooting is an
issue, whether you use simple link-local addresses and have to lookup
the outbound interface or whether you use a fairly long GUA. As Erik
Kline suggested, a ping6 shorthand command line option such as "%0"
or "%default" for pinging the default router would eliminate that
problem.
Regards,
Mark.
More information about the ipv6-ops
mailing list