IPv6 in the enterprise

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Fri Apr 22 02:32:58 CEST 2011 

On Thu, 21 Apr 2011 09:49:38 +0200
"S.P.Zeidler" <spz at serpens.de> wrote:

> Thus wrote Mikael Abrahamsson (swmike at swm.pp.se):
> 
> > On Thu, 21 Apr 2011, S.P.Zeidler wrote:
> > 
> > >>Could you please elaborate on what you do when you are "fixing it up"?
> > >
> > >Changing resolv.conf on its clients.
> > 
> > That doesn't make sense either for IPv4 or IPv6. You can use
> > function IP addresses for both.
> 
> In IPv4 that's not necessary since the IP address is not bound to the
> hardware.
> 
> > >>I would create a dedicated resolver address (a subnet with the
> > >>address ::53 being the resolver) and then I would move this address
> > >>around when the service changes physical hardware, perhaps even
> > >>having it in multiple places (anycast).
> > >
> > >That is an instance of not using SLAAC, yes.
> > 
> > That's an instance of not *only* using EUI64 addresses, with SLAAC
> > you can use ANY address on the subnet that is not already taken.
> 
> Sorry I was too terse, obviously. That in an instance of not using SLAAC
> for the address of the resolver that is actually getting used for this
> service.
> 
> The original premise was that all hosts including servers should use
> SLAAC. I gave an example where even a very small setup reaches the point
> where that is annoying.
> 

No it wasn't. It was about why are people using GUA addresses as
default gateway addresses on end-nodes when the IPv6 RFCs specify using
link-local addresses for that purpose.

RFC4861 says the RAs MUST be sourced from a link-local address, which
is then used as the next-hop address for the RA announcing router if
the router lifetime is non-zero.

I'd think people using GUAs as default router addresses on end-nodes
implies they aren't using RAs either. RAs do significantly more than
just announce a candidate default router, so that's where the
sorts of future issues may arise when you want to use RAs to automate
e.g. changing ND cache timeouts on end-nodes.

So I think the following combination would continue to use link-local's
as end-node default router addresses and preserve RA functionality,
while accommodating the other functions that people are using GUAs to
achieve -

- default router has both GUA and link-local addresses on it's
  interface (this is nothing special, and what happens by default today)

- interface link-local address is something simple like fe80::1, and
  used as the source address for RAs

- if you need to provide a minimal level of mitigation against the
  recent "random RA" attack, configure end-host firewall rules to
  ignore any RAs other than those originating from fe80::1. (of course,
  this doesn't stop somebody spoofing those, but then there are plenty
  of other spoofing/impersonation attacks available if you're on link.
  RA guard or IPv6 SEND would be the better answers to this RA attack)

- I think currently using ping6 for default router troubleshooting is an
  issue, whether you use simple link-local addresses and have to lookup
  the outbound interface or whether you use a fairly long GUA. As Erik
  Kline suggested, a ping6 shorthand command line option such as "%0"
  or "%default" for pinging the default router would eliminate that
  problem.


Regards,
Mark.

More information about the ipv6-ops mailing list