IPv6 link-layer security (Was: Dual stack hotspot/captive portal)

Martin Millnert martin at millnert.se
Thu Feb 24 16:23:52 CET 2011


On Thu, 2011-02-24 at 03:20 +0100, Mikael Abrahamsson wrote:
> DHCPv6 is basically a must in any security minded network (otherwise
> you have to do /64 single broadcast domain per user). All clients will
> have to support it eventually to work properly.

DHCPv6 is obviously not sufficient in itself to provide a security
minded network. You need various forms of state and filtering in your
access equipment on top of it to create a virtual separation of users in
the broadcast domain (ND state/filtering, RA guard (RFC 6105), etc).

OTOH, actually doing a single broadcast domain per user removes these
issues, simplifies logging, etc. This with potentially a great deal less
lines of code required in access switches, unless you push L3 routing
out to the access devices themselves, in which case you get other
bonuses such as more optimal routing, and can overcome multiple paths
problems of larger Ethernet domains as well (STP, etc).

In the case of WLAN access points, they too can do create a logical
broadcast domain per user if they do link layer encryption with unique
keys.

While a single broadcast domain per user is no one-stop solution for all
types of network, it is certainly an alternative that should be
seriously considered in many situations, especially if you are able to
redesign from the ground up, without having IPv4 constraints limit your
networks potential.

Regards,
Martin




More information about the ipv6-ops mailing list