ipv6 next-hop link-local

S.P.Zeidler spz at serpens.de
Sun Feb 27 09:20:36 CET 2011


Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):

> On Wed, 23 Feb 2011 08:40:48 +0100
> "S.P.Zeidler" <spz at serpens.de> wrote:
> 
> > So you have a unique local prefix, for what exactly?
> 
> For the same purposes as link locals are or can be used for today, with
> the difference being that the inbound/outbound interface doesn't have
> to be specified, as the ambiguity of which interface the address
> exists on has been eliminated.

i.e. manually configured peer addresses for high-security-impact uses?

Obviously not, because "changeable" and "manually configured" don't
co-exist well.

> > Since you will come up with something totally different after a power
> > outage, when you need extra hassles least, you cannot use it to
> > identify a fileserver, appserver, etc; basically, you can not -use-
> > these addresses for anything that is not based on dynamic polling.
> 
> Dynamic or Multicast DNS (a.k.a. Bonjour, Avahi etc.) would provide name
> resolution for them if you were using them for more general
> applications communication. It would be possible to make generating and
> configuring the unique link local subnet ID manual, however I think
> it'd be worth making it automated and agreed, so that IPv6 on the local
> link autoconfigures itself (to easily facilitate the IPv6 "dentist's
> office" scenario).
>
> They'd be functionally like ULAs, except that they wouldn't be routable
> off-link (a useful security property), and have a separately designated
> prefix so that if necessary they can be identified in places where
> identifying the type of prefix and its reachability is useful or
> necessary.

So you have basically a zeroconf situation, but with hosts with multiple
network interfaces onto distinct security zone networks, and you combine
security measures at network prefix level with dynamic prefixes.

These combinations do not strike me as particularly .. wise.

If you do not have scope, how do you know you're not putting access to the
patient database (staying with the dentist's office, here) onto the WLAN
that's open so waiting patients can keep themselves amused?

regards,
	spz
-- 
spz at serpens.de (S.P.Zeidler)
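[Editor's note: the following is an added example, not part of the thread above
or of any code by its participants. It illustrates spz's point about scope on a
multi-homed host: a link-local literal such as fe80::1 names a peer on *every*
attached link, so a host with interfaces in different security zones cannot
admit it as a peer unless the zone (interface) is spelled out as fe80::1%eth0.
ULA and global unicast peers carry their own reachability in the prefix and need
no zone. The interface names and the interface-to-zone table are made up for the
example; it assumes Python 3.9 or later, where the ipaddress module parses the
%zone suffix and exposes it as scope_id.]

```python
"""Peer-address admission check for a multi-homed host (added example, not
from the mailing-list thread). Requires Python >= 3.9 for scope-ID support.
"""
import ipaddress

# Constructed for the example: which interface is attached to which
# security zone on this (hypothetical) dentist's-office server.
ZONES = {"eth0": "clinic-lan", "wlan0": "guest-wifi"}

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local addresses (RFC 4193)


def classify(addr: str) -> dict:
    """Classify an IPv6 literal by prefix type and extract its zone, if any.

    Returns {"kind": ..., "scope": zone-or-None, "bits": int value}.
    The 128 address bits of fe80::1%eth0 and fe80::1%wlan0 are identical;
    only the scope distinguishes the two peers.
    """
    ip = ipaddress.IPv6Address(addr)
    scope = ip.scope_id                 # None unless written as addr%zone
    if ip.is_multicast:
        kind = "multicast"
    elif ip.is_link_local:
        kind = "link-local"
    elif ip in ULA:
        kind = "unique-local"
    elif not ip.is_private:
        kind = "global"
    else:
        kind = "other"                  # loopback, documentation, etc.
    return {"kind": kind, "scope": scope, "bits": int(ip)}


def admit_peer(addr: str, allowed_zones: set) -> tuple:
    """Decide whether addr may be used as a peer for a service that is only
    allowed to talk into allowed_zones. Returns (admitted, reason).

    - link-local without a zone: refused, because on a multi-homed host the
      same bits may exist on a link in a different security zone;
    - link-local with a zone: admitted only if that interface's zone is allowed;
    - unique-local / global unicast: admitted, routing picks the interface;
    - anything else (multicast, loopback, ...): not a unicast peer.
    """
    info = classify(addr)
    if info["kind"] == "link-local":
        if info["scope"] is None:
            return False, "link-local peer without zone is ambiguous on a multi-homed host"
        zone = ZONES.get(info["scope"])
        if zone is None:
            return False, "unknown interface %s" % info["scope"]
        if zone not in allowed_zones:
            return False, "interface %s is in zone %s, which is not allowed" % (
                info["scope"], zone)
        return True, "link-local peer pinned to %s (%s)" % (info["scope"], zone)
    if info["kind"] in ("unique-local", "global"):
        return True, "%s peer; outbound interface chosen by the routing table" % info["kind"]
    return False, "%s address is not a valid unicast peer" % info["kind"]


if __name__ == "__main__":
    # Constructed inputs: the patient-database service may only reach clinic-lan.
    for candidate in ("fe80::1", "fe80::1%eth0", "fe80::1%wlan0", "fd12:3456::1"):
        print(candidate, "->", admit_peer(candidate, {"clinic-lan"}))
```

The check the example makes concrete: without the scope, "fe80::1" cannot be
tied to a zone at all, so a policy expressed purely at prefix level has nothing
to hold on to; with the scope, the interface (and hence the zone) is explicit
and can be verified before the connection is made.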

