Mark Kamichoff prox at prolixium.com
Wed Nov 16 15:55:40 CET 2011

On Wed, Nov 16, 2011 at 09:41:12AM +0100, Shane Kerr wrote:
> > To further complicate the issue, firewall policies can also throw a
> > wrench into this.  In the case of stateless DHCPv6 each server might
> > still use EUI-64 (not even thinking about privacy extensions!) for
> > the last 64 bits of the address.  Firewall policies will then have
> > to rely on DNS since it would be absurd to swap out a NIC and have
> > to update firewall configuration.  With stateful DHCPv6 and the
> > server assigning IPv6 addresses to servers, firewall policies would
> > still have to rely on DNS or the addition of each server would
> > require a reservation during provisioning to always be guaranteed to
> > receive the same address.
> I'm curious... how is this any different from IPv4?

The above is based on the assumption that very few organizations use
DHCPv4 assignment of IPv4 addresses for servers in DCs and the majority
of firewall policies are built based on IPv4 addresses and prefixes, not
DNS names.

Although I'm sure there are some exceptions, in general I believe this
to be a correct assumption for enterprises.  Perhaps I am wrong?

- Mark

Mark Kamichoff
prox at prolixium.com
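
The quoted paragraph's point about EUI-64 and NIC swaps, as an added example that is not part of the original message: it derives the modified EUI-64 address (RFC 4291, Appendix A) for a server before and after a NIC replacement and reports which firewall rule sources stop matching. The function names, prefix, MAC addresses and rules are constructed for illustration.

```python
import ipaddress

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address formed from a /64 prefix plus the modified EUI-64 of a 48-bit MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 interface IDs need a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def rule_matches(rule_source: str, addr: ipaddress.IPv6Address) -> bool:
    """True if addr falls inside the rule's source (a host address or a prefix)."""
    return addr in ipaddress.IPv6Network(rule_source, strict=False)

def stale_rules(rules, prefix, old_mac, new_mac):
    """Rules that matched the server before the NIC swap but no longer match after it."""
    before = eui64_address(prefix, old_mac)
    after = eui64_address(prefix, new_mac)
    return [r for r in rules if rule_matches(r, before) and not rule_matches(r, after)]

# Constructed sample data: documentation prefix (2001:db8::/32) and sample MACs.
PREFIX = "2001:db8:0:10::/64"
OLD_NIC = "00:25:90:ab:cd:ef"
NEW_NIC = "00:1b:21:12:34:56"
RULES = [
    "2001:db8:0:10:225:90ff:feab:cdef/128",  # host rule pinned to the old NIC's address
    "2001:db8:0:10::/64",                     # subnet rule, independent of the interface ID
]

if __name__ == "__main__":
    print("before swap:", eui64_address(PREFIX, OLD_NIC))
    print("after swap: ", eui64_address(PREFIX, NEW_NIC))
    print("rules needing an update:", stale_rules(RULES, PREFIX, OLD_NIC, NEW_NIC))
```

Only the host-specific rule goes stale; a rule written against the /64 keeps matching, at the cost of covering every host on the segment.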

More information about the ipv6-ops mailing list