IPv6 Firewall on CPEs - Default on or off
Lorenzo Colitti
lorenzo at google.com
Mon Dec 3 02:42:36 CET 2012
On Mon, Dec 3, 2012 at 10:29 AM, Andre Tomt <andre at tomt.net> wrote:
> Most newer devices do support DHCPv6 addressing* so I don't see too many
> downsides of giving the managed addresses the full, unfiltered experience,
> leaving the others only outbound + return traffic. Other than making CPE's
> support something like it of course.
>
Then filter all addresses with ff:fe in the middle bits?
> * Most devices I've seen not supporting DHCPv6 addressing have so many
> problems with IPv6 that they dont belong on a public IPv6 network anyway.
DHCPv6 has limitations such as reduced capabilities for host to implement
privacy addresses, reduced reliability compared to SLAAC in multihoming
scenarios, etc. Whatever you do in the filtering realm, please don't tie it
to DHCPv6.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20121203/eee19d1c/attachment.htm>
More information about the ipv6-ops
mailing list