Hosting provider allocation advice
Bernhard Schmidt
berni at birkenwald.de
Thu Oct 15 20:04:13 CEST 2009
On Thu, Oct 15, 2009 at 12:32:53PM +0200, Wouter de Jong wrote:
Hi,
> 3 - Managed and Unmanaged Hosting (Co-location).
> These servers are in 'shared' subnets, ranging from /23 to /26,
> and each customer gets assigned at least 1 IP from this subnet
> and more if they can justify. For customers needing 'large' subnets,
> we'd route a different subnet to their server of choice.
>
> Here, I'm not sure what to do...
>
> You should at least assign a /64 per customer, but how would one do that
> when they are in shared subnets/vlans... ?
As Gert already said, "unshare that VLAN".
If this is not possible, I (probably not the only one) thought of the
following approach that at least one company is using already:
a) do not use global addresses on the transport VLAN at all
b) assign a /64 or /48 per customer, route it to their link-local address
customer configuration won't change, they can still statically configure
their own prefix on their ethernet port and learn the default gateway
from RA (or set a static route, but that needs a link-local next-hop as
well).
c) (optional) set a static neighbor entry for the LL addr to their MAC
d) (optional) set port security to only allow the MAC on their port
e) (optional) enable private VLAN
This solves a number of spoofing issues (attackers in the same VLAN
cannot redirect traffic to the customer by spoofing ND and thus cannot
spoof TCP) and is compatible with private VLAN. However, attackers can
still send packets from the wrong source address, so any address based
billing is susceptible to attack.
Fixing that won't be possible without L2 infrastructure that can do some
filtering (e.g. IPv6 ACL) per customer port.
Bernhard
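A worked example of steps a to c on a Linux router, added here and not part of the original post or the thread: it generates the iproute2 commands that route each customer's prefix to its link-local address and pin that address to the customer's MAC, and refuses inputs that would break the scheme (a global next hop, overlapping prefixes, a next hop shared by two customers). The interface name, prefixes and MACs are constructed; steps d and e are switch-side and not covered.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def customer_commands(prefix, ll_next_hop, mac, iface):
    """Return the two iproute2 commands for one customer: route the assigned
    prefix to the customer's link-local address (step b) and pin that
    link-local address to the customer's MAC (step c)."""
    net = ipaddress.IPv6Network(prefix)            # rejects host bits set
    if net.prefixlen not in (48, 64):
        raise ValueError(f"{net}: assign a /64 or /48 per customer")
    if not net.subnet_of(GLOBAL_UNICAST):
        raise ValueError(f"{net}: customer prefix must be global unicast")
    nh = ipaddress.IPv6Address(ll_next_hop)
    if nh not in LINK_LOCAL:                        # step a: no global next hops
        raise ValueError(f"{nh}: next hop must be link-local (fe80::/10)")
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"{mac}: MAC must look like 00:11:22:33:44:55")
    return [
        f"ip -6 route replace {net} via {nh} dev {iface}",
        f"ip -6 neigh replace {nh} lladdr {mac} dev {iface} nud permanent",
    ]


def vlan_script(iface, customers):
    """Build the command list for one transport VLAN. `customers` holds
    (prefix, link-local, mac) tuples. Overlapping prefixes or a link-local
    address used by two customers are rejected, since either would hand one
    customer's traffic to another."""
    nets, hops = [], set()
    lines = [f"# transport VLAN {iface}: router keeps no global address here"]
    for prefix, ll, mac in customers:
        cmds = customer_commands(prefix, ll, mac, iface)
        net, nh = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(ll)
        if any(net.overlaps(seen) for seen in nets):
            raise ValueError(f"{net} overlaps an earlier customer's prefix")
        if nh in hops:
            raise ValueError(f"{nh} is already another customer's next hop")
        nets.append(net)
        hops.add(nh)
        lines.extend(cmds)
    return lines


if __name__ == "__main__":
    # constructed sample customers on a constructed interface name
    print("\n".join(vlan_script("vlan100", [
        ("2001:db8:100::/64", "fe80::1", "00:11:22:33:44:55"),
        ("2001:db8:200::/48", "fe80::2", "00:11:22:33:44:66"),
    ])))
```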