Hosting provider allocation advice
Garry Dolley
gdolley at arpnetworks.com
Mon Oct 26 08:32:56 CET 2009
On Fri, Oct 16, 2009 at 02:23:39PM +0200, Bernhard Schmidt wrote:
> * if you use private VLANs your customer boxes can only speak to each other
> using the router. Since there is no transfer network they won't see any
> (global) address as directly connected, using the router all the time.
If you route a prefix (say /48) to their LL, can't the customer then
configure their own /56, /64, etc... on their equipment and then
the equipment would talk to each other directly, not going through
the router?
If each piece of gear was on its own VLAN, then yes, I would see how
they all have to talk through the router, but I don't think anyone
would set up something like that ;)
> You can usually set the link-local address of the router to be something
> like FE80::1. With HSRPv6 this is even a necessity.
This is interesting. I've started setting up some customer
interfaces using LL and then routing their prefix to them, and it
has worked out well. But I didn't think of making the LL on the
router side of their VLAN simply FE80::1. I suppose that'd work :)
Have you had any issues with this? It makes the router
configuration a tad bit easier to manage.
> Totally regardless of how you manage your routing (to link-local or not),
> if your customers can send RA to each other you are just screwed. But if
> they can send traffic to each other you are an easy target for spoofing
> attacks anyway. So you are just having the very same security problems you
> already have with IPv4 with IPv6 as well.
Yup. If customer A can in any way see customer B traffic, you're
going to always have some security issue there.
My setup always puts different customers onto different VLANs.
Issues of backups, intra-VLAN traffic and billing, max VLANs per
switch, etc... are all easier to solve than the issues that would
arise if I share customer traffic.
--
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st
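The per-customer VLAN pattern discussed in this thread (router side of every customer VLAN at fe80::1, the customer's prefix routed to the customer's link-local address, no global transfer network, and the router refusing RAs on customer-facing interfaces) as it would look on a Linux router with iproute2. This is an added example, not configuration from the original post or from ARP Networks; the uplink name, VLAN IDs, link-local addresses and prefixes are constructed, and the script prints the commands instead of running them unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post): one customer VLAN per customer,
# router link-local fe80::1 on every VLAN, customer prefix routed to the
# customer's link-local next hop. All interface names, VLAN IDs, addresses and
# prefixes are assumed/constructed for illustration.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"
UPLINK="${UPLINK:-eth1}"   # assumed trunk port that carries the customer VLANs

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# customer_vlan <vlan-id> <customer-link-local> <customer-prefix>
# Emits (or applies) the router-side configuration for one customer VLAN.
customer_vlan() {
    vid="$1"; cust_ll="$2"; prefix="$3"
    ifname="${UPLINK}.${vid}"
    run ip link add link "$UPLINK" name "$ifname" type vlan id "$vid"
    # Do not auto-generate an EUI-64 link-local; fe80::1 is assigned by hand so
    # the customer's default gateway is the same on every VLAN.
    run sysctl -q -w "net.ipv6.conf.${ifname}.addr_gen_mode=1"
    # A customer VLAN is an untrusted link: never honour RAs received on it.
    run sysctl -q -w "net.ipv6.conf.${ifname}.accept_ra=0"
    run sysctl -q -w "net.ipv6.conf.${ifname}.forwarding=1"
    run ip link set "$ifname" up
    run ip -6 addr add fe80::1/64 dev "$ifname"
    # No global transfer network on the VLAN: the whole customer prefix is
    # routed to the customer's link-local address on this interface.
    run ip -6 route add "$prefix" via "$cust_ll" dev "$ifname"
}

# Constructed sample customer table: vlan-id, customer link-local, routed prefix.
# Both customers may use fe80::2 on their side because each VLAN is its own link.
while read -r vid ll prefix; do
    customer_vlan "$vid" "$ll" "$prefix"
done <<EOF
100 fe80::2 2001:db8:100::/48
101 fe80::2 2001:db8:101::/48
EOF
```

Because every customer VLAN is a separate interface with its own accept_ra=0, a rogue RA from customer A never reaches customer B and never changes the router's own routing table; the same sysctl must still be set on any shared-VLAN design, where it only protects the router and not the other tenants.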