Opinions on link local matching GUA
Eric Vyncke (evyncke)
evyncke at cisco.com
Thu Sep 13 00:14:29 CEST 2012
Honestly, I have a hard time seeing any security implication here... in order to attack an LLA, you need to be local, and being local, an ICMP to FF02::1 will exhibit all LLA addresses on the link anyway. So, no information leak from GUA to LLA.
Inferring the GUA from the LLA for a router is also trivial: listen to the RA.
But I would go one step further and rather use FE80::router-id on all interfaces; this would avoid renumbering (and could be useful as well when doing iBGP with LLA). One could also append the OID of the interface.
-éric
> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Tim Densmore
> Sent: mercredi 12 septembre 2012 22:44
> To: IPv6 operators forum
> Subject: Opinions on link local matching GUA
>
> Hi Folks,
>
> Is there a common opinion about whether or not changing link local addresses
> from EUI to an address that matches your interface GUA (meaning 2001::1234:1
> = FE80::1234:1 or something along those lines) is a good or bad practice? To
> me, it seems like an easy way to be able to remember which LL is on which
> interface of which device, but I imagine there are security implications I'm
> overlooking, as well.
>
> Opinions?
>
> Thanks,
>
> TD
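The two addressing conventions under discussion (copy the GUA interface identifier into fe80::/64, or derive the LLA from the router-id with an optional interface index), together with the inference Eric mentions (prefix learned from an RA plus the RA's link-local source gives you the router's GUA), as an added worked example; this is not code from the list posting. The 2001:db8::/64 prefix, the router-id 192.0.2.1 and the exact bit layout of the fe80::router-id form (router-id in the low 32 bits, interface index in the 16 bits above it) are assumptions made for illustration, since the mail names the idea but not a layout.

```python
"""Link-local address derivation helpers for the conventions discussed
in the ipv6-ops thread.  Added example, not code from the list posting.

Assumption: interfaces are numbered out of /64 prefixes, so the low 64
bits of a GUA are its interface identifier (IID) and can be copied as-is
into fe80::/64.
"""
import ipaddress
from typing import Optional

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # RFC 4291 global unicast block
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")      # link-local with a 64-bit IID
IID_MASK = (1 << 64) - 1


def iid_of(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of an address: the interface identifier on a /64."""
    return int(addr) & IID_MASK


def lla_from_gua(gua: str) -> ipaddress.IPv6Address:
    """2001:db8::1234:1 -> fe80::1234:1 (the scheme asked about in the mail)."""
    a = ipaddress.IPv6Address(gua)
    if a not in GLOBAL_UNICAST:
        raise ValueError(f"{gua} is not a global unicast address")
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | iid_of(a))


def gua_from_lla(lla: str, prefix: str) -> ipaddress.IPv6Address:
    """The inference noted in the reply: an RA leaks the on-link /64 prefix
    and its source is the router's LLA, so with a mirrored IID the router's
    GUA is prefix | IID(LLA)."""
    a = ipaddress.IPv6Address(lla)
    if not a.is_link_local:
        raise ValueError(f"{lla} is not link-local")
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 on-link prefix as advertised in an RA")
    return ipaddress.IPv6Address(int(net.network_address) | iid_of(a))


def lla_from_router_id(router_id: str, ifindex: Optional[int] = None) -> ipaddress.IPv6Address:
    """fe80::router-id, the alternative suggested in the reply.

    Assumed layout (the mail does not specify one): the 32-bit dotted-quad
    router-id goes in the low 32 bits of the IID, and an optional interface
    index in the 16 bits above it, e.g. 192.0.2.1 / ifindex 3 -> fe80::3:c000:201.
    """
    iid = int(ipaddress.IPv4Address(router_id))
    if ifindex is not None:
        if not 0 <= ifindex < (1 << 16):
            raise ValueError("ifindex must fit in 16 bits")
        iid |= ifindex << 32
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | iid)


def mirrors(gua: str, lla: str) -> bool:
    """True when an LLA carries the same IID as the GUA (i.e. the convention is in use)."""
    return lla_from_gua(gua) == ipaddress.IPv6Address(lla)


if __name__ == "__main__":
    print(lla_from_gua("2001:db8::1234:1"))                    # fe80::1234:1
    print(gua_from_lla("fe80::1234:1", "2001:db8::/64"))       # 2001:db8::1234:1
    print(lla_from_router_id("192.0.2.1"))                     # fe80::c000:201
    print(lla_from_router_id("192.0.2.1", ifindex=3))          # fe80::3:c000:201
```

The `gua_from_lla` direction is the practical check of the reply's argument: anyone on the link already sees every LLA (a ping to ff02::1) and every advertised prefix (the RAs), so a mirrored IID gives away nothing that was not already on the wire.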