Opinions on link local matching GUA

Eric Vyncke (evyncke) evyncke at cisco.com
Thu Sep 13 00:14:29 CEST 2012


Honestly, I have a hard time seeing any security implication here... in order to attack an LLA, you need to be local, and being local, an ICMP to FF02::1 will exhibit all LLA addresses on the link anyway. So, no information leak from GUA to LLA.

Inferring the GUA from the LLA for a router is also trivial: listen to RAs.

But I would go one step further and rather use FE80::router-id on all interfaces; this would avoid renumbering (could be useful as well when doing iBGP with LLA). Could also append the OID of the interface.

-éric

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Tim Densmore
> Sent: mercredi 12 septembre 2012 22:44
> To: IPv6 operators forum
> Subject: Opinions on link local matching GUA
> 
> Hi Folks,
> 
> Is there a common opinion about whether or not changing link local addresses
> from EUI to an address that matches your interface GUA (meaning 2001::1234:1
> = FE80::1234:1 or something along those lines) is a good or bad practice?  To
> me, it seems like an easy way to be able to remember which LL is on which
> interface of which device, but I imagine there are security implications I'm
> overlooking, as well.
> 
> Opinions?
> 
> Thanks,
> 
> TD
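
Added example, not part of either message above: a small Python script that shows why the GUA/LLA pairing is already visible to anyone on the link. It builds a constructed Router Advertisement (the bytes are made up for this example, not captured traffic), parses the router's link-local source address and the advertised /64 prefix out of it, and combines the two to produce the GUA a router using the "LLA matches GUA" scheme would have. The EUI-64 helper shows the same inference for the default scheme, where the Source Link-Layer Address option gives away the LLA. All function names, the sample addresses and the MAC are assumptions of this example.

```python
"""Infer a router's GUA from what every on-link host sees in its RAs.

Added example: the RA below is constructed, not captured. The checksum is left
zero because the packet is only parsed here, never sent.
"""
import ipaddress
import struct

ICMPV6 = 58
ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR = 1     # RFC 4861 Source Link-Layer Address option
OPT_PREFIX_INFO = 3    # RFC 4861 Prefix Information option


def build_ra(src_lla: str, mac: bytes, prefix: str) -> bytes:
    """IPv6 header + ICMPv6 RA carrying an SLLA option and one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    slla = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, mac)
    # prefixlen, flags (L|A), valid, preferred, reserved, prefix
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0, net.network_address.packed)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    payload = ra + slla + pio
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), ICMPV6, 255,
                      ipaddress.IPv6Address(src_lla).packed,
                      ipaddress.IPv6Address("ff02::1").packed)
    return hdr + payload


def parse_ra(pkt: bytes) -> dict:
    """Return the router LLA (IPv6 source), its MAC if advertised, and the advertised prefixes."""
    ver_tc_fl, plen, nxt, _hlim, src, _dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if ver_tc_fl >> 28 != 6 or nxt != ICMPV6:
        raise ValueError("not an ICMPv6-over-IPv6 packet")
    body = pkt[40:40 + plen]
    if len(body) < 16 or body[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {"router_lla": ipaddress.IPv6Address(src), "mac": None, "prefixes": []}
    off = 16  # RA fixed part is 16 bytes; options follow in 8-byte units
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: must be discarded
        opt = body[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR and olen == 1:
            info["mac"] = opt[2:8]
        elif otype == OPT_PREFIX_INFO and olen == 4:
            prefix = ipaddress.IPv6Address(opt[16:32])
            info["prefixes"].append(ipaddress.IPv6Network((prefix, opt[2]), strict=False))
        off += olen * 8
    return info


def iid(addr) -> int:
    """Interface identifier: the low 64 bits of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def lla_from_gua(gua: str) -> ipaddress.IPv6Address:
    """The scheme discussed in the thread: fe80:: with the GUA's interface identifier."""
    return ipaddress.IPv6Address((0xfe80 << 112) | iid(gua))


def gua_from_ra(pkt: bytes) -> list:
    """Candidate GUAs: each advertised /64 combined with the IID of the router's LLA."""
    info = parse_ra(pkt)
    return [ipaddress.IPv6Address(int(net.network_address) | iid(info["router_lla"]))
            for net in info["prefixes"] if net.prefixlen == 64]


def eui64_lla(mac: bytes) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address from a 48-bit MAC (the default, non-matching scheme)."""
    b = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    b[0] ^= 0x02  # flip the universal/local bit
    return ipaddress.IPv6Address((0xfe80 << 112) | int.from_bytes(b, "big"))


# Constructed sample: router fe80::1234:1 announcing 2001:db8:1::/64
SAMPLE_RA = build_ra("fe80::1234:1", bytes.fromhex("001122334455"), "2001:db8:1::/64")

if __name__ == "__main__":
    info = parse_ra(SAMPLE_RA)
    print("router LLA:", info["router_lla"], "MAC:", info["mac"].hex(":"))
    print("matching-scheme GUA candidates:", [str(a) for a in gua_from_ra(SAMPLE_RA)])
    print("EUI-64 LLA for that MAC:", eui64_lla(info["mac"]))
```

Run it as is and the sample RA yields 2001:db8:1::1234:1 for the matching scheme; `lla_from_gua` is the reverse direction, and `eui64_lla` shows that with the default scheme the SLLA option in the same RA reveals the LLA just as readily. The parser rejects zero-length and truncated options rather than looping or indexing past the buffer, which is the check a practitioner would want before pointing it at real traffic.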
