IPv6 Deployment for the LAN
On 18/10/2009, at 9:52 PM, Chuck Anderson wrote:
> On Sun, Oct 18, 2009 at 09:29:41PM +1300, Nathan Ward wrote:
>> Perhaps, but if you're operating a LAN segment you're going to want to
>> filter rogue RA and DHCPv6 messages from your network, just like you do
>> with DHCP in IPv4.
>> Filtering RA and DHCPv6 are done in very similar ways.
>
> Unfortunately, no. Many/most LAN switches don't support filtering
> IPv6 traffic yet. Of those that do, most only support TCP/UDP ports
> but not ICMPv6 types or RA specifically. Therefore, right now it is
> probably easier to find support to filter DHCPv6 (udp source port 547)
> than it is to find support to filter RA. This is a real problem even
> for people who are not using IPv6 right now and have no desire to use
> IPv6 yet, because Rogue RAs will redirect all IPv6 traffic to a rogue
> box on the LAN, breaking access to dual-stack servers on the Internet.
> The impact is worse when you start trying to roll out IPv6 dual-stack
> to selected servers on your own LAN.
This is true for now until we get switches with code to do this, and
also doesn't change my point.
--
Nathan Ward
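
An added illustration, not part of the original messages: the match each filter discussed in this thread has to make. DHCPv6 server traffic is identified by a UDP source port (547), while a Router Advertisement is identified by the ICMPv6 type byte (134), which a ports-only filter cannot express. The function names and sample packets are constructed for this example.

```python
import struct

ICMPV6, UDP, FRAGMENT = 58, 17, 44
EXT_HEADERS = {0, 43, 60}      # hop-by-hop, routing, destination options
RA_TYPE = 134                  # ICMPv6 Router Advertisement
DHCPV6_SERVER_PORT = 547       # the port quoted in the thread

def classify(pkt: bytes) -> str:
    """Classify a raw IPv6 packet that starts at the IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ipv6"
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if len(pkt) < off + 8:
            return "truncated"
        if nxt == FRAGMENT:
            # Only the first fragment carries the upper-layer header.
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first-fragment"
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    if nxt == ICMPV6 and len(pkt) > off:
        return "router-advertisement" if pkt[off] == RA_TYPE else "other"
    if nxt == UDP and len(pkt) >= off + 2:
        sport = struct.unpack_from("!H", pkt, off)[0]
        return "dhcpv6-server" if sport == DHCPV6_SERVER_PORT else "other"
    return "other"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet (zeroed addresses, hop limit 255)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return hdr + bytes(32) + payload

# Constructed sample packets, not captures.
SAMPLES = {
    "ra": ipv6(ICMPV6, bytes([134, 0, 0, 0]) + bytes(12)),
    "dhcpv6_reply": ipv6(UDP, struct.pack("!HHHH", 547, 546, 8, 0)),
    "dhcpv6_solicit": ipv6(UDP, struct.pack("!HHHH", 546, 547, 8, 0)),
    # MLDv2 report (type 143) behind a hop-by-hop Router Alert header
    "mld_report": ipv6(0, bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])
                       + bytes([143, 0, 0, 0])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} -> {classify(pkt)}")
```

On an access port facing hosts, the two classes a filter would drop are `router-advertisement` and `dhcpv6-server`; client solicits and other ICMPv6 traffic pass.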