Re: Node Requirements: Elevating DHCPv6 from MAY to SHOULD

Philip Homburg <pch-6man@u-1.phicoh.com> Tue, 31 May 2011 10:40 UTC

Return-Path: <pch-b2B3A6689@u-1.phicoh.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 245A4E0784 for <ipv6@ietfa.amsl.com>; Tue, 31 May 2011 03:40:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.435
X-Spam-Level:
X-Spam-Status: No, score=-8.435 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g2qbeZGjvWqK for <ipv6@ietfa.amsl.com>; Tue, 31 May 2011 03:40:35 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [130.37.15.35]) by ietfa.amsl.com (Postfix) with ESMTP id CCD82E076F for <ipv6@ietf.org>; Tue, 31 May 2011 03:40:34 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #55) id m1QRMNF-0001ipC; Tue, 31 May 2011 12:40:33 +0200
Message-Id: <m1QRMNF-0001ipC@stereo.hq.phicoh.net>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: Node Requirements: Elevating DHCPv6 from MAY to SHOULD
From: Philip Homburg <pch-6man@u-1.phicoh.com>
Sender: pch-b2B3A6689@u-1.phicoh.com
References: <C9F53B85.11BE93%john_brzozowski@cable.comcast.com> <201105232010.p4NKAV9X012654@cichlid.raleigh.ibm.com> <53E999C4-E50D-49C9-9B02-8AD7B5641905@gmail.com> <BANLkTinByCkcvd6=wLE6=9h1xLX16AhPVQ@mail.gmail.com> <201105232111.p4NLBScJ013180@cichlid.raleigh.ibm.com> <20110524072631.737ee12c@opy.nosense.org> <3044C560-F46C-477A-BD87-DF252F689FAB@equinux.de> <m1QR93e-0001IXC@stereo.hq.phicoh.net> <62797F6E-20DF-4038-A29A-1FDB0A94C678@equinux.de> <m1QRL7I-0001h2C@stereo.hq.phicoh.net> <alpine.DEB.2.00.1105311225350.13754@uplift.swm.pp.se>
In-reply-to: Your message of "Tue, 31 May 2011 12:28:01 +0200 (CEST) ." <alpine.DEB.2.00.1105311225350.13754@uplift.swm.pp.se>
Date: Tue, 31 May 2011 12:40:32 +0200
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2011 10:40:39 -0000

In your letter dated Tue, 31 May 2011 12:28:01 +0200 (CEST) you wrote:
>On Tue, 31 May 2011, Philip Homburg wrote:
>> No, ND is more clever than that. All traffic between prefixes that are 
>> on-link goes directly between the hosts. Even when the prefix is 
>> off-link it is possible for the router to send a redirect ICMP to cause 
>> further traffic to be directly between the hosts.
>
>I hope there is a recommendation in the standard to have a knob to turn 
>this off? With security functions like forced-forwarding and alike, I'd 
>definitely not want the hosts to try to communicate directly between each 
>other.

A prefix only becomes on-link if there is a prefix option that says so.

Of course, absent secure ND, any host can fake a redirect ICMP. So you either
need SEND or L2 devices that filter ICMPs. But you need that anyhow.

>I was under the impression that if I don't announce an on-link prefix at 
>all, and just do DHCPv6, the hosts would not try to communicate with 
>each other directly (i.e. there is no routing to support this function). 
>You're saying my presumption is not true?

If the prefix is not announced as on-link then hosts have to send their
packets to a default router until they get a redirect.

>Why would a host try to do ND for something that is not on-link according 
>to its routing table?

I was not implying that hosts would do that without a router announcing the 
prefix as on-link. I just wanted to make clear that IPv6 *supports* direct
communication between hosts that use addresses from different prefixes.
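The behaviour discussed in this exchange, as an added example that is not part of the original message: a toy model of the RFC 4861 pieces involved. It builds a Router Advertisement with two Prefix Information Options (one with the L bit set, one without, so the second prefix is DHCPv6-managed but not on-link), shows that a host only sends directly to a peer whose prefix is flagged on-link and otherwise uses the default router, and then shows why an ICMPv6 Redirect is spoofable: the receiver checks of RFC 4861 section 8.1 bind the message to the router only by its link-local source address, which any node on the link can forge. The last function is a simplified RA-guard-style port filter (the "L2 devices that filter ICMPs" option). The prefixes 2001:db8:1::/64 and 2001:db8:2::/64, the router address fe80::1 and the packet bytes are constructed for the demo; the checksum is left zero and lifetimes are arbitrary.

```python
"""Toy model of IPv6 ND on-link decisions, Redirect checks and an
RA-guard-style filter (RFC 4861 / RFC 6105 ideas).  Added example,
not code from the original message; all packet bytes are constructed."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134      # ICMPv6 types, RFC 4861
ND_REDIRECT = 137
OPT_PREFIX_INFO = 3         # ND option type
PIO_FLAG_ONLINK = 0x80      # L bit of the Prefix Information Option
PIO_FLAG_AUTO = 0x40        # A bit (SLAAC), not set in this demo


def build_ra(prefixes):
    """Build an RA body from the ICMPv6 type byte on (checksum left zero).
    prefixes: iterable of (IPv6Network, on_link) pairs."""
    # type, code, csum, cur hop limit, flags (M bit set), router lifetime,
    # reachable time, retrans timer
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x80, 1800, 0, 0)
    for net, on_link in prefixes:
        flags = PIO_FLAG_ONLINK if on_link else 0
        # type, len (units of 8 bytes), prefix length, flags, valid lifetime,
        # preferred lifetime, reserved, prefix
        body += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                            flags, 2592000, 604800, 0, net.network_address.packed)
    return body


def parse_ra_prefixes(ra):
    """Return [(IPv6Network, on_link), ...] from an RA body."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16                                  # skip the fixed RA header
    while off + 2 <= len(ra):
        otype, olen = ra[off], ra[off + 1] * 8
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard packet
        opt = ra[off:off + olen]
        if len(opt) < olen:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, flags = opt[2], opt[3]
            net = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            prefixes.append((net, bool(flags & PIO_FLAG_ONLINK)))
        off += olen
    return prefixes


def next_hop(dst, prefix_list, default_router):
    """Host next-hop determination: direct delivery only for a destination
    covered by a prefix the router flagged on-link; otherwise the default
    router (until a Redirect says otherwise)."""
    dst = ipaddress.IPv6Address(dst)
    for net, on_link in prefix_list:
        if on_link and dst in net:
            return "direct"
    return default_router


def redirect_accepted(src, hop_limit, current_first_hop):
    """Receiver checks a host can perform on a Redirect without SEND
    (RFC 4861 8.1, simplified): hop limit 255, link-local source, and the
    source must be the current first-hop router for the destination.
    The source address is the only link to the router, and it is forgeable."""
    src = ipaddress.IPv6Address(src)
    return (hop_limit == 255 and src.is_link_local
            and src == ipaddress.IPv6Address(current_first_hop))


def l2_filter_allows(icmp_type, port_faces_router):
    """RA-guard-style switch port policy (simplified): RAs and Redirects are
    only accepted on ports that face a legitimate router."""
    return port_faces_router or icmp_type not in {ND_ROUTER_ADVERT, ND_REDIRECT}


def demo():
    onlink_net = ipaddress.IPv6Network("2001:db8:1::/64")     # constructed
    dhcp_only_net = ipaddress.IPv6Network("2001:db8:2::/64")  # constructed, L=0
    router = "fe80::1"                                        # constructed
    plist = parse_ra_prefixes(build_ra([(onlink_net, True), (dhcp_only_net, False)]))
    return {
        "prefixes": plist,
        "onlink_peer": next_hop("2001:db8:1::10", plist, router),
        "offlink_peer": next_hop("2001:db8:2::10", plist, router),
        # passes whether the real router or a spoofer sent it with src fe80::1
        "redirect_passes_checks": redirect_accepted("fe80::1", 255, router),
        "redirect_wrong_src": redirect_accepted("fe80::bad", 255, router),
        "l2_filter_drops_redirect": not l2_filter_allows(ND_REDIRECT, False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of `redirect_passes_checks` is that the host-side validation is necessary but not sufficient: it rejects a careless spoof (wrong source) but cannot distinguish a forged Redirect carrying the router's link-local address from a genuine one, which is where SEND or port-level filtering has to come in.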