Re: Node Requirements: Elevating DHCPv6 from MAY to SHOULD

Philip Homburg <pch-6man@u-1.phicoh.com> Tue, 31 May 2011 11:39 UTC

Message-Id: <m1QRNIi-0001gzC@stereo.hq.phicoh.net>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: Node Requirements: Elevating DHCPv6 from MAY to SHOULD
From: Philip Homburg <pch-6man@u-1.phicoh.com>
Sender: pch-b2B3A6689@u-1.phicoh.com
References: <C9F53B85.11BE93%john_brzozowski@cable.comcast.com> <201105232010.p4NKAV9X012654@cichlid.raleigh.ibm.com> <53E999C4-E50D-49C9-9B02-8AD7B5641905@gmail.com> <BANLkTinByCkcvd6=wLE6=9h1xLX16AhPVQ@mail.gmail.com> <201105232111.p4NLBScJ013180@cichlid.raleigh.ibm.com> <20110524072631.737ee12c@opy.nosense.org> <3044C560-F46C-477A-BD87-DF252F689FAB@equinux.de> <m1QR93e-0001IXC@stereo.hq.phicoh.net> <62797F6E-20DF-4038-A29A-1FDB0A94C678@equinux.de> <m1QRL7I-0001h2C@stereo.hq.phicoh.net> <alpine.DEB.2.00.1105311225350.13754@uplift.swm.pp.se> <m1QRMNF-0001ipC@stereo.hq.phicoh.net> <alpine.DEB.2.00.1105311247370.13754@uplift.swm.pp.se>
In-reply-to: Your message of "Tue, 31 May 2011 13:06:20 +0200 (CEST) ." <alpine.DEB.2.00.1105311247370.13754@uplift.swm.pp.se>
Date: Tue, 31 May 2011 13:39:55 +0200
Cc: "ipv6@ietf.org" <ipv6@ietf.org>

In your letter dated Tue, 31 May 2011 13:06:20 +0200 (CEST) you wrote:
>Absolutely, but if there is another way than to announce the on-link 
>prefix that might make hosts communicate directly to each other on a 
>subnet, that's news to me and I find this extremely interesting from a 
>security standpoint.
>
>For me, if I have:
>
>R1 X::1/64
>H2 X::2/128
>H3 X::3/128
>
>R1 doesn't announce any on-link prefix, so H2 and H3 use R1 to communicate 
>between each other (they just have their own /128 in their routing table 
>and default route pointing to R1 LL address learnt via RA).
>
>Now, what I interpreted you saying is that R1 can tell H2 that H3 is 
>on-link by means of an ICMP redirect. This has security (and functional) 
>implications in that any L2 network they might have that disallows H2 and 
>H3 from communicating with each other even though they're in the same vlan 
>will make this completely stop working if R1 doesn't have a knob to 
>disallow it from sending redirects that might indicate that H2 and H3 are 
>on the same L2 domain (on-link).

RFC 4861 (Neighbor Discovery for IP version 6 (IPv6)), section 8.3, Host Specification:
[...]
"If the Target and Destination Addresses are the same, the host MUST treat the Target as on-link."

I have no idea why you want hosts on the same vlan and then use L2 filtering
to prevent them from communicating directly. But yes, if the router would
then start sending redirects, it would create a mess.
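The following is an added example, not code from the thread or from any of its participants. It applies the RFC 4861 section 8.3 rule quoted above to a parsed ICMPv6 Redirect and shows, for the R1/H2/H3 layout in the quoted message, how a host-side check can tell a redirect that merely names a better first-hop router apart from one that declares another host on-link. The segment prefix 2001:db8::/64 stands in for the thread's X::, fe80::1 is assumed to be R1's link-local address, the function names are mine, and the source-address check follows RFC 4861 section 8.1 (a host accepts a redirect only from the link-local address of its current first-hop router); checksum and hop-limit validation are omitted.

```python
import ipaddress
import struct

REDIRECT_TYPE = 137                 # ICMPv6 Redirect message type (RFC 4861 section 4.5)
HEADER = struct.Struct("!BBHI")     # type, code, checksum, 4 reserved bytes


def build_redirect(target, destination):
    """Build a minimal Redirect body: header, 16-byte Target, 16-byte Destination.
    Options are omitted and the checksum is zeroed; constructed test input only."""
    return (HEADER.pack(REDIRECT_TYPE, 0, 0, 0)
            + ipaddress.IPv6Address(target).packed
            + ipaddress.IPv6Address(destination).packed)


def parse_redirect(data):
    """Return (target, destination) from a Redirect body, rejecting malformed input."""
    if len(data) < HEADER.size + 32:
        raise ValueError("redirect too short")
    icmp_type, code, _checksum, _reserved = HEADER.unpack_from(data)
    if icmp_type != REDIRECT_TYPE:
        raise ValueError("not an ICMPv6 Redirect")
    if code != 0:
        raise ValueError("redirect code must be 0")
    target = ipaddress.IPv6Address(data[8:24])
    destination = ipaddress.IPv6Address(data[24:40])
    return target, destination


def classify_redirect(target, destination):
    """RFC 4861 8.3: Target == Destination means the destination itself is on-link.
    Otherwise Target names a better first-hop router and must be link-local."""
    if target == destination:
        return "on-link"
    if target.is_link_local:
        return "better-first-hop"
    return "invalid"


def redirect_breaks_isolation(src, target, destination, first_hop, segment):
    """Host-side check for the thread's layout: every host holds only its own /128
    and a default route to R1's link-local address, so all traffic goes via R1.
    A redirect from R1 that makes another host of the segment on-link undoes that;
    return True when an accepted redirect would do so."""
    src = ipaddress.IPv6Address(src)
    # RFC 4861 8.1: redirects not from the current first-hop router are discarded.
    if not src.is_link_local or src != first_hop:
        return False
    return classify_redirect(target, destination) == "on-link" and destination in segment


# Constructed scenario mirroring the thread: R1 X::1/64, H2 X::2/128, H3 X::3/128
SEGMENT = ipaddress.IPv6Network("2001:db8::/64")
R1_LINK_LOCAL = ipaddress.IPv6Address("fe80::1")   # assumed, learnt by H2 via RA
H3 = "2001:db8::3"


def demo():
    """Run the three interesting cases and return their outcomes (seen from H2)."""
    results = {}
    # R1 tells H2 that H3 is directly reachable: Target == Destination.
    t, d = parse_redirect(build_redirect(H3, H3))
    results["onlink"] = (classify_redirect(t, d),
                         redirect_breaks_isolation("fe80::1", t, d, R1_LINK_LOCAL, SEGMENT))
    # R1 points H2 at another router for H3: Target is link-local, != Destination.
    t, d = parse_redirect(build_redirect("fe80::2", H3))
    results["router"] = (classify_redirect(t, d),
                         redirect_breaks_isolation("fe80::1", t, d, R1_LINK_LOCAL, SEGMENT))
    # The same on-link redirect from a source that is not H2's first hop: ignored.
    t, d = parse_redirect(build_redirect(H3, H3))
    results["not_first_hop"] = redirect_breaks_isolation("fe80::99", t, d, R1_LINK_LOCAL, SEGMENT)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the split between `classify_redirect` and `redirect_breaks_isolation` is that the first is what every conforming host already does, while the second is the local policy the quoted message is asking for: a way to notice (or, on the router, to suppress) redirects whose Target equals the Destination when the network relies on hosts not being on-link to each other.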