Re: [v6ops] control and security of DHCP
Ray Hunter <v6ops@globis.net> Tue, 14 January 2014 18:11 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412981AE167 for <v6ops@ietfa.amsl.com>; Tue, 14 Jan 2014 10:11:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbiGJpTvX5-9 for <v6ops@ietfa.amsl.com>; Tue, 14 Jan 2014 10:11:35 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id ECD061AE176 for <v6ops@ietf.org>; Tue, 14 Jan 2014 10:11:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 0DFF687149A; Tue, 14 Jan 2014 19:11:19 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NUcMxZ+F9En; Tue, 14 Jan 2014 19:11:18 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id E0AF3871499; Tue, 14 Jan 2014 19:11:18 +0100 (CET)
Message-ID: <52D57DC5.9080603@globis.net>
Date: Tue, 14 Jan 2014 19:11:17 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Nick Hilliard <nick@foobar.org>
References: <1808340F7EC362469DDFFB112B37E2FCDA31A30EB1@SRVHKE02.rdm.cz> <52CFB8D5.70900@gmail.com> <B54D5283-8880-434A-A3C0-9BFF0081E13B@gmail.com> <20140110.124610.74672987.sthaug@nethelp.no> <60C5513D-B8DA-48D6-82D3-53E148F9F7BA@gmail.com> <52D0157D.6040009@foobar.org> <alpine.DEB.2.02.1401101651580.20074@uplift.swm.pp.se> <D1FC3C0B-CC5D-44BC-B753-2F1BD94A48FA@nominum.com> <CAKD1Yr1C0jRNq-ta=HeGFusC8VFGGg1ffDFLoroUoiHmX-KYiA@mail.gmail.com> <52D18F22.1070708@foobar.org> <CAKD1Yr2PrG_Rit2YCAkep4_-LUSqNpEU-t+ttRsLPpSbYVLoig@mail.gmail.com> <1389490607.51957.YahooMailNeo@web161904.mail.bf1.yahoo.com> <52D2A8EF.2040901@foobar.org> <52D4E794.3070109@globis.net> <52D57214.1070505@foobar.org>
In-Reply-To: <52D57214.1070505@foobar.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] control and security of DHCP
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 18:11:36 -0000
> Nick Hilliard <mailto:nick@foobar.org> > 14 January 2014 18:21 > > private vlans are troublesome, to say the least. In a virtualised > environment, you need multi-switch support for specific types of pvlans. > This places vendor restrictions on the types of kit you need to deploy. > > Nick > ------------------------------------------------------------------------ Yes. I've read posts from a number of DC operators who have expressly chosen for PVLANs compared to deploying dedicated L3 ports per server/ customer in multi-tenant environments, driven by a desire to save on very scarce public IPv4 addresses. That of course will likely bring problems migrating to IPv6 in the future e.g. DAD is probably not going to be able to detect duplicate addresses via multicast. Hence my suggestion of prefix length >> 64 + PVLAN + DHCPv6 + DHCPv6 setting default router + HSRPv6/VRRPv3 to exactly mirror the IPv4 setup. It would also mean that any failovers are likely to be very similar for both IPv4 and IPv6 paths, and that HSRPv6//VRRPv3 generally has more features (track/ preempt/ MD5 authentication) which RA clearly doesn't have (yet), which I see as clear operational advantages. My opinion is that combination is a pretty valid use case for transitioning a multi-tenant IPv4 environment to IPv6 using dual stack, and which requires the additional functionality you want. Otherwise people running IPv4 PVLANs are going to get painted into a corner. So what security are you suggesting to deploy to ensure that your set up remains sufficiently isolated between customers, even though they share a L2 LAN? I'm not saying necessarily that RA should be the only game in town, but it is there today. And we all know how hard it is to prevent attacks by on-link attackers (not just RA). -- Regards, RayH
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Pete Vickers
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Alexandru Petrescu
- Re: [v6ops] control and security of DHCP (was: DH… Alexandru Petrescu
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP (was: DH… Gert Doering
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Gert Doering
- Re: [v6ops] control and security of DHCP Owen DeLong
- Re: [v6ops] control and security of DHCP Brian E Carpenter
- Re: [v6ops] control and security of DHCP Mark Andrews
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Tim Chown
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Vízdal Aleš
- Re: [v6ops] control and security of DHCP Vízdal Aleš
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Vízdal Aleš
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Pete Vickers
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP sthaug
- Re: [v6ops] control and security of DHCP Pete Vickers
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Templin, Fred L
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Simon Perreault
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Templin, Fred L
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] link types for both RA and DHCP 'was:… Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] link types for both RA and DHCP 'was:… Templin, Fred L
- Re: [v6ops] control and security of DHCP Ray Hunter
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Ray Hunter
- Re: [v6ops] control and security of DHCP Owen DeLong
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Ray Hunter
- Re: [v6ops] control and security of DHCP Owen DeLong
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] control and security of DHCP Tim Chown
- Re: [v6ops] control and security of DHCP Templin, Fred L
- Re: [v6ops] control and security of DHCP Owen DeLong