Re: [v6ops] control and security of DHCP
Ray Hunter <v6ops@globis.net> Tue, 14 January 2014 19:23 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 239191AE139 for <v6ops@ietfa.amsl.com>; Tue, 14 Jan 2014 11:23:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.521
X-Spam-Level:
X-Spam-Status: No, score=-0.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_26=0.6, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltoNf9Qdpyv7 for <v6ops@ietfa.amsl.com>; Tue, 14 Jan 2014 11:23:53 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 86A471ADFB1 for <v6ops@ietf.org>; Tue, 14 Jan 2014 11:23:52 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id B3CC987149F; Tue, 14 Jan 2014 20:23:40 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJVHAqCKSMCo; Tue, 14 Jan 2014 20:23:40 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 8F80987006A; Tue, 14 Jan 2014 20:23:40 +0100 (CET)
Message-ID: <52D58EBB.1070008@globis.net>
Date: Tue, 14 Jan 2014 20:23:39 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Owen DeLong <owen@delong.com>
References: <1808340F7EC362469DDFFB112B37E2FCDA31A30EB1@SRVHKE02.rdm.cz> <52CFB8D5.70900@gmail.com> <B54D5283-8880-434A-A3C0-9BFF0081E13B@gmail.com> <20140110.124610.74672987.sthaug@nethelp.no> <60C5513D-B8DA-48D6-82D3-53E148F9F7BA@gmail.com> <52D0157D.6040009@foobar.org> <alpine.DEB.2.02.1401101651580.20074@uplift.swm.pp.se> <D1FC3C0B-CC5D-44BC-B753-2F1BD94A48FA@nominum.com> <CAKD1Yr1C0jRNq-ta=HeGFusC8VFGGg1ffDFLoroUoiHmX-KYiA@mail.gmail.com> <52D18F22.1070708@foobar.org> <CAKD1Yr2PrG_Rit2YCAkep4_-LUSqNpEU-t+ttRsLPpSbYVLoig@mail.gmail.com> <1389490607.51957.YahooMailNeo@web161904.mail.bf1.yahoo.com> <52D2A8EF.2040901@foobar.org> <52D4E794.3070109@globis.net> <52D57214.1070505@foobar.org> <52D57DC5.9080603@globis.net> <807E80E4-40CA-49CD-AC7D-F512D5B51B23@delong.com>
In-Reply-To: <807E80E4-40CA-49CD-AC7D-F512D5B51B23@delong.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] control and security of DHCP
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 19:23:58 -0000
> Owen DeLong <mailto:owen@delong.com> > 14 January 2014 19:17 > On Jan 14, 2014, at 10:11 , Ray Hunter<v6ops@globis.net> wrote: > >>> Nick Hilliard<mailto:nick@foobar.org> >>> 14 January 2014 18:21 >>> >>> private vlans are troublesome, to say the least. In a virtualised >>> environment, you need multi-switch support for specific types of pvlans. >>> This places vendor restrictions on the types of kit you need to deploy. >>> >>> Nick >>> ------------------------------------------------------------------------ >> Yes. >> >> I've read posts from a number of DC operators who have expressly chosen for PVLANs compared to deploying dedicated L3 ports per server/ customer in multi-tenant environments, driven by a desire to save on very scarce public IPv4 addresses. > > Which might make sense when the customers are on separate hardware. Agreed. But if you can emulate a L2 LAN, or a L3 router, you can presumably also emulate a PVLAN. > When the customers are separate virtuals on the same hardware, PVLANs become a bit less useful, though at that point, dedicated L3 ports in the virtual switch on the host become much more feasible, though you still have the network addressing cost issue if you're tied to IPv4. Right.. >> That of course will likely bring problems migrating to IPv6 in the future e.g. DAD is probably not going to be able to detect duplicate addresses via multicast. > > Depends on how the PVLANs treat link-scoped IPv6 multicast. Yes. There's no standard AFAIK. > >> Hence my suggestion of prefix length>> 64 + PVLAN + DHCPv6 + DHCPv6 setting default router + HSRPv6/VRRPv3 to exactly mirror the IPv4 setup. > > Not sure how that really helps. Why is a longer prefix length allegedly useful in this context? > > Owen > > The context of this thread was a request for DHCPv6 to be able to set the default router, and avoid using RA. That's an interesting topic. I'm happy to continue the discussion about prefix length in detail, but shall we do that another time? Is it sufficient for now to say that in a virtual environment, I think it's even more important to contain resource depletion problems and potential cross-contamination between environments? The memory used to contain e.g. an ND table on one virtual LAN switch or router is almost certainly allocated from a shared pool that may not be well protected from overflowing. And it's going to be very easy to fill up the TCP session tables in e.g. machine firewalls using ip6tables, if a single rogue source on the local DC LAN can spoof source addresses from the equivalent of an entire continent today. -- Regards, RayH
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Pete Vickers
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Alexandru Petrescu
- Re: [v6ops] control and security of DHCP (was: DH… Alexandru Petrescu
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP (was: DH… Gert Doering
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Gert Doering
- Re: [v6ops] control and security of DHCP Owen DeLong
- Re: [v6ops] control and security of DHCP Brian E Carpenter
- Re: [v6ops] control and security of DHCP Mark Andrews
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] DHCPv6/SLAAC Interaction Operational … Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Tim Chown
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Vízdal Aleš
- Re: [v6ops] control and security of DHCP Vízdal Aleš
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Vízdal Aleš
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Pete Vickers
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] control and security of DHCP sthaug
- Re: [v6ops] control and security of DHCP Pete Vickers
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Templin, Fred L
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Simon Perreault
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP joel jaeggli
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Tore Anderson
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Gert Doering
- Re: [v6ops] control and security of DHCP Templin, Fred L
- Re: [v6ops] control and security of DHCP Mikael Abrahamsson
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Alexandru Petrescu
- Re: [v6ops] link types for both RA and DHCP 'was:… Alexandru Petrescu
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] link types for both RA and DHCP 'was:… Templin, Fred L
- Re: [v6ops] control and security of DHCP Ray Hunter
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Ted Lemon
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Ray Hunter
- Re: [v6ops] control and security of DHCP Owen DeLong
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Lorenzo Colitti
- Re: [v6ops] control and security of DHCP Nick Hilliard
- Re: [v6ops] control and security of DHCP Ray Hunter
- Re: [v6ops] control and security of DHCP Owen DeLong
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] control and security of DHCP Mark ZZZ Smith
- Re: [v6ops] control and security of DHCP Tim Chown
- Re: [v6ops] control and security of DHCP Templin, Fred L
- Re: [v6ops] control and security of DHCP Owen DeLong