nanog mailing list archives

Re: IPv6 end user addressing
From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 8 Aug 2011 23:37:11 -0500

On Mon, Aug 8, 2011 at 10:43 PM, Chris Adams <cmadams () hiwaay net> wrote:
>> Even on a server lan you'll occasionally want to plug in a PC for
>> diagnostics without having to poke in an IP address by hand.
> Actually, nobody should be plugging any random device into my server
> LANs, and I certainly don't want to encourage it by having it work (even
> if just for IPv6).

If you must not have someone plugging into your server LAN without
permission, you turn unused ports off, or preferably, place them in a
VLAN island with no topological connection to anything.

Because it's going to be easier to turn the port back on than to give
someone a 128-bit IPv6 address, IPv6 netmask, IPv6 DNS servers, and IPv6
default gateway address set to manually key into their machine.

If someone can get to a live port, assuming it's not protected by
802.1X port security or similar, IPv6 will "just work" for fe80::
link-local connectivity, whether you deploy stateless auto-config or
not, which is enough connectivity to find and mess with servers in the
LAN.

And probably enough connectivity to say "that's too much connectivity",
if the LAN is indeed restricted.

Similar to how IPv4 has RFC 3927, except IPv6 link-local addresses
get assigned even to devices that have global IPv6 IPs,
so the link-local 'subnet' is active even on fully connected devices.
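The mechanism behind the "just works" point above, as an added example that is not part of the original message or of anything the poster wrote: a host on a live port needs no DHCP and no router advertisement to get an fe80::/10 address, because (per RFC 4291) it derives one from its own MAC address with the modified EUI-64 rule, and Neighbor Discovery then lets it find every other node on the segment via the ff02::1 all-nodes group. The MAC and IPv6 addresses in the block are constructed sample values. One caveat a practitioner should know: many current operating systems now build the interface identifier from RFC 7217 (stable, opaque) or RFC 4941 (temporary) rules instead of EUI-64, so the derived address may not match a real host, but the link-local scope and the multicast discovery groups below are the same regardless of how the identifier was chosen.

```python
"""IPv6 link-local addressing from the attacker-on-a-port point of view.

Added example for the thread above (not the poster's code). Demonstrates:
  * modified EUI-64 interface identifiers (RFC 4291, Appendix A),
  * the fe80::/64 link-local address a host autoconfigures from its MAC,
  * the solicited-node multicast group Neighbor Discovery listens on,
  * sorting a host's addresses by scope to show that a fully connected
    (globally addressed) host still has an active link-local address.
All MAC and IPv6 values used here are constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
# Every IPv6 node joins this group; "ping6 ff02::1%<iface>" from a live port
# is the classic way to enumerate neighbours with zero configuration.
ALL_NODES = ipaddress.IPv6Address("ff02::1")

AddrLike = Union[str, ipaddress.IPv6Address]


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC ("aa:bb:cc:dd:ee:ff")."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Split the MAC, insert ff:fe in the middle, and invert the
    # universal/local bit (0x02) of the first octet.
    first = bytes([octets[0] ^ 0x02])
    return first + octets[1:3] + b"\xff\xfe" + octets[3:6]


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host autoconfigures without DHCP or RAs."""
    prefix = b"\xfe\x80" + b"\x00" * 6  # fe80:0000:0000:0000 /64
    return ipaddress.IPv6Address(prefix + mac_to_eui64(mac))


def solicited_node_multicast(addr: AddrLike) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group (RFC 4291 section 2.7.1) for the low 24 bits of addr.

    A host listens on this group for Neighbor Solicitations, so anyone on
    the link can resolve its MAC and talk to it, global address or not.
    """
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def is_link_local(addr: AddrLike) -> bool:
    """True for fe80::/10, the scope that is reachable from any live port."""
    return ipaddress.IPv6Address(addr) in LINK_LOCAL


def scope_report(addresses: Iterable[AddrLike]) -> Dict[str, List[str]]:
    """Sort a host's addresses into link-local vs. everything else.

    The point from the thread: a server with a global address still shows
    up under "link_local", so the fe80:: 'subnet' is live on every host.
    """
    report: Dict[str, List[str]] = {"link_local": [], "other": []}
    for a in addresses:
        a6 = ipaddress.IPv6Address(a)
        report["link_local" if a6 in LINK_LOCAL else "other"].append(str(a6))
    return report


if __name__ == "__main__":
    # Constructed sample MAC of a hypothetical server NIC.
    mac = "00:1b:21:3c:4d:5e"
    ll = mac_to_link_local(mac)
    print(f"{mac} -> link-local {ll}")
    print(f"  solicited-node group: {solicited_node_multicast(ll)}")
    print(f"  all-nodes group:      {ALL_NODES}")
    # Constructed address list for a fully connected host: it still has fe80::.
    print(scope_report(["2001:db8::1", str(ll)]))
```

The `0x02` flip is what turns a globally unique MAC (first octet 00) into an identifier starting 02, which is why link-local addresses derived from burned-in MACs typically look like `fe80::2xx:...`; a locally administered MAC (first octet 02, common for virtual machines) flips the other way. Nothing in the derivation consults the network, which is exactly why turning the port off or isolating it in a dead-end VLAN, as the message recommends, is the control that matters rather than withholding a global prefix.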
