This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] New draft document available: Requirements For IPv6 in ICT Equipment
Jan Zorz @ go6.si
jan at go6.si
Fri Oct 8 10:11:36 CEST 2010
Joao hi,

Thnx for comments. Please see my thoughts inline.

On 7.10.10 11:11, João Damas wrote:

> Apple is an organisation. It does not take decisions. People at Apple do. In
> this case, you need to talk to Stuart Cheshire.

Does anyone know or have contact with Stuart Cheshire @Apple?

>>
>>> - ULA optional: I don't exactly see how a host could support IPv6 at all
>>> and not do ULA. It's just Yet Another Prefix.
>>
>> Agree. Moving to mandatory.
>>
>
> +1

ack.

>>> Enterprise switch: - RA-guard: your enemy is not -unsolicited- RA, your
>>> enemy is -unauthorized- RA. As in, the laptop your sales guy brought in
>>> announcing itself as the gateway to the world, even if RA was solicited.
>>
>> AFAIK RA-guard prevents RA packets being sent from ports, that are
>> "declared" as "hosts" ports and connected hosts not authorized to send RA
>> as such.
>>
>
> how is a host-based mechanism based on prevention of outgoing packets ever
> going to work? I mean, it can prevent accidents (perhaps, it is not a
> guarantee, look at usual list of ad-hoc Wifi SSIDs at any event) but it sure
> won't prevent intentional unauthorised RAs. Distinguishing authorised from
> non-authorised is of course no simple matter, probably needing pre-auth,
> which kind of takes the automation out of the equation. It's almost like the
> IPv6 designers didn't have access to real networks during protocol
> development (no DHCP initially, silly TLA/SLA crap...)

This is meant to work on switch ports level. You declare "router" port and let
RA packets go through only on that physical port, "snooping" for RA packets in
the switch and blocking RA packets on all other ports...

>>> Firewall (etc): - an application firewall that speaks BGP? at all?
>>> usefully? I've seen (D)DoS blackholing devices that speak BGP, otherwise
>>> that part of routing is not really best run on firewalls.
>>
>> That's why it says "if requested". I agree that BGP is not best run on
>> firewall, but some people practice that idea, mainly because of
>> cutting-costs and for small-mid companies it might work out well for most
>> of the time.
>>
>
> is this one v6 specific?

No. Same story on v4.

Thnx, /jan
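
The switch-port filtering described in the reply above, as an added example that is not part of the original message and not any vendor's RA-guard code: a per-port decision that classifies ICMPv6 type 134 (Router Advertisement) and forwards it only from a declared router port. The function names, the port numbers and the sample packets are assumptions made for the illustration.

```python
import struct

ICMPV6, FRAGMENT, RA_TYPE = 58, 44, 134   # RA = ICMPv6 type 134
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options


def icmpv6_type(pkt):
    """Return the ICMPv6 type carried by a raw IPv6 packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    next_header, offset = pkt[6], 40
    # Walk the extension-header chain so an RA that sits behind options
    # headers is still classified as an RA.
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if len(pkt) < offset + 8:
            return None
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", pkt, offset + 2)[0] >> 3:
                return None  # non-first fragment: no upper-layer header
            length = 8
        else:
            length = (pkt[offset + 1] + 1) * 8
        next_header, offset = pkt[offset], offset + length
    if next_header != ICMPV6 or len(pkt) <= offset:
        return None
    return pkt[offset]


def ra_guard(ingress_port, pkt, router_ports):
    """Forward an RA only if it arrived on a declared router port."""
    if icmpv6_type(pkt) == RA_TYPE and ingress_port not in router_ports:
        return "drop"
    return "forward"


def build_icmpv6(icmp_type=RA_TYPE, ext=b"", first_nh=ICMPV6):
    """Constructed sample packet fe80::1 -> ff02::1 (checksum left zero)."""
    payload = ext + bytes([icmp_type, 0, 0, 0]) + bytes(12)
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    header = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 255)
    return header + src + dst + payload


if __name__ == "__main__":
    hbh = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # hop-by-hop header, PadN only
    wrapped = build_icmpv6(ext=hbh, first_nh=0)
    for port, pkt in [(24, build_icmpv6()), (3, build_icmpv6()), (3, wrapped)]:
        print(port, ra_guard(port, pkt, router_ports={24}))  # port 24: assumed uplink
```

The decision depends only on the ingress port and the packet type, so it does not matter whether the RA was solicited.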