
On Mon, Aug 8, 2011 at 10:43 PM, Chris Adams <cmadams@hiwaay.net> wrote:
> > Even on a server LAN you'll occasionally want to plug in a PC for diagnostics without having to poke in an IP address by hand.
> Actually, nobody should be plugging any random device into my server LANs, and I certainly don't want to encourage it by having it work (even if just for IPv6).
If you must not have someone plugging into your server LAN without permission, you turn unused ports off, or preferably, place them in a VLAN island with no topological connection to anything, because it's going to be easier to turn the port back on than to give someone a 128-bit IPv6 address, IPv6 netmask, IPv6 DNS servers, and IPv6 default gateway address to manually key into their machine. If someone can get to a live port, assuming it's not protected by 802.1X port security or similar, IPv6 will "just work" for fe80:: link-local connectivity, whether you deploy stateless auto-config or not, which is enough connectivity to find and mess with servers in the LAN. And probably enough connectivity to say "that's too much connectivity", if the LAN is indeed restricted. Similar to how IPv4 has RFC 3927, except IPv6 link-local addresses get assigned even to devices that have global IPv6 addresses, so the link-local 'subnet' is active even on fully connected devices.
Regards, -- -JH
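The point JH makes above, that an unconfigured host on a live port gets an fe80:: address and can reach its neighbours without any DHCP, router advertisement or manual configuration, is easy to see by working through the classic derivation. The following is an added example, not code from the thread or from either poster: it derives the modified EUI-64 link-local address (RFC 4291) from a MAC, computes the solicited-node multicast group that Neighbor Discovery uses to resolve it, and builds the list of targets a stray laptop could probe on an interface. The MAC addresses and the interface name `eth0` are constructed sample input. Note that many current stacks randomise the interface identifier (RFC 7217 stable-privacy on Linux, random IIDs on Windows) instead of using EUI-64; the address still lands in fe80::/64 and the all-nodes group ff02::1 still answers, so the reachability argument is unchanged.

```python
import ipaddress
import re

# Constructed sample: MAC addresses one might see on a server segment.
SAMPLE_MACS = ["00:1a:2b:3c:4d:5e", "52:54:00:ab:cd:ef"]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Derive the classic fe80::/64 link-local address a host assigns itself
    from its MAC via modified EUI-64 (RFC 4291, Appendix A). No DHCP, no
    router advertisement and no manual configuration is involved."""
    octets = [int(x, 16) for x in re.split(r"[:-]", mac.strip())]
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02                                  # flip the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]     # insert ff:fe in the middle
    iid = int.from_bytes(bytes(eui64), "big")
    prefix = int(ipaddress.IPv6Address("fe80::"))
    return ipaddress.IPv6Address(prefix | iid)


def solicited_node_multicast(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group that Neighbor Discovery uses to resolve addr.
    Every node joins it for each of its own addresses automatically, which is
    why a neighbour answers NS/NA without any configuration on either side."""
    low24 = int(addr) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def is_link_local(addr: str) -> bool:
    """True for anything in fe80::/10, i.e. the always-on 'subnet' JH describes."""
    return ipaddress.IPv6Address(addr).is_link_local


def sweep_plan(macs, ifname: str):
    """Targets an unconfigured host plugged into `ifname` could probe: the
    all-nodes group first (one ping enumerates every IPv6 node on the link),
    then each neighbour's predicted link-local address. The %ifname zone id
    is what a real ping6/ping -6 needs for link-local scope."""
    targets = [f"ff02::1%{ifname}"]
    for mac in macs:
        targets.append(f"{link_local_from_mac(mac)}%{ifname}")
    return targets


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        ll = link_local_from_mac(mac)
        print(f"{mac} -> {ll}  (solicited-node {solicited_node_multicast(ll)})")
    print("probe order:", sweep_plan(SAMPLE_MACS, "eth0"))
```

The practical check on a real segment is the first entry of `sweep_plan`: `ping6 -c1 ff02::1%eth0` from an otherwise unconfigured host will get replies from every IPv6-enabled node on the link, which is exactly the behaviour the VLAN island or 802.1X is there to deny.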