On Sun, Dec 20, 2015 at 10:54:49PM -0500, Chuck Church wrote:
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Matt Palmer
Depends on how many devices you have on it. Once you start filling your home with Internet of Unpatchable Security Holes devices, having everything on a single ethernet segment might start to get a little... noisy.
Thankfully, IPv6 has well-defined multicast scopes, which makes it trivially easy to do cross-L2-segment service discovery without needing to resort to manually berking around with firewall rules.
If your home is full of unpatched or compromised hosts, and they're using these well-defined multicast scopes, doesn't that mean they can now communicate and infect one another?
No, multicast for discovery doesn't necessarily mean that the application traffic can also pass. The discovery multicast packets could be filtered at any point within the network, also. However, access control isn't what you asked about. You claimed that multiple L2 segments broke service discovery, and I refuted that point.
For years I've seen people on this list insist on "NAT/PAT != firewall". Well, a router routing everything it sees is even less of a firewall.
Correct. However, nowhere did I suggest that a router should be routing absolutely everything it sees.
I'm really not trying to be argumentative here,
And yet, you're doing an awfully good job of being argumentative, about a subject you really don't seem to know a whole lot about.
but I'm just having a hard time believing Joe Sixpack will be applying business networking principles such as micro-segmenting to a home network with 3 to 7 devices on it. If anything, these complexities we keep adding/debating such as DHCP vs RA, prefix delegation, etc. are only slowing down the general deployment of IPv6.
Yes, it's a pity that people who refuse to learn about the new features that IPv6 provides keep trying to shoehorn IPv6 into their legacy mindset, but there's not a whole lot the rest of us can do about that. - Matt
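The "well-defined multicast scopes" point and the reply that discovery crossing a router does not imply application traffic crosses it are both easier to see in code. The following is an added example, not part of the thread above and not anything either poster wrote. It reads the scope nibble of an IPv6 multicast address (RFC 4291 section 2.7, scope values per RFC 7346) and models a small home router with two routed segments: link-scoped groups such as mDNS (ff02::fb) never leave their segment, a site-scoped discovery group the router has been told to forward does cross, and unicast initiated from the IoT segment toward the trusted segment is dropped regardless. The 2001:db8: prefixes, the segment names, the forwarding list and the unicast policy are all constructed for illustration; real routers need MLD/PIM configuration and stateful rules that this model leaves out.

```python
"""IPv6 multicast scope classification and a toy segment-boundary policy.

Added example (not from the NANOG thread). Prefixes, segment names and the
forwarding policy below are constructed for illustration only.
"""
import ipaddress

# Scope value lives in the low nibble of the second address byte (ff0S::/16).
# Names follow the RFC 7346 allocation; other values are reserved/unassigned.
SCOPE_NAMES = {
    0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
    0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
    0xE: "global",
}

# Constructed home network: one routed /64 for IoT gear, one for trusted hosts.
SEGMENTS = {
    "iot": ipaddress.IPv6Network("2001:db8:1::/64"),
    "trusted": ipaddress.IPv6Network("2001:db8:2::/64"),
}

# Wider-than-link-scope groups this router is willing to forward between
# segments. ff05::1:3 is the site-local All_DHCP_Servers group (RFC 8415).
FORWARDED_GROUPS = {ipaddress.IPv6Address("ff05::1:3")}


def multicast_scope(addr: str) -> tuple[int, str]:
    """Return (scope_nibble, scope_name) for an IPv6 multicast address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not in ff00::/8")
    scope = a.packed[1] & 0x0F  # high nibble of byte 1 holds the flags
    return scope, SCOPE_NAMES.get(scope, "reserved/unassigned")


def is_transient(addr: str) -> bool:
    """T flag (RFC 4291): 1 = dynamically assigned group, 0 = well-known."""
    return bool(ipaddress.IPv6Address(addr).packed[1] & 0x10)


def segment_of(addr: str):
    """Name of the constructed segment an address belongs to, or None."""
    a = ipaddress.IPv6Address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return None


def router_decision(src: str, dst: str) -> str:
    """What the toy router does with a packet from src to dst.

    Multicast: link scope (and narrower) is never forwarded by any router;
    wider scopes cross only if the group is in the forwarding policy.
    Unicast: traffic initiated from the IoT segment toward the trusted
    segment is dropped; the reverse direction is forwarded.  Return
    traffic for trusted-initiated sessions would need state tracking,
    which this model deliberately omits.
    """
    d = ipaddress.IPv6Address(dst)
    if d.is_multicast:
        scope, name = multicast_scope(dst)
        if scope <= 0x2:
            return f"not forwarded: {name} scope never crosses a router"
        if d in FORWARDED_GROUPS:
            return f"forwarded: {name} scope discovery group permitted"
        return f"dropped: {name} scope group not in forwarding policy"

    s_seg, d_seg = segment_of(src), segment_of(dst)
    if s_seg is None or d_seg is None:
        return "dropped: source or destination not in a known segment"
    if s_seg == d_seg:
        return "on-link: same segment, router not involved"
    if s_seg == "iot" and d_seg == "trusted":
        return "dropped: IoT-initiated unicast toward trusted segment"
    return f"forwarded: unicast {s_seg} -> {d_seg}"


if __name__ == "__main__":
    # Constructed flows: mDNS on-link, site-scoped DHCPv6 discovery,
    # and IoT-to-trusted unicast that discovery must not imply.
    for src, dst in [
        ("2001:db8:1::10", "ff02::fb"),
        ("2001:db8:1::10", "ff05::1:3"),
        ("2001:db8:1::10", "2001:db8:2::20"),
        ("2001:db8:2::20", "2001:db8:1::10"),
    ]:
        print(f"{src} -> {dst}: {router_decision(src, dst)}")
```

The separation the reply is making is the last two lines of the policy: the IoT host can reach the site-scoped discovery group, yet its unicast toward the trusted segment is still dropped, so discovery working across segments says nothing about whether application traffic can follow it.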