11 Nov
2011
11 Nov
'11
3:10 p.m.
On 11/11/2011 1:11 PM, Valdis.Kletnieks@vt.edu wrote:
Would it be*nice* to have RA Guard and DHCP6 snooping in place? Yes. Is it totally impossible to deploy IPv6 until they're fully baked? Not at all - just need to be aware of the issues and be prepared to mitigate. Sure it raises the risk level slightly - but we judge the risks of not being well-positioned for IPv6 to be*much* higher.
From a DSLAM perspective, the security stuff was annoying and often just broke IPv6 all together. I am still a fan of 1 vlan per user and q-in-q. It does have issues in dorm type scenarios where you might not want to bring local traffic all the way back to l3 termination, though. Jack