On Tue, Jun 14, 2011 at 12:41, Ray Soucy <rps@maine.edu> wrote:
The energy in this thread should be focused on switch vendors to actually implement L2 security features for IPv6, which is usually an easy upgrade, rather than calling for all host implementations of IPv6 to work differently, which will take a decade to implement and be a band-aid at best; not a good long-term design for the protocol.
There was a thread on this subject over on ipv6-ops ("Hello to the list and RA guard evasion technique") recently which outlined some of the problems currently facing vendors in implementing those 'easy upgrade' L2 security features. Due to the current state of host stacks with regards to fragment reassembly, it's almost impossible to implement easily on a layer 2 device without exposing yourself to other DoS possibilities.

There are also some I-Ds which cover the issues:

http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt
http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-00.txt

~Matt