Joao hi,

Thnx for comments. Please see my thoughts inline.

On 7.10.10 11:11, João Damas wrote:
Apple is an organisation. It does not take decisions. People at Apple do. In this case, you need to talk to Stuart Cheshire.
Does anyone know or have contact with Stuart Cheshire @Apple?
- ULA optional: I don't exactly see how a host could support IPv6 at all and not do ULA. It's just Yet Another Prefix.
Agree. Moving to mandatory.
+1
ack.
Enterprise switch: - RA-guard: your enemy is not -unsolicited- RA, your enemy is -unauthorized- RA. As in, the laptop your sales guy brought in announcing itself as the gateway to the world, even if RA was solicited.
AFAIK RA-guard prevents RA packets being sent from ports that are "declared" as "hosts" ports and connected hosts not authorized to send RA as such.
how is a host-based mechanism based on prevention of outgoing packets ever going to work? I mean, it can prevent accidents (perhaps, it is not a guarantee, look at usual list of ad-hoc Wifi SSIDs at any event) but it sure won't prevent intentional unauthorised RAs. Distinguishing authorised from non-authorised is of course no simple matter, probably needing pre-auth, which kind of takes the automation out of the equation. It's almost like the IPv6 designers didn't have access to real networks during protocol development (no DHCP initially, silly TLA/SLA crap...)
This is meant to work at switch port level. You declare a "router" port and let RA packets go through only on that physical port, "snooping" for RA packets in the switch and blocking RA packets on all other ports...
Firewall (etc): - an application firewall that speaks BGP? at all? usefully? I've seen (D)DoS blackholing devices that speak BGP, otherwise that part of routing is not really best run on firewalls.
That's why it says "if requested". I agree that BGP is not best run on a firewall, but some people practice that idea, mainly because of cutting costs, and for small-mid companies it might work out well for most of the time.
is this one v6 specific?
No. Same story on v4.

Thnx,
/jan
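
The switch-port RA filtering described in the thread, as an added example that is not part of the original message or any vendor's implementation: a frame arriving on a port declared as host is dropped if it carries an ICMPv6 Router Advertisement (type 134), including one placed behind extension headers. The role names, function names and sample frames are assumptions constructed for illustration, and frames are assumed to be untagged Ethernet.

```python
import struct

ICMPV6, RA_TYPE, FRAGMENT = 58, 134, 44
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def ra_guard(frame: bytes, port_role: str) -> str:
    """Return 'forward' or 'drop' for a frame arriving on a switch port.
    port_role is 'router' or 'host' (role names assumed for this example)."""
    if port_role == "router":
        return "forward"              # the declared router port may send RAs
    if len(frame) < 14 or frame[12:14] != b"\x86\xdd":
        return "forward"              # not IPv6, nothing for RA-guard to do
    pkt = frame[14:]
    if len(pkt) < 40:
        return "drop"                 # truncated IPv6 header
    nxt, off = pkt[6], 40
    # Walk the extension header chain so an RA behind options is still seen.
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if len(pkt) < off + 8:
            return "drop"             # chain cannot be followed on a host port
        if nxt == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "forward"      # later fragment carries no ICMPv6 header
            nxt, off = pkt[off], off + 8
        else:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == ICMPV6:
        if len(pkt) <= off:
            return "drop"             # ICMPv6 type missing from this frame
        if pkt[off] == RA_TYPE:
            return "drop"             # RA from a port declared as host
    return "forward"

def sample_frame(icmp_type: int, dest_opts: bool = False) -> bytes:
    """Constructed frame: Ethernet + IPv6 (+ destination options) + ICMPv6."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(12)
    # Destination options header: next=ICMPv6, len=0, PadN filling 6 octets.
    opts = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) if dest_opts else b""
    payload = opts + icmp
    first_nh = 60 if dest_opts else ICMPV6
    ipv6 = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 255) + bytes(32)
    return bytes(12) + b"\x86\xdd" + ipv6 + payload
```

As the thread notes, this only separates ports by declared role; it does not authenticate the router behind the "router" port.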