08-02-2012 04:32 AM - edited 03-07-2019 08:07 AM
Hello,
Has someone got an opinion on the advantages and disadvantages of IPv6 auto-configuration in an ISP environment?
Regards,
08-02-2012 03:06 PM
Hello Kamil,
I believe we need more information to understand your question. What exact kind of IPv6 autoconfiguration in an ISP environment do you have in mind? Are you asking about IPv6 stateless autoconfiguration, or do you focus on DHCPv6 Prefix Delegation? Or perhaps do you have a different mechanism in mind? Also, where exactly in an ISP environment do you see this mechanism being deployed?
Thank you!
Best regards,
Peter
08-03-2012 01:24 AM
Hello Peter,
Thanks for your insight.
What I meant was IPv6 stateless auto-configuration.
We provide a layer two connection in our Data Centre with SVI termination on our side being used as DG to the back-end customer. The SVI is being redistributed into the core of the network.
SVI terminates with IPv4 and IPv6 - both are providing a pool of the IP addresses for the client's usage - no DHCP involved at all, the IPs are manually assigned on the end-customer's side - until now, when our client has asked us for IPv6 stateless auto-configuration.
Therefore my questions:
1. Are there any known security implications of such a configuration - IPv6 auto-config in ISP environment? I would assume that since this is a layer 2 "pipe" with SVI on the top, IPv6 addresses will be traversing only along this "pipe" towards client's network...
2. I would expect the end customer to have IPv6 auto-configuration inside their enterprise
3. Is it an appropriate and recommended methodology to deploy IPv6 auto-configuration in ISP scenarios?
Thank you again.
Regards,
Kamil
08-09-2012 01:54 PM
Hello Kamil,
I apologize for answering so late.
1. Are there any known security implications of such a configuration - IPv6 auto-config in ISP environment? I would assume that since this is a layer 2 "pipe" with SVI on the top, IPv6 addresses will be traversing only along this "pipe" towards client's network...
Please take my answer here with a grain of salt as I do not work in an ISP environment.
From the perspective of the ISP alone, there are no obvious security issues related to client IPv6 address autoconfiguration because you as an ISP do not use it yourself, you just offer this service to a client. That means that you cannot be influenced by whatever setting the client chooses, nor should you be affected by any client router also offering IPv6 autoconfig service. In fact, it is very probable that you are already allowing the client to use IPv6 autoconfig because the default setting on Cisco routers is to send the Router Advertisements as soon as the IPv6 routing is configured and the interface is assigned an IPv6 address.
2. I would expect the end customer to have IPv6 auto-configuration inside their enterprise
Not necessarily. The IPv6 autoconfig is a per-link feature, meaning that each interface of a router can offer (or decline to offer) this functionality individually and independently of other interfaces. If you offer IPv6 autoconfig to your client, you are only offering this functionality to the client's devices directly attached to your own router. If the client has another router, networks behind it are not using your IPv6 autoconfig services but rather that router's services.
3. Is it an appropriate and recommended methodology to deploy IPv6 auto-configuration in ISP scenarios?
I do not feel qualified to authoritatively answer this question. In general, however, the connection between an ISP and the customer is a link where only provider and customer routers reside, and in my opinion, it is not appropriate for routers to depend on autoconfiguration.
Best regards,
Peter
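A way to check what a link is actually offering, given the point above that Cisco routers send Router Advertisements by default: this is an added example, not part of the original thread, that parses a Router Advertisement in the RFC 4861 layout and lists the prefixes hosts would autoconfigure from. The function names, the sample packet and the 2001:db8:0:1::/64 prefix are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134); the checksum is not verified."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", icmp[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length field is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack("!BBII", icmp[off + 2:off + 12])
            net = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += opt_len  # other options (e.g. source link-layer address) are skipped
    return ra

def slaac_prefixes(ra: dict) -> list:
    """Prefixes a host would form an address from (assumes 64-bit interface IDs)."""
    return [p["prefix"] for p in ra["prefixes"]
            if p["autonomous"] and p["valid"] > 0 and p["prefix"].endswith("/64")]

def build_sample_ra(prefix: str, autonomous: bool) -> bytes:
    """Constructed test input: RA with a source link-layer option and one prefix."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex("02005e000001")  # constructed MAC address
    pflags = 0x80 | (0x40 if autonomous else 0)  # L flag always set, A flag optional
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 2592000, 604800, 0)
    return header + slla + pio + net.network_address.packed

if __name__ == "__main__":
    for auto in (True, False):
        ra = parse_ra(build_sample_ra("2001:db8:0:1::/64", auto))
        print("A flag set:", auto, "-> SLAAC prefixes:", slaac_prefixes(ra))
```
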
08-10-2012 01:47 AM
Hello Peter,
Thanks for your valuable input.
1. We block the NDs from being sent towards our clients by default. This is a legacy of our previous Network Manager's policy, as it does not seem an appropriate technique for an ISP to offer IPv6 stateless autoconfig, even despite the fact that a client's network is a totally isolated VLAN - perhaps I am wrong and other ISPs offer such a service in their portfolio.
2. This makes perfect sense, but as far as I know, our client has a dummy layer 2 switch which by default has all the ports in the same VLAN leading to the server farm, hence he cannot create any IPv6 routing on his side - unlucky.
3. I totally agree with you.
Many thanks.
Regards,
Kamil.