On Mar 26, 2014, at 4:25 PM, Luke S. Crawford <l...@prgmr.com> wrote:
> On 03/26/2014 03:49 PM, Matt Palmer wrote: >> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote: >>> There are many ways to skin this cat; stateless autoconfig looks >>> like it mostly works, but privacy extensions seem to be the default >>> in many places; outgoing IPv6 from those random addresses will trip >>> my BCP38 filters. >> >> Your what-now? You do realise SLAAC works entirely within a single /64, >> which shouldn't be difficult to decide is either routable or not in one hit, >> right? > > If you give every customer their own vlan and /64, sure. That can be done, > and there are many advantages to doing it that way. But it's quite a bit > more complex than my current setup. > > The way I'm setup now, I've got an IPv4 address block on a vlan, and an > IPv6/64 on the same vlan. I have many customers on that vlan. Each > customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. > (if the customer wants more IPv6, we just route a /64 to the /128 they are > allowed.) There are firewall rules that only allow appropriate packets in > and out of the interface. These rules are important for privacy as well as > preventing spoofing; they prevent sniffing of most traffic bound for other > guests. Why not just use private VLAN layer 2 controls for the privacy you describe? Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers. Owen
