IPv6 Microsegmentation Done Right

About the Talk

April 29, 2015 11:45 AM

Las Vegas, NV

Layer-2 security (aka first-hop security) is as problematic in IPv6 as it was in IPv4 almost a decade ago. We need to fight the same problems that we had to solve in the IPv4 world (DHCP spoofing, ND spoofing instead of ARP spoofing) and a few new ones unique to the IPv6 world (RA guard, fragmented headers).

What if we stopped relying on large failure domains built with 40-year-old technology that still emulates thick coaxial cable (Ethernet), admitted that many network edge devices support IPv6 routing as well as L2 forwarding, and limited Ethernet to where it was designed to be used: the data link layer between adjacent devices?

Is it possible to build a layer-3-only IPv6 network without assigning a /64 prefix to every host and exploding the IPv6 forwarding tables? This presentation will explore alternative solutions that work well in large-scale production environments.
