We’re All Brothers on Link-Local

I was listening to excellent opening presentation Enno Rey had at Troopers 2014 IPv6 security summit (he claimed he was ranting, but it sounded more like some of my polite blog posts) and when I’ve seen this slide I could literally hear a blog post clicking together in my head.

In short: IPv6 has many shortcomings, but this might not be one of them.

The Layer-2 Subnet Model Is Broken

You probably know my opinion on the current layer-2 networking model – apart from being a single failure domain, it’s also a single security domain.

We can either accept that fact (and work on hardening the end-systems), split our oversized layer-2 domains into smaller ones (where all hosts in a smaller domain become totally equivalent from the security perspective), or implement a properly hardened network that:

  • Authenticates users before allowing them to connect to the network;
  • Assigns addresses to users in an auditable fashion;
  • Enforces source address checks on every packet sent by the user.
Come to think of it, we do have such a network implementation. It’s called Fibre Channel.

Of course, the networking industry took another approach:

  • Pretending the problem doesn’t exist until enough users started screaming;
  • Explaining how solving the problem breaks existing applications and is thus unreasonable;
  • Implementing layers of kludges on top of broken architecture (large-scale Ethernet subnets), resulting in overly complex solutions like SAVI.

Obviously, it’s not just the vendors’ problem. Plenty of customers are buying the cheapest possible switches and later complaining how securing them properly is impossible. Unfortunately, some of the really expensive switches aren’t any more secure ;)

Some Got It Right

There’s a single company (AFAIK – I hope you’ll prove me wrong in the comments) that handles the layer-2/layer-3 boundary correctly, restoring the original meaning of data-link layer (before bridges were invented): Microsoft’s Hyper-V Network Virtualization connects VMs straight to a layer-3 virtual switch that block all rogue RA messages and terminates all ND exchanges. Amazon VPC and Juniper Contrail do something very similar, but only for IPv4.

Finally, there’s always the option of putting every single user in its own subnet. Good luck with that – your ops people and the switch vendors (who will run out of TCAM) will love you.

Need More Information?

  • IPv6 webinars cover a wide range of IPv6 topics, including IPv6 security;
  • The Data Center Fabrics webinar includes information on forwarding tables (including the size of the IPv6 forwarding table) in numerous data center switches from top-10 vendors.


  1. You could always run PPPoE on your local subnets.... ;-)
  2. One could run L2 mac forced-forwarding (protected ports, private VLAN edge, whatever you want to call it) with "ip local proxy-arp" and "ipv6 nd prefix no-onlink." This forces all traffic through the first-hop router. This protects from rogue DHCP and RA.
  3. PPPoE can't be considered as it requires the same ammount of handpower to configure every connected port to prevent forged packets as 802.1x. and 802.1x is better to my opinion.
Add comment