IPv6 Microsegmentation in Data Center Environments

The proponents of microsegmentation solutions would love you to believe that it takes no more than somewhat-stateful packet filters sitting in front of the VMs to get rid of traditional subnets. As I explained in my IPv6 Microsegmentation talk (links below), you need more if you want to have machines from multiple security domains sitting in the same subnet – from RA guard to DHCPv6 and ND inspection.

It’s also possible to solve the problem by reducing the size of layer-2 domains to what they were initially supposed to be: links between adjacent nodes (host-to-router links). Would that work in a data center environment supporting VM mobility? Watch the video from the IPv6 microsegmentation webinar to find out.

More information

It looks like I’m the only one talking about IPv6 microsegmentation – all the top hits on Google are links to one or another version of my presentation:

There’s another CliffsNotes version of my webinar floating around the Internet, but as the author took great care to mention me only in passing without including any links whatsoever, I won’t link to his version either. Happy hunting.


  1. It pops up in more than one place, it just has many different faces :-) https://tools.ietf.org/html/draft-jjmb-v6ops-unique-ipv6-prefix-per-host-00 and https://datatracker.ietf.org/doc/draft-herbert-nvo3-ila/ are good examples. Well, and then in large-scale WiFi networks (for the events with low volume of Linux hosts, because apparently Linux is buggy) I've been clearing the onlink bit and blocking P2P.... :-)