IPv6 Microsegmentation Done Right

March 16, 2015 (at 1:45 p.m.)

Layer-2 security (aka first-hop security) is as problematic in IPv6 as it was in IPv4 almost a decade ago. We need to fight the same problems that we had to solve in IPv4 world (DHCP spoofing, ND spoofing instead of ARP spoofing) and a few new ones unique to the IPv6 world (rogue RAs, fragmented headers).

What if we'd stop relying on large failure domains built with 40-year-old technology that still emulates thick coaxial cable (Ethernet), admit that many network edge devices support IPv6 routing as well as L2 forwarding, and limit Ethernet to where it was designed to be used: data link layer between adjacent devices.

Is it possible to build a layer-3-only IPv6 network without assigning a /64 prefix to every host and exploding the IPv6 forwarding tables? This presentation will explore alternative solutions that work well in large-scale production environments.

Ivan Pepelnjak

Ivan Pepelnjak, CCIE#1354 Emeritus, has been designing and implementing large-scale service provider and enterprise networks as well as teaching and writing books about advanced technologies since 1990. He’s the author of several Cisco Press books, prolific blogger and writer, occasional consultant, and creator of a series of highly successful webinars.