#2 - use SLAAC and don't care
=============================

Consumer hosts will get random IPv6 addresses out of your Carrier Ethernet /64 prefix. Can you afford the "don't care" part of it?

We provide a static /64 with SLAAC per connection, but allow static addresses within that /64 as well. Connections are provisioned as individual router subinterfaces, so user-to-address mapping happens on subnet level and URPF prevents spoofing. This naturally works only as long as you have a single customer/connection per VLAN, not so much with group-VLANs (which are shared by several connections).

With SLAAC you can dig the MAC address from the IPv6-address, if necessary (MAC-spoofing can be a problem, but that's the case with DHCP and IPv4-world as well. ND-attacks are an issue as well.)

The shortcomings with this approach include:

- doesn't work with group-VLANs
- the end-user has to configure DNS-servers manually

____________________________________
Tero Toikkanen
Network Engineer
Nebula Oy
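
Added example, not part of the original message: attributing an observed address to a connection by its /64 and recovering the MAC from a modified EUI-64 interface identifier, as described above. The prefix table and subinterface names are constructed; addresses whose interface identifier is not EUI-64-derived (static or randomized) yield no MAC.

```python
import ipaddress

# Constructed sample data: one /64 per connection, keyed to a
# hypothetical router subinterface name.
CUSTOMER_PREFIXES = {
    ipaddress.ip_network("2001:db8:100:1::/64"): "ge-0/0/1.101",
    ipaddress.ip_network("2001:db8:100:2::/64"): "ge-0/0/1.102",
}


def mac_from_slaac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC.
    # A randomized ID can contain ff:fe by chance, so a match is a hint
    # to check against neighbor tables, not proof.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in mac)


def attribute(addr):
    """Map an address to (connection, mac); mac is None if not recoverable."""
    ip = ipaddress.IPv6Address(addr)
    for net, connection in CUSTOMER_PREFIXES.items():
        if ip in net:
            return connection, mac_from_slaac(addr)
    return None, None  # outside every provisioned /64


if __name__ == "__main__":
    for sample in (
        "2001:db8:100:1:211:22ff:fe33:4455",   # EUI-64 SLAAC
        "2001:db8:100:2::10",                  # static address in the /64
        "2001:db8:100:1:a1b2:c3d4:e5f6:789a",  # randomized interface ID
        "2001:db8:999::1",                     # not a provisioned prefix
    ):
        print(sample, "->", attribute(sample))
```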