
Re: (v6ops) WG Last Call: draft-ietf-v6ops-renumbering-procedure-00.txt (fwd)



On Mon, 21 Jun 2004, Iljitsch van Beijnum wrote:
> > No, we assume that the network is in a nominal state prior to 
> > renumbering.  The issue you raise below would indicate that perhaps 
> > this *isn't* the case.  In which case your problems are bigger than 
> > renumbering.
> 
> My point is that if you have two prefixes from two ISPs (which I think 
> is the most common situation in renumbering, and it's certainly common 
> enough to be worthy of discussion in a renumbering draft) and both ISPs 
> do ingress filtering (which is also something that can't be discounted) 
> then "turning on" both prefixes at the same time without additional 
> measures is going to lead to problems as packets routed to ISP A may 
> have a source address from the prefix from ISP B (or vice versa) and 
> thus be dropped due to ingress filtering.

I think the document as it is has two assumptions about this:

 (1) you either renumber inside an ISP, or

 (2) you multihome to at least two different ISPs, and may be:
   a) switching from the first to the second ("transitional multihoming")
   b) switching from the first to the third, but keeping the second

(1) requires no ingress filtering magic.  Either of the options in (2) 
*already* requires that there is a mechanism in place, like 
draft-huitema-multi6-xxx (e.g., source-based routing at the edges), to 
ensure the right packets go to the right place.  This requirement 
would exist without renumbering as well.

In your earlier mail, you wrote:

> The draft only talks about ingress filtering with regard to
> security, which IMNSHO is stupid because there are no attacks that
> are possible with spoofed addresses that aren't possible with
> unspoofed addresses.

Not quite so, or at least requiring a clarification.  Remember that
the *sites* should also check that no packets with their IP addresses 
are coming from the Internet to them, using their addresses.  This is 
also called "ingress filtering", but was probably not the nuance 
mentioned in the draft.

I think the point you're making is subtle, and I'm not sure if I 
understand it myself.  Doesn't ingress filtering by the ISP block the 
site from performing e.g., certain kinds of 3rd party bombing DoS 
attacks?  This is something that's prevented (from a particular 
direction) with ingress filtering.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
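The two failure modes discussed in this thread, a site with prefixes from two ingress-filtering ISPs whose edge routes by destination only, and a site that should drop Internet-side packets claiming its own addresses, modelled as an added example (not part of the thread or of the draft). The prefixes and the simple per-ISP filter tables are constructed assumptions.

```python
import ipaddress
from typing import Callable, Optional

# Constructed documentation prefixes, one delegated by each upstream ISP.
PREFIX_A = ipaddress.ip_network("2001:db8:a::/48")  # delegated by ISP A
PREFIX_B = ipaddress.ip_network("2001:db8:b::/48")  # delegated by ISP B

# ISP-side ingress filter: an ISP forwards a packet received on the customer
# link only if its source address lies in the prefix that ISP delegated.
ISP_ACCEPTS = {"A": PREFIX_A, "B": PREFIX_B}


def isp_ingress_accepts(isp: str, src: str) -> bool:
    """True if ISP `isp` would pass a customer packet with source `src`."""
    return ipaddress.ip_address(src) in ISP_ACCEPTS[isp]


def default_route_egress(src: str, default_isp: str = "A") -> str:
    """Naive site edge: every packet leaves via the default ISP, whatever its source."""
    return default_isp


def source_based_egress(src: str) -> Optional[str]:
    """Source-address-based routing at the site edge: send each packet to the
    ISP that delegated its source prefix; None means no ISP fits and the edge
    should drop locally instead of sending a packet that will be filtered."""
    addr = ipaddress.ip_address(src)
    for isp, prefix in ISP_ACCEPTS.items():
        if addr in prefix:
            return isp
    return None


def delivered(src: str, egress_policy: Callable[[str], Optional[str]]) -> bool:
    """Does a packet with source `src` survive both the edge policy and the
    chosen ISP's ingress filter?"""
    isp = egress_policy(src)
    return isp is not None and isp_ingress_accepts(isp, src)


def site_inbound_accepts(src: str) -> bool:
    """The site's own inbound filter: a packet arriving from the Internet must
    not carry one of the site's own prefixes as its source."""
    addr = ipaddress.ip_address(src)
    return not any(addr in prefix for prefix in ISP_ACCEPTS.values())
```

With destination-only routing, packets sourced from ISP B's prefix are sent to ISP A and dropped there; with source-based egress both prefixes work, and the inbound check rejects spoofed copies of the site's own addresses.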