Re: draft-wbeebee-ipv6-cpe-router-04 comments
On Thu, 26 Mar 2009, Mikael Abrahamsson wrote:
> This sounds like a huge security problem, how are those implications handled?
> Wouldn't the L2 device in the CO need to be able to inspect all these
> messages and drop ones which are not assigned to that specific customer by
> the ISP?

Perhaps you're assuming that multiple customers are sharing the same
subnet? In the case where customers do NOT share subnets, I fail to see
how this adds a security problem that didn't already exist before. In
IPv4, if a DSL provider gives a customer a /28 instead of /30 for the WAN
link, that customer could easily hang multiple CPE routers off of their
WAN-side ethernet switch now and they could talk to each other. Some of
our customers use their WAN subnet as a DMZ and their routers are
firewalls. But the communication on the WAN subnet between customer
devices stays on the local ethernet switch and shouldn't traverse the DSL
loop. I don't think we should cripple that capability for IPv6.
Antonio Querubin
whois: AQ7-ARIN