[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
comments on draft-ietf-v6ops-v6inixp-01.txt
- To: v6ops@ops.ietf.org
- Subject: comments on draft-ietf-v6ops-v6inixp-01.txt
- From: Nick Hilliard <nick@inex.ie>
- Date: Tue, 28 Jul 2009 12:42:34 +0100
- User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090223 Thunderbird/3.0b2
Hello,
a couple of comments on the v6inixp draft.
- the text needs some style editing and a quick run-over with a
spell-checker. I'm happy to do this, but am just an ietf egg and don't know
what procedure to follow. The draft text as-is does not look like the
canonical text source.
- it would probably be useful to mention that RA should be disabled on all
peering lan client routers and if possible, should be blocked at a fabric
level with some incantation of draft-ietf-v6ops-ra-guard.
- the ixp should maintain a list of
- section 6: there is no standard defined for TCP MD5 security for ipv6
packets, although there are several interoperable implementations out there
in practice. RFC 2385 assumes ipv4.
- it may be good to suggest the use of GTSM in addition to MD5 / ipsec.
Does anyone actually use ipsec for securing bgp sessions? I hear only
occasional talk and have never come across it in practice.
- is it worth suggesting that ipv4 bgp afi over ipv6 transport and ipv6 bgp
afi over ipv4 transport should be explicitly frowned upon for route
servers? It adds complication for no gain whatever.
- security considerations - at face value none. Mind you, I could see small
exchange customers getting very upset if their IXP wasn't using MLD
snooping and one of their 1G or 10G customers decided to shift a couple of
hundred megs of multicast traffic in a moment of experimental exuberance.
- section 2: (minor) ipv4 requires both 0x0800 (ipv4) and 0x0806 (arp)
- I'm still wrangling with myself about the value of an ipv6 ND sponge. Is
it better for an end-user DoS attacker to trash an ipv6 lan by causing
persistent icmp6 multicast flooding, or by filling up the ipv6 neighbor
cache on all connected routers with ipv6 address entries associated the mac
address of an ipv6 ND sponge? Has anyone actually measured this in
practice? Is the reaction vendor specific? My worry is that attacks of
this form will happen one day and right now we are not ready.
- is it worth recommending that the IXP use l3 ipv6 filters to permit only
link-local traffic from their assigned (or chosen) address for the purposes
of BGP and icmp6 only? What I'm thinking of here is how to deal with
people who will do broken stuff like configuring tunnels using their IXP
assigned address.
Nick