[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: comments on draft-ietf-v6ops-v6inixp-01.txt

To: Nick Hilliard <nick@inex.ie>
Subject: Re: comments on draft-ietf-v6ops-v6inixp-01.txt
From: Roque Gagliano <roque@lacnic.net>
Date: Tue, 28 Jul 2009 20:21:39 -0300
Cc: v6ops@ops.ietf.org
In-reply-to: <4A6EE42A.7020809@inex.ie>
References: <4A6EE42A.7020809@inex.ie>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi nick,

Thank you very much for the comments. My responses inline.

Roque.

On Jul 28, 2009, at 8:42 AM, Nick Hilliard wrote:

Hello,

a couple of comments on the v6inixp draft.
- the text needs some style editing and a quick run-over with aspell-checker. I'm happy to do this, but am just an ietf egg anddon't know what procedure to follow. The draft text as-is does notlook like the canonical text source.

as I mentioned in the WG I had several editorial text to change, Iwill go ahead and foward you the text before submission if that is ok.

- it would probably be useful to mention that RA should be disabledon all peering lan client routers and if possible, should be blockedat a fabric level with some incantation of draft-ietf-v6ops-ra-guard.


In section 4 it says:
" Configuring default routes in an IXP
   LAN without an agreement within the parties is normally against IXP
   policies.  For that reason, eventhough routers should ignore them,
   rogue ICMPv6 route advertisements may be monitored in order to
   prevent configuration errors. "

is that what you where looking for?

- the ixp should maintain a list of


I cannot find this peace of text in the document.

- section 6: there is no standard defined for TCP MD5 security foripv6 packets, although there are several interoperableimplementations out there in practice. RFC 2385 assumes ipv4.

I just checked RFC2385 ad could not find a reference to IPv4 specificinfo.

- it may be good to suggest the use of GTSM in addition to MD5 /ipsec. Does anyone actually use ipsec for securing bgp sessions? Ihear only occasional talk and have never come across it in practice.

ok will add reference to GTSM. I remember the IPv6 round table inNANOG in LA, and NTT mentioned that they used IPSEC in Japan....thatis as close as I got

- is it worth suggesting that ipv4 bgp afi over ipv6 transport andipv6 bgp afi over ipv4 transport should be explicitly frowned uponfor route servers? It adds complication for no gain whatever.


The current text implicitly mentions this point:

"A good practice is to have IPv6 SAFI (Subsequent Address Family
   Identifiers) information carried over sessions established also on
   top of the IPv6 IP/TCP stack and independently of the IPv4 sessions.
   This configuration allows that in the event of IPv6 reachability

issues to any IPv6 peer, the IPv6 session will be turned down andthe

   IPv4 session to the same peer will not be affected. "

is this enough?

- security considerations - at face value none. Mind you, I couldsee small exchange customers getting very upset if their IXP wasn'tusing MLD snooping and one of their 1G or 10G customers decided toshift a couple of hundred megs of multicast traffic in a moment ofexperimental exuberance.

MLD snooping will only help you to check the associations to thesolicited-node multicast group for ND. I believe you are referring toPIM snooping, which is not defined in any RFC nor supported in manyequipments.

- section 2: (minor) ipv4 requires both 0x0800 (ipv4) and 0x0806 (arp)

ok, I was particularly mention how to differentiate between v4 and v6data traffic

- I'm still wrangling with myself about the value of an ipv6 NDsponge. Is it better for an end-user DoS attacker to trash an ipv6lan by causing persistent icmp6 multicast flooding, or by filling upthe ipv6 neighbor cache on all connected routers with ipv6 addressentries associated the mac address of an ipv6 ND sponge? Has anyoneactually measured this in practice? Is the reaction vendorspecific? My worry is that attacks of this form will happen one dayand right now we are not ready.

so what you are proposing is that we should be able to limit thenumber of IPv6 addresses for a given MAC addresses that is advertisedthrough ND to the switch in order to avoid the flooding of unsolicitedNeighbor advertisement messages that could eventually fill someone'scache entries? Looks like a nice question to the list.

- is it worth recommending that the IXP use l3 ipv6 filters topermit only link-local traffic from their assigned (or chosen)address for the purposes of BGP and icmp6 only? What I'm thinkingof here is how to deal with people who will do broken stuff likeconfiguring tunnels using their IXP assigned address.

but the IXP assigned address is Global Unicast , not link-local. I cansee that filtering unicast link-local could be done but I do not seethe relationship to BGP and tunnels. I know that some people have talkabout terminating BGP session in link-loca addresses to avoid problemwhen renumbering, but never seeing done and.

r.

Nick


- -------------------------------------------------------------
Roque Gagliano
LACNIC
roque@lacnic.net
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkpviAQACgkQnk+WSgHpbO5tCACff/FUocahlYsBC1NIs/WY1NUk
nNIAoJo7InY1mRAAMY0YdcvKIXAMm4TZ
=FE83
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt
  - From: Nick Hilliard <nick@inex.ie>

References:
- comments on draft-ietf-v6ops-v6inixp-01.txt
  - From: Nick Hilliard <nick@inex.ie>

Prev by Date: Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
Next by Date: Fwd: Simple Security - Layered Filtering should be in the document
Previous by thread: comments on draft-ietf-v6ops-v6inixp-01.txt
Next by thread: Re: comments on draft-ietf-v6ops-v6inixp-01.txt
Index(es):
- Date
- Thread