
Re: New Version Notification for draft-ietf-v6ops-v6inixp-02



Dear Martin/ Masataka,

I am proposing the following text for version 03.

----------------
   IPv6 prefixes for IXP LANs are typically publicly well known and
   taken from dedicated IPv6 blocks for IXP assignments reserved for
   this purpose by the different RIRs.  The current practice that applies
   to IPv4 about publishing IXP allocations to the DFZ (Default Free
   Zone) should also apply to the IPv6 allocation.  When considering the
   routing of the IXP LANs two options are identified:

   o  IXPs may decide that LANs should not be globally routed in
      order to limit the possible origins of a Distributed Denial of
      Service (DDoS) attack to its participants' AS boundaries.  In this
      configuration participants may route these prefixes inside their
      networks (e.g. using BGP no-export communities or routing the IXP
      LANs within the participants' IGP) to perform fault management.
      Using this configuration, the monitoring of the IXP LANs from
      outside of its participants' AS boundaries is not possible.

   o  IXPs may decide that LANs should be globally routed.  In this case,
      IXP LANs monitoring from outside its participants' AS boundaries is
      possible but the IXP LANs will be vulnerable to DDoS from outside of
      those boundaries.

   IXP external services (such as DNS, web pages, FTP servers) need to
   be globally routed and due to strict prefix length filtering this
   could be the reason to request more than one /48 assignment from a
   RIR (i.e. requesting one /48 for the IXP's LANs that is not globally
   routed and a different /48 for the IXP external services that is
   globally routed).
---------------------

What do you think?

Roque

On Oct 2, 2009, at 10:02 AM, MAWATARI Masataka wrote:

Hi all,


* On Thu, 1 Oct 2009 13:53:23 +0200
* Martin Pels <martin.pels@ams-ix.net> wrote:

Hi,

On Tue, 8 Sep 2009 23:25:37 -0300
Roque Gagliano <roque@lacnic.net> wrote:

Hi,

I issued a new ID of the draft with the changes that came up at the  
Stockholm meeting. Changes were:
- I explained why ULA is not a good idea.
- I added that addressing can use two different /48, one for the
LANs and the second one for the internal services and not necessarily
one /47, as per comments at the meeting.

In section 3 you added the following: "IPv6 prefixes for IXP LAN's are
typically publicly well known.".

I suggest changing this to something like: "IPv6 prefixes for IXP LANs
are typically taken from dedicated IPv6 blocks for IXP assignments,
reserved for this purpose by the different RIRs."


Thanks for your effort about IPv6 IXP operation.


If modifying as above, add notions that IXP can select PI address policy
either routed or un-routed in the global table.

(routed)
  pros
  - AS boundary monitoring IXP segment is possible.
  cons
  - Attacking IXP segment from non IXP participants is possible.

(un-routed)
  pros
  - Attacking IXP segment from non IXP participants is impossible.
  cons
  - AS boundary monitoring IXP segment is impossible.


Are there any other pros/cons?


Regards,
Masataka MAWATARI


-------------------------------------------------------------
Roque Gagliano
LACNIC
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE

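
The split proposed in the draft text above (one /48 for the IXP LANs kept out of the DFZ, a second /48 for external services that is globally routed) can be audited on a participant's side. The following is an added example, not part of the original thread or of the draft; the prefixes, the route-record layout and the function name `audit` are assumptions made for illustration.

```python
import ipaddress

NO_EXPORT = (65535, 65281)  # well-known NO_EXPORT community, RFC 1997

# Constructed prefixes from the IPv6 documentation range (RFC 3849).
IXP_LAN = ipaddress.ip_network("2001:db8:1::/48")       # peering LAN, kept out of the DFZ
IXP_SERVICES = ipaddress.ip_network("2001:db8:2::/48")  # DNS/web/FTP, must be in the DFZ


def audit(routes, lan=IXP_LAN, services=IXP_SERVICES):
    """Return (prefix, finding) pairs for routes that contradict the split.

    Each route is a dict with 'prefix', 'communities' (a set of (high, low)
    tuples) and 'sent_to_ebgp' (True if advertised to an external neighbour).
    Covering aggregates are out of scope; only the /48s and their
    more-specifics are checked.
    """
    findings = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        tagged = NO_EXPORT in r["communities"]
        if net.subnet_of(lan):
            if r["sent_to_ebgp"]:
                findings.append((str(net), "LAN prefix leaked to eBGP neighbour"))
            elif not tagged:
                findings.append((str(net), "LAN prefix carried without NO_EXPORT"))
        elif net.subnet_of(services) and tagged:
            findings.append((str(net), "services prefix tagged NO_EXPORT, not globally reachable"))
    return findings


# Constructed route table of a hypothetical participant router.
SAMPLE_ROUTES = [
    {"prefix": "2001:db8:1::/48", "communities": {NO_EXPORT}, "sent_to_ebgp": False},
    {"prefix": "2001:db8:1::/64", "communities": set(), "sent_to_ebgp": False},
    {"prefix": "2001:db8:1::/48", "communities": set(), "sent_to_ebgp": True},
    {"prefix": "2001:db8:2::/48", "communities": {NO_EXPORT}, "sent_to_ebgp": False},
    {"prefix": "2001:db8:2::/48", "communities": set(), "sent_to_ebgp": True},
]

if __name__ == "__main__":
    for prefix, finding in audit(SAMPLE_ROUTES):
        print(prefix, "-", finding)
```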