Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Andrew 👽 Yourtchenko <ayourtch@gmail.com> Fri, 19 September 2014 17:14 UTC

In-Reply-To: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com>
Date: Fri, 19 Sep 2014 19:14:17 +0200
Message-ID: <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com>
From: Andrew 👽 Yourtchenko <ayourtch@gmail.com>
To: draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/R2O7wp4MffYiL9BBfwArc43rsPQ
Cc: v6ops@ietf.org
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

A directed broadcast ping on IPv4 gives pretty much the same result.
Did you test the effects of that?

Of course, private VLANs or (if we are talking VMs) just using p2p
links with /128s would help this in the environments where the hosts
cannot be trusted - and this of course is not virtual/physical
specific.

If we're talking specifically virtual environment, here's an approach
on how to use ebtables to isolate the hosts:

ebtables -P FORWARD DROP
ebtables -F FORWARD
ebtables -A FORWARD -i $uplinkPort -j ACCEPT # let the traffic flow from uplink to any ports
ebtables -A FORWARD -o $uplinkPort -j ACCEPT # let the traffic flow from any ports to uplink

(source: http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges)

So looks like the question at hand is:

"Should IPv6 nodes respond to Ping to FF0x::1?"

Which can be rephrased differently to ease the start of the discussion:

"What are the legitimate uses of a ping to ff0x::1 ?"

Right?

--a

On 9/19/14, fred@cisco.com <fred@cisco.com> wrote:
> A new draft has been posted, at
> http://tools.ietf.org/html/draft-elkins-v6ops-multicast-virtual-nodes.
> Please take a look at it and comment.
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
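An added example, not code from the message above or from the serverfault answer it cites: a small Python model of the ebtables FORWARD chain, evaluated on constructed frames crossing a hypothetical Linux bridge with an uplink port eth0 and guest ports vnet1..vnet3 (all names and MAC addresses are assumptions). It shows why the DROP policy plus the two uplink rules stops a guest's ping to ff02::1 (Ethernet group address 33:33:00:00:00:01) from reaching sibling guests while still letting it reach the uplink, and why a ping to ff02::1 arriving from the uplink still reaches every guest.

```python
# Added example: a model of the ebtables FORWARD chain from the message
# above, evaluated on constructed frames. It does not touch the kernel;
# the port names and MAC addresses are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPV6_ALL_NODES_MAC = "33:33:00:00:00:01"  # Ethernet mapping of ff02::1


def is_group_mac(mac: str) -> bool:
    """Multicast/broadcast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Rule:
    """One `ebtables -A FORWARD [-i IN] [-o OUT] -j TARGET` rule."""
    in_port: Optional[str] = None
    out_port: Optional[str] = None
    target: str = "ACCEPT"

    def matches(self, in_port: str, out_port: str) -> bool:
        return (self.in_port in (None, in_port)
                and self.out_port in (None, out_port))


@dataclass
class ForwardChain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, in_port: str, out_port: str) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(in_port, out_port):
                return rule.target
        return self.policy


def isolated_chain(uplink: str) -> ForwardChain:
    """The ruleset quoted in the message:
       ebtables -P FORWARD DROP
       ebtables -A FORWARD -i $uplinkPort -j ACCEPT
       ebtables -A FORWARD -o $uplinkPort -j ACCEPT"""
    return ForwardChain("DROP", [Rule(in_port=uplink), Rule(out_port=uplink)])


@dataclass
class Bridge:
    ports: List[str]
    chain: ForwardChain
    fdb: Dict[str, str] = field(default_factory=dict)  # learned dst MAC -> port

    def forward(self, in_port: str, dst_mac: str) -> List[str]:
        """Ports a frame arriving on in_port is actually sent out of.
        Group or unknown destinations are flooded to every other port; each
        (in, out) copy is then judged separately by the FORWARD chain."""
        if not is_group_mac(dst_mac) and dst_mac in self.fdb:
            candidates = [self.fdb[dst_mac]]
        else:
            candidates = [p for p in self.ports if p != in_port]
        return [out for out in candidates
                if out != in_port and self.chain.verdict(in_port, out) == "ACCEPT"]


PORTS = ["eth0", "vnet1", "vnet2", "vnet3"]  # eth0 is the uplink (assumed)
FDB = {"52:54:00:00:00:01": "vnet1", "52:54:00:00:00:02": "vnet2"}  # constructed


def compare(in_port: str, dst_mac: str):
    """Delivery on a default (policy ACCEPT) bridge vs. with the isolation rules."""
    open_bridge = Bridge(PORTS, ForwardChain("ACCEPT"), dict(FDB))
    isolated = Bridge(PORTS, isolated_chain("eth0"), dict(FDB))
    return open_bridge.forward(in_port, dst_mac), isolated.forward(in_port, dst_mac)


if __name__ == "__main__":
    # A guest pings ff02::1: all-nodes multicast, flooded by the bridge
    print("vnet1 -> ff02::1       ", compare("vnet1", IPV6_ALL_NODES_MAC))
    # The upstream router pings ff02::1: reaches every guest in both cases
    print("eth0  -> ff02::1       ", compare("eth0", IPV6_ALL_NODES_MAC))
    # Unicast between two guests
    print("vnet2 -> vnet1 unicast ", compare("vnet2", "52:54:00:00:00:01"))
```

Two caveats a practitioner should keep in mind when applying the real rules: the FORWARD chain only covers frames the bridge forwards between its ports, so traffic to or from the bridge host's own stack goes through INPUT/OUTPUT and needs its own rules; and the isolation holds only as long as the uplink does not hand frames back. A ping to ff02::1 is link-local scope, so a router on the uplink will not relay it to the other guests, but a switch or router that hairpins unicast frames back onto eth0 would make them match the `-i $uplinkPort -j ACCEPT` rule and reach a sibling guest after all.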