Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Nalini Elkins <nalini.elkins@insidethestack.com> Mon, 22 September 2014 17:55 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/qhcbmcZ_L-_7YCz9R1Fxyiq9oFk


On Sat, 20 Sep 2014, Nalini Elkins wrote:

>> So then, are you saying that the hosting company example we gave was for a 
>> particularly ignorant or incompetent firm?   That most hosting providers of IPv6

>No, I think the general thinking is that they're of average ignorance and 
>competency, which doesn't say much.

>The general advice both for IPv4 and IPv6 is not to put a huge amount of 
>nodes in the same L2 domain. This has been true for 30 years, that's why 
>IP replaced the L2 bridged protocols or lots-of-years-ago.

>If you're putting 284 nodes in the same broadcast domain, you're asking 
>for trouble. My advice is to separate customers into separate L2 domains, 
>or make sure your L2 infrastructure has some L3 functionality, for 
>instance private-vlan or other filtering.

It is an interesting question whether 284 is too many or not.  I
think I prefer to start using a term "administrative domain" (or some such),
where those are the nodes that are under a single control for business
or security reasons.

So, "administrative domain" (AD) and "broadcast domain" (BD) should be the same.
For example, if I have three virtual servers (or nodes), then that is my 
administrative and broadcast domain.

If I have 1,000 nodes under my control, then that is how many that
should be in my AD and BD.   IPv6 allows for large subnets, so why not?

But, if I have only 1 node, then having more than one node in my BD
is too much.

>So while your draft describes a problem that might be there, asking for 
>nodes to not respond to link-local FF0x::1 ICMP ECHO REQUEST isn't the 
>correct solution.

Possibly not.  We wanted to raise the issue.  BTW, Pings, as you know,
are the precursor to much malicious activity.  It is something that
someone with ill intent is liable to do readily.  And, it provides
a huge amount of data on other nodes in a broadcast domain.

>Btw, how does the data center you've done testing on implement BCP38 so 
>that the customers can't originate packets for addresses they do not "own"?

No idea.  I can try spoofing packets for other prefixes and for my servers.

Interestingly enough, from BCP38:

"The one MAC address that all devices share in common in normal operation is the media broadcast, or FF:FF:FF:FF:FF:FF.  In this case, a device will take the packet and send an interrupt for processing. Thus, a flood of these broadcast frames will consume all available resources on an end-system [9]. It is perhaps prudent that system administrators should consider ensuring that their border routers do not allow directed broadcast packets to be forwarded through their routers as a default."

On Linux, I believe when you do a PING, it is continuous until intentionally stopped.  So, doing a Ping to FF02::1 from a
Linux machine will create havoc without having ill intent.  That is, accidentally.
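As an added example (not from the thread or the draft) of the defender-side check this discussion points to: a small Python scanner over constructed tcpdump-style lines that flags sources repeatedly sending ICMPv6 echo requests to link-local multicast such as ff02::1, so an accidental continuous ping or a deliberate sweep shows up in monitoring. The log format, the threshold and the window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed tcpdump-style sample (not captured traffic): one host repeatedly
# pinging all-nodes, one unicast ping, and one lone multicast echo.
SAMPLE_LOG = """\
17:55:50.000100 IP6 fe80::1 > ff02::1: ICMP6, echo request, seq 1, length 64
17:55:51.000100 IP6 fe80::1 > ff02::1: ICMP6, echo request, seq 2, length 64
17:55:52.500100 IP6 fe80::2 > fe80::1: ICMP6, echo request, seq 1, length 64
17:55:53.000100 IP6 fe80::1 > ff02::1: ICMP6, echo request, seq 3, length 64
17:55:54.000100 IP6 fe80::3 > ff02::1: ICMP6, echo request, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, echo request"
)

def parse_echo_requests(text):
    """Yield (timestamp, src, dst) for each ICMPv6 echo-request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["src"], m["dst"]

def is_link_local_multicast(addr):
    """True for ff02::/16 (scope nibble 2), which includes all-nodes ff02::1."""
    a = ipaddress.IPv6Address(addr)
    return a.is_multicast and (int(a) >> 112) & 0xF == 0x2

def find_multicast_ping_sources(text, threshold=3, window=timedelta(seconds=10)):
    """Return {src: total} for sources that sent >= threshold echo requests to
    link-local multicast within any sliding window of the given length."""
    per_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(text):
        if is_link_local_multicast(dst):
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window past old entries
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged
```

A single multicast echo (fe80::3 above) is normal neighbour discovery-era behaviour and is not flagged; only a sustained stream from one source is.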



