comments on draft-ietf-v6ops-v6inixp-01.txt
Nick Hilliard <nick@inex.ie> Tue, 28 July 2009 11:48 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5404B3A6ED0 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 28 Jul 2009 04:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.105
X-Spam-Level:
X-Spam-Status: No, score=0.105 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_15=0.6, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0z5i1V3E-IUx for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 28 Jul 2009 04:48:08 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3336B3A6EB0 for <v6ops-archive@lists.ietf.org>; Tue, 28 Jul 2009 04:48:07 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1MVl4v-000300-1L for v6ops-data0@psg.com; Tue, 28 Jul 2009 11:42:45 +0000
Received: from [87.198.142.193] (helo=mail.acquirer.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <nick@inex.ie>) id 1MVl4p-0002ye-To for v6ops@ops.ietf.org; Tue, 28 Jul 2009 11:42:42 +0000
X-Envelope-To: <v6ops@ops.ietf.org>
Received: from cupcake.internal.acquirer.com (cupcake.internal.acquirer.com [10.228.100.105]) (authenticated bits=0) by mail.acquirer.com (8.14.3/8.14.3) with ESMTP id n6SBgYjS051796 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <v6ops@ops.ietf.org>; Tue, 28 Jul 2009 12:42:35 +0100 (IST) (envelope-from nick@inex.ie)
Message-ID: <4A6EE42A.7020809@inex.ie>
Date: Tue, 28 Jul 2009 12:42:34 +0100
From: Nick Hilliard <nick@inex.ie>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090223 Thunderbird/3.0b2
MIME-Version: 1.0
To: v6ops@ops.ietf.org
Subject: comments on draft-ietf-v6ops-v6inixp-01.txt
X-Company-Info-1: Internet Neutral Exchange Association Limited. Registered in Ireland No. 253804
X-Company-Info-2: Registered Offices: 1-2, Marino Mart, Fairview, Dublin 3
X-Company-Info-3: Internet Neutral Exchange Association Limited is limited by guarantee
X-Company-Info-4: Offices: 4027 Kingswood Road, Citywest, Dublin 24.
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
Hello, a couple of comments on the v6inixp draft. - the text needs some style editing and a quick run-over with a spell-checker. I'm happy to do this, but am just an ietf egg and don't know what procedure to follow. The draft text as-is does not look like the canonical text source. - it would probably be useful to mention that RA should be disabled on all peering lan client routers and if possible, should be blocked at a fabric level with some incantation of draft-ietf-v6ops-ra-guard. - the ixp should maintain a list of - section 6: there is no standard defined for TCP MD5 security for ipv6 packets, although there are several interoperable implementations out there in practice. RFC 2385 assumes ipv4. - it may be good to suggest the use of GTSM in addition to MD5 / ipsec. Does anyone actually use ipsec for securing bgp sessions? I hear only occasional talk and have never come across it in practice. - is it worth suggesting that ipv4 bgp afi over ipv6 transport and ipv6 bgp afi over ipv4 transport should be explicitly frowned upon for route servers? It adds complication for no gain whatever. - security considerations - at face value none. Mind you, I could see small exchange customers getting very upset if their IXP wasn't using MLD snooping and one of their 1G or 10G customers decided to shift a couple of hundred megs of multicast traffic in a moment of experimental exuberance. - section 2: (minor) ipv4 requires both 0x0800 (ipv4) and 0x0806 (arp) - I'm still wrangling with myself about the value of an ipv6 ND sponge. Is it better for an end-user DoS attacker to trash an ipv6 lan by causing persistent icmp6 multicast flooding, or by filling up the ipv6 neighbor cache on all connected routers with ipv6 address entries associated the mac address of an ipv6 ND sponge? Has anyone actually measured this in practice? Is the reaction vendor specific? My worry is that attacks of this form will happen one day and right now we are not ready. - is it worth recommending that the IXP use l3 ipv6 filters to permit only link-local traffic from their assigned (or chosen) address for the purposes of BGP and icmp6 only? What I'm thinking of here is how to deal with people who will do broken stuff like configuring tunnels using their IXP assigned address. Nick
- comments on draft-ietf-v6ops-v6inixp-01.txt Nick Hilliard
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Roque Gagliano
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Nick Hilliard
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Martin Pels
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Nick Hilliard
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Martin Pels
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Roque Gagliano
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Martin Pels
- Re: comments on draft-ietf-v6ops-v6inixp-01.txt Roque Gagliano