
RE: new draft on IPv6 CPE router available for review



Hi,

>Yes, I realise this, but I want my native IPv6 service
>offering to require a "router" class device, even if it means
>that this "router" only forwards traffic logically between the
>WAN link-local interface and its internal loopback address
>(DHCPv6-PD assigned space).

There definitely are different use-cases with different requirements. 

You mentioned elsewhere that the scope of the document could be
expanded. What do the authors think about that? Should we sit down in
Dublin to discuss?

>> (1) CPE router:
>> - allowed to directly source packets to ISP core
>> [host]---[CPE router]---[ISP]---[Internet]
>
>What addresses would be used between CPE router and ISP? I
>would like it to be link-local only.

No comment for this (I would need to study more on what issues
link-local only could bring, but I trust others here are more
knowledgeable).

>> An example of case (1) would be a DSL box at home/small office, and an
>> example of case (2) would be a cellular device that:
>> - connects with point-to-point link to operator's access concentrator
>> (e.g. GGSN), and gets a /64 prefix for itself (SLAAC)
>> - uses DHCPv6 PD to get more prefixes, and announces these prefixes to
>> LAN
>> - possibly implements DHCPv6 relay in order to enable other devices in
>> LAN to utilize DHCPv6 PD as well
>
>Yes, that sounds about right, but what address space is used on
>the p-t-p link? Is that the /64? That would mean that the GGSN
>IP address in this space is globally reachable, with the
>security implications that brings.

Yes, /64, which is per mobile allocated by the network as the mobile
usually acts as a host and needs a global address (it may implement
RFC4941 as well). The mobile node itself is well positioned to attack
GGSN, as by its nature it is on the same link with it, thus GGSN has to
prepare well for attacks on its subscriber-facing interfaces (probably
has all but necessary ports closed). For the attacks from the Internet,
there is a firewall between GGSN and Internet. 

I'm not sure if the GGSN even configures itself a global address from the
prefixes it gives to subscribers (does a router have to configure an
address for itself from the prefixes it sends out in RAs?). I was unable
to verify this right now.

Best regards,

	Teemu
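The two addressing cases argued over in this thread, modelled as an added example that is not part of the original post or of any draft it discusses. It splits a DHCPv6-PD prefix into /64s, derives the CPE's WAN, loopback and LAN addresses for case (1) (link-local-only WAN, global loopback from PD space) and case (2) (a global /64 on the p-t-p link, the cellular/GGSN model), and then lists which router-side addresses end up globally reachable and so need a border filter. The prefixes (2001:db8::/32 documentation space), the ::1/::ff interface identifiers, the `build_plan`/`address_scope` function names and the ACL-style rule strings are all constructed for the example.

```python
"""Addressing model for the two CPE cases discussed in the thread.

Added example, not code from the original mailing-list post. The prefixes
(2001:db8::/32 documentation space) and interface identifiers below are
constructed sample values; the rule strings are illustrative ACL syntax.
"""
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")
UNIQUE_LOCAL = IPv6Network("fc00::/7")

# Addresses that belong to a router rather than to a LAN host.
ROUTER_SIDE = ("cpe_wan", "isp_ptp", "cpe_loopback")


def address_scope(addr):
    """Classify an address the way a border filter would (no routing lookup)."""
    addr = IPv6Address(addr)
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "ula"
    return "global"


def split_delegated_prefix(delegated, new_prefixlen=64):
    """Carve the DHCPv6-PD prefix into /64s for loopback and LAN use."""
    net = IPv6Network(delegated)
    if net.prefixlen > new_prefixlen:
        raise ValueError(f"{net} is too long to split into /{new_prefixlen}s")
    return list(net.subnets(new_prefix=new_prefixlen))


def build_plan(delegated_prefix, ptp_prefix=None):
    """Return the CPE's addresses for one of the two cases.

    ptp_prefix=None  -> case (1): the WAN link is link-local only; the CPE's
                        only global address is a loopback taken from PD space.
    ptp_prefix="/64" -> case (2): a global /64 on the p-t-p link (the
                        cellular/GGSN model), so both ends get global addresses.
    Interface identifiers ::1 (CPE side) and ::ff (ISP side) are constructed.
    """
    subnets = split_delegated_prefix(delegated_prefix)
    loopback_net, lan_nets = subnets[0], subnets[1:]
    ptp_net = IPv6Network("fe80::/64") if ptp_prefix is None else IPv6Network(ptp_prefix)
    base = int(ptp_net.network_address)
    return {
        "cpe_wan": IPv6Address(base + 1),
        "isp_ptp": IPv6Address(base + 0xFF),
        "cpe_loopback": IPv6Address(int(loopback_net.network_address) + 1),
        "lan_prefixes": lan_nets,
    }


def internet_reachable_router_addresses(plan):
    """Router addresses an Internet host could target if nothing filters them."""
    hits = [plan[k] for k in ROUTER_SIDE if address_scope(plan[k]) == "global"]
    return [str(a) for a in sorted(hits)]


def ptp_ingress_filter_rules(plan):
    """Deny rules the border firewall needs for global p-t-p addresses.

    Empty in case (1): link-local addresses are not routable, so the p-t-p
    link needs no Internet-facing filter. The loopback is deliberately left
    reachable, since that is the address the ISP expects to talk to.
    """
    return [f"deny ipv6 any host {plan[k]}"
            for k in ("isp_ptp", "cpe_wan") if address_scope(plan[k]) == "global"]


if __name__ == "__main__":
    cases = (
        ("case (1) link-local WAN", build_plan("2001:db8:ab00::/56")),
        ("case (2) global /64 p-t-p", build_plan("2001:db8:ab00::/56", "2001:db8:1::/64")),
    )
    for label, plan in cases:
        print(label)
        print("  reachable router addresses:", internet_reachable_router_addresses(plan))
        print("  filter rules needed:", ptp_ingress_filter_rules(plan))
```

Run as a script it prints, for case (1), only the PD-derived loopback as reachable and no filter rules, and for case (2) the loopback plus both p-t-p addresses, with deny rules for the ISP-side and CPE-side /64 addresses; that difference is the reachability concern raised in the quoted reply above, made concrete.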