
Some comments on draft-ietf-v6ops-addcon-10.txt



Gunter, Chip, Tim and others
 
A couple of quick points about this nice I-D (if not yet discussed before):
 
In section 2.4, you may want to add a sub-paragraph about infrastructure ACLs, which are easier to write and to maintain if aggregatable prefixes are used for all intra-core interfaces. The goal is to put a one-line ACL at the edge (to oversimplify) denying all the traffic destined to the SP infrastructure. A.2.2.2 briefly alludes to this but this should be expanded.
 
Very similar to the previous point: a specific prefix reserved for MIP (for the home addresses) would make perimeter filtering easier (for what perimeter means today...)
 
Also in section 3.2.3, I personally don't agree with the 'select a random ID' in order to make it more resistant to reconnaissance attacks... A 'random' ID makes things slightly more complex for the attacker (there are other ways to find targets) but also more complex for the network operators and it also increases the risk of typos in DNS or any other provisioning system. The I-D should present the balance to the reader.
  
Hope this helps
 
-éric
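
Added example (not part of the original message or of the I-D): a sketch of the infrastructure-ACL point above, comparing how many edge deny entries are needed when intra-core links are numbered from one reserved block versus scattered across the allocation. The prefixes are constructed from the 2001:db8::/32 documentation range, the function names are hypothetical, and the rendered ACL lines are illustrative, vendor-neutral syntax.

```python
import ipaddress

def edge_acl(link_prefixes, reserved_block=None):
    """Return the deny entries an edge iACL needs to cover every core link.

    If reserved_block contains every link prefix, one entry for the block
    is enough. Otherwise fall back to the smallest exact cover of the links.
    """
    links = [ipaddress.ip_network(p) for p in link_prefixes]
    if reserved_block is not None:
        block = ipaddress.ip_network(reserved_block)
        if all(link.subnet_of(block) for link in links):
            return [block]
    return list(ipaddress.collapse_addresses(links))

def render(entries):
    # Illustrative syntax only: drop traffic *to* the infrastructure,
    # let everything else transit.
    return [f"deny ipv6 any {e}" for e in entries] + ["permit ipv6 any any"]

def is_dropped(dst, entries):
    """True if a packet to dst would match one of the deny entries."""
    addr = ipaddress.ip_address(dst)
    return any(addr in e for e in entries)

# Constructed addressing plans (assumptions, not taken from the I-D).
RESERVED = "2001:db8:ffff::/48"          # block set aside for core links
AGGREGATED = ["2001:db8:ffff:0::/64", "2001:db8:ffff:1::/64",
              "2001:db8:ffff:a::/64", "2001:db8:ffff:100::/64"]
SCATTERED = ["2001:db8:10:1::/64", "2001:db8:2a:7::/64",
             "2001:db8:300:0::/64", "2001:db8:ffff:1::/64"]

if __name__ == "__main__":
    for name, plan in (("aggregated", AGGREGATED), ("scattered", SCATTERED)):
        acl = edge_acl(plan, RESERVED)
        print(f"{name}: {len(acl)} deny entries")
        print("\n".join("  " + line for line in render(acl)))
    # A core link added later (constructed address) is already covered by
    # the one-line ACL, but not by a per-link ACL built before it existed.
    new_link_addr = "2001:db8:ffff:b::1"
    print(is_dropped(new_link_addr, edge_acl(AGGREGATED, RESERVED)))  # True
    print(is_dropped(new_link_addr, edge_acl(AGGREGATED)))            # False
```
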