Re: ping-pong phenomenon with p2p links & /127 prefixes
Eric Vyncke (evyncke) wrote:
> [Changing slightly to a different angle]
> I agree with most people that pingable interfaces on all core routers are very useful/interesting to say the least (even if I do not operate a SP network, I get the idea :-)).
> From the security perspective, having hidden/not reachable router interfaces is also very useful :)
> There are a couple of ways of achieving this: from an infrastructure ACL deployed at the edge (easier to do in IPv6 thanks to new addressing plan), to using ULA on the interfaces (+ a global as ICMP source), to using only LLA (and a few other techniques).
> Which technique is used nowadays in IPv6 networks? I guess that infra ACLs are used (parity with IPv4) or am I wrong?
Some enterprise customers using VPNs (IPsec and SSL) have this requirement.
In many cases NAT plus some evil routing technique is used to hide,
and ACL is used to deny reachability.
This is in IPv4 world. In IPv6 world, nobody has requested
VPN services and many VPN boxes still run only IPv4 so
I really don't have a clue yet to what we'll do.
We probably will not use ULA though.