
Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-03.txt



On Sun, 10 Jan 2010 09:25:30 +0100 (CET)
Mikael Abrahamsson <swmike@swm.pp.se> wrote:

> On Sun, 10 Jan 2010, Mark Smith wrote:
> 
> > routers may be link layer peers. The cost difference between layer 2
> > forwarding and layer 3 forwarding also encourages minimising the layer
> > 3 resources.
> 
> I don't agree AT ALL, rather the opposite. I'd like to see rudimentary L3 
> switch quite close to the customer instead of these huge L2 clouds people 
> seem to like. Customers should not be in the same broadcast domain unless 
> quite a lot of security measures are taken (MAC rewrite etc). Basically 
> everything the customer can set themselves needs to be controlled in case 
> of shared L2.
> 
> The "security" I am talking about is the BCP38/SAVI kind, not anything 
> else. Doing that kind of security (defying spoofing, man in the middle, 
> etc) requires a lot of L2/L3 magic in a big L2 network, I'd rather avoid 
> that.
> 
> > "security reasons" is a nice generic term, but it doesn't really
> > explain anything. What specific "security reasons"? What if an ISP
> > doesn't want to provide "security", and would rather just be a dumb bit
> > pipe for their customers?
> 
> They still need to do basic BCP38.
> 
> > I also think it may not be that ISPs haven't wanted their customers to
> > talk L2 directly with each other, I think it's probably because they
> > haven't been able to. They've had legacy PPPoE infrastructures which
> > force hair pinning of traffic between layer 2 adjacent customers, or the
> > nature of the link layer technology, e.g. cable or ATM, hair pins the
> > traffic anyway and may not support simple link layer peer-to-peer
> > traffic exchange, without something like NHRP or setting up switched
> > virtual circuits.
> 
> Read my previous posts, I come from an ETTH background as of 10 years and 
> there we had shared L2 by means of L2 switches in every basement. When I 
> designed ADSL I did it with single vlan per customer and L3 switch in each 
> PoP.
> 
> > If a generic "complexity" argument is going to be used, then I'd argue 
> > that a prefix-redirect mechanism is much much simpler than PPPoE, PPP or 
> > DHCP. Single packet format, simple processing. It's not really any more 
> > complex than host-redirects and they're not complicated.
> 
> I don't see how this easily can be done and still adhere to BCP38. Guess 
> it would involve a lot more SAVI requirements on the L2 device aggregating 
> the customers.
> 

All fair points.

Hair pinning traffic via a router to perform the functions you
mention is one way to achieve these security goals. Having the layer 2
device, the point-of-interconnect for the customer, perform them is
another. While I agree with you about the layer violations of having
layer 2 devices looking at layer 3 fields, I also think that these
security functions should be performed as close as possible to the
customer. If it's bad traffic, it should be dropped as soon as possible.

My argument is that if an SP chooses to have the layer 2 edge
device perform those security functions, then there is an opportunity
for more optimal traffic forwarding via a mechanism like a
prefix-redirect. You may not like that design, but you might not have
to be making decisions about the tradeoffs between backhaul cost, capex
and opex of aggregated-vs-per-POP layer 3 and the influence over
customer density and geography that other SPs around the world have to
make.

Regards,
Mark.
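As an added illustration of the design point argued over in this thread (not code from either poster, and not tied to any particular vendor's SAVI implementation): a BCP38/SAVI-style source check done at the customer-facing layer 2 edge, and the local forwarding decision it makes safe. The port names, the binding table and the 2001:db8::/32 documentation prefixes are constructed for the example; in practice the bindings would come from DHCPv6-PD state or static configuration.

```python
"""BCP38 / SAVI-style source validation at a customer-facing L2 edge.

Added example; addresses, port names and the binding table are
constructed for illustration and do not come from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv6Network = ipaddress.IPv6Network

# Constructed binding table: each customer-facing port maps to the prefixes
# the SP delegated to that customer (hypothetical values).
BINDINGS: Dict[str, List[IPv6Network]] = {
    "port1": [ipaddress.IPv6Network("2001:db8:1::/48")],
    "port2": [ipaddress.IPv6Network("2001:db8:2::/48")],
}

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UPLINK = "uplink"  # name for "send it to the aggregation router"


@dataclass
class Packet:
    ingress_port: str
    src: str
    dst: str


def source_permitted(port: str, src: str) -> bool:
    """BCP38 check: is src a legitimate source on this ingress port?

    Link-local sources are accepted because neighbour discovery between
    the CPE and the edge needs them; any other source must fall inside a
    prefix bound to the port. Ports with no binding deny by default.
    """
    addr = ipaddress.IPv6Address(src)
    if addr in LINK_LOCAL:
        return True
    return any(addr in net for net in BINDINGS.get(port, []))


def local_egress(dst: str) -> Optional[str]:
    """Return the local port whose binding covers dst, or None if off-box."""
    addr = ipaddress.IPv6Address(dst)
    for port, nets in BINDINGS.items():
        if any(addr in net for net in nets):
            return port
    return None


def forward(pkt: Packet) -> Optional[str]:
    """Decide where a packet goes: None (dropped), a local port, or UPLINK.

    Because spoofed sources are rejected on ingress, customer-to-customer
    traffic can be switched locally instead of being hairpinned through
    the aggregation router; that is the opportunity the message above
    describes for a prefix-redirect style of forwarding.
    """
    if not source_permitted(pkt.ingress_port, pkt.src):
        return None
    egress = local_egress(pkt.dst)
    if egress is not None and egress != pkt.ingress_port:
        return egress
    return UPLINK


def run_sample() -> Dict[str, Optional[str]]:
    """Apply the policy to a constructed set of packets."""
    samples = {
        "legit_to_peer": Packet("port1", "2001:db8:1::10", "2001:db8:2::5"),
        "legit_to_internet": Packet("port1", "2001:db8:1::10", "2001:db8:ffff::1"),
        "spoofed_peer_src": Packet("port1", "2001:db8:2::10", "2001:db8:ffff::1"),
        "spoofed_remote_src": Packet("port2", "2001:db8:abcd::1", "2001:db8:1::10"),
        "unknown_port": Packet("port9", "2001:db8:9::1", "2001:db8:1::10"),
    }
    return {name: forward(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:20s} -> {decision}")
```

The check is per ingress port, which is the property that matters on a shared L2 segment: a customer on port1 cannot originate traffic with port2's prefix, so switching between the two ports locally does not let one customer impersonate the other toward the third.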