RE: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
-----Original Message-----
From: Wes Beebee (wbeebee)
Sent: 15 April 2010 21:05
To: Wojciech Dec (wdec); v6ops@ops.ietf.org
Subject: RE: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
RFC 4861 says (in section 4.1):
"Source Address
An IP address assigned to the sending interface, or
the unspecified address if no address is assigned
to the sending interface."
I guess you'll always have a link-local address (if not a global unicast
address) on the WAN interface - so other than restricting this more in
the CPE router draft than what RFC 4861 allows, I see no show-stopper
issue with not allowing the unspecified address. However, I would like
to see more discussion as to why you think this is necessary (i.e. are
you denying RAs to "unauthorized" CPE routers?)
Woj> If one designs a system whereby RAs are used to trigger an
authorization event, it's practically a given that after authorization a
given address (used for sourcing the RSes) is to be bound to that
authorized CPE (its MAC address). Security proposals are in place (BBF
and SAVI) to have the edge router drop packets which do not have such a
binding. As such it is pretty much critical to have the RSes use a
specific source address.
-Woj.
- Wes
Wes Beebee
Software Engineer
Product Development
wbeebee@cisco.com
United States
Cisco.com - http://www.cisco.com
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
-----Original Message-----
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
Behalf Of Wojciech Dec (wdec)
Sent: Thursday, April 15, 2010 10:03 AM
To: v6ops@ops.ietf.org
Subject: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
Hi,
Given that RS triggered access appears to be gaining ground (based on
the latest draft-krishnan-rs-mark) it would appear that the CPE router
draft should specify a bit more tightly the form of RS messages a CPE sends
when connecting to a network.
RFC4861 section 6.3.7 states:
" A host sends Router Solicitations to the all-routers multicast
address. The IP source address is set to either one of the
interface's unicast addresses or the unspecified address."
Now, since the source address is very likely to be one of the identifier
keys for a CPE used for authorization, I would like to propose that an
RS sending rule be added to the CPE spec which would ensure that the IP
source address is NEVER the unspecified address, e.g.:
The IPv6 CE router MUST use one of its WAN interface unicast addresses
when sending RS messages.
Comments?
-Woj.
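
Added example, not part of the thread or of any draft: a sketch of the edge-side check the messages above describe, where a Router Solicitation is dropped if its source is the unspecified address or is not bound to the sending MAC. The binding table layout, the verdict strings, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

ICMPV6_RS = 133   # Router Solicitation type (RFC 4861 section 4.1)
NEXT_HDR_ICMPV6 = 58

def build_rs(src, mac=None):
    """Build a raw IPv6 + ICMPv6 RS (constructed sample data, checksum left zero)."""
    # Optional Source Link-Layer Address option: type 1, length 1 (units of 8 bytes)
    opts = b"" if mac is None else bytes([1, 1]) + mac
    icmp = struct.pack("!BBHI", ICMPV6_RS, 0, 0, 0) + opts
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HDR_ICMPV6, 255)
    dst = ipaddress.IPv6Address("ff02::2").packed  # all-routers multicast
    return hdr + ipaddress.IPv6Address(src).packed + dst + icmp

def check_rs(packet, src_mac, bindings):
    """Verdict for one packet, given the frame's source MAC and a
    {mac: IPv6Address} binding table (hypothetical structure)."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != NEXT_HDR_ICMPV6:
        return "not-icmpv6"
    if packet[40] != ICMPV6_RS:
        return "not-rs"
    if packet[7] != 255:  # RFC 4861 requires hop limit 255 on ND messages
        return "drop: hop limit != 255"
    src = ipaddress.IPv6Address(packet[8:24])
    if src.is_unspecified:
        # Allowed by RFC 4861, but gives the edge nothing to bind to a CPE
        return "drop: unspecified source"
    if bindings.get(src_mac) != src:
        return "drop: no binding"
    return "accept"

# Constructed sample values: one authorized CPE and its bound link-local address
SAMPLE_MAC = bytes.fromhex("020000000001")
SAMPLE_BINDINGS = {SAMPLE_MAC: ipaddress.IPv6Address("fe80::1")}

if __name__ == "__main__":
    for src, mac in (("fe80::1", SAMPLE_MAC), ("::", None), ("fe80::2", SAMPLE_MAC)):
        print(src, "->", check_rs(build_rs(src, mac), SAMPLE_MAC, SAMPLE_BINDINGS))
```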