
Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04





On 26/04/2010 15:33, "Philip Homburg" <pch-v6ops@u-1.phicoh.com> wrote:

> In your letter dated Mon, 26 Apr 2010 15:21:09 +0200 you wrote:
>>> The MAC address is available as the source ethernet address in the router
>>> solicitation.
>>> 
>>> How does having a link-local IPv6 address help?
>> 
>> It helps in being able to bind the MAC to an IPv6 address for that
>> subscriber. Coincidentally, this is exactly what is already in place for v4.
> 
> Why the link local address?

It can be any unicast address.

> 
>> Without such a binding, LL spoofing becomes an issue.
> 
> Can you be a bit more specific?
> 
> IPv4 doesn't have a link local address.

In IPv4 the binding is DHCP derived, something that is a bit harder to
assume with IPv6.
BTW IPv4 does have LLs too, but they happen not to be commonly used (at
least not by CPEs).

> 
> So what kind of traffic do you expect to and from the link-local address?
> There is of course the neighbor discovery stuff. But you probably have to
> filter that already to avoid customers talking directly to each other
> without going through the router.
> 
For the CPE the vital traffic is DHCP-PD signaling and this will be sourced
from a LL address. If one assumes that an RS is the trigger for user
authorization, securing the address binding at that same time is optimal and
useful in also securing any follow-on DHCP-PD assignment, besides any other
traffic that would suffer from spoofed LLs.
Note that the binding table will need to factor in the other unicast
addresses too.

Do you see any downside of the proposal?

-Woj.
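
Added example, not part of the original message or of the draft: a binding table that ties a subscriber's (port, MAC) to the unicast source address seen in its RS, then checks later packets such as DHCP-PD signaling against that binding. The class and function names, port numbers and sample traffic are assumptions made for illustration.

```python
import ipaddress

class BindingTable:
    """Edge-router table binding a subscriber's (port, MAC) to IPv6 source addresses."""

    def __init__(self):
        self.owner = {}  # IPv6Address -> (port, mac) that first claimed it

    @staticmethod
    def _bindable(src):
        addr = ipaddress.IPv6Address(src)
        # An RS may be sent from the unspecified address (::); nothing to bind then.
        return None if (addr.is_unspecified or addr.is_multicast) else addr

    def learn_from_rs(self, port, mac, src):
        """Called when an RS authorizes the subscriber; binds its unicast source."""
        addr = self._bindable(src)
        if addr is None:
            return False
        holder = self.owner.setdefault(addr, (port, mac.lower()))
        return holder == (port, mac.lower())  # False: address already bound elsewhere

    def permit(self, port, mac, src):
        """Check a later packet (e.g. DHCP-PD signaling) against the binding."""
        addr = self._bindable(src)
        return addr is not None and self.owner.get(addr) == (port, mac.lower())

def replay(events):
    """Feed (kind, port, mac, src) events through a fresh table; return verdicts."""
    table, verdicts = BindingTable(), []
    for kind, port, mac, src in events:
        check = table.learn_from_rs if kind == "RS" else table.permit
        verdicts.append(check(port, mac, src))
    return verdicts

# Constructed sample traffic (documentation-range MACs, made-up port numbers).
LL1 = "fe80::200:5eff:fe00:5301"
EVENTS = [
    ("RS", 1, "00:00:5E:00:53:01", LL1),        # creates the binding
    ("DHCP-PD", 1, "00:00:5e:00:53:01", LL1),   # matches the binding
    ("DHCP-PD", 2, "00:00:5e:00:53:02", LL1),   # spoofed LL from another port
    ("RS", 2, "00:00:5e:00:53:02", LL1),        # conflicting claim on a bound LL
    ("RS", 3, "00:00:5e:00:53:03", "::"),       # unspecified source, no binding
    ("DHCP-PD", 3, "00:00:5e:00:53:03", "fe80::200:5eff:fe00:5303"),  # never bound
]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Because the table is keyed by address rather than by address type, an RS sourced from any other unicast address is bound the same way as one sourced from a LL.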