[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04

To: Wojciech Dec <wdec@cisco.com>
Subject: Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
From: Philip Homburg <pch-v6ops@u-1.phicoh.com>
Date: Mon, 26 Apr 2010 16:28:22 +0200
Cc: v6ops@ops.ietf.org
In-reply-to: Your message of "Mon, 26 Apr 2010 16:06:10 +0200 ." <C7FB6A72.3390%wdec@cisco.com>

In your letter dated Mon, 26 Apr 2010 16:06:10 +0200 you wrote:
>>> It helps in being able to bind the MAC to an IPv6 address for that
>>> subscriber. Coincidentally, this is exactly what is already in place for v4
>.
>> Why the link local address?
>
>It can be any unicast address.

Yes, but in the context of an RS, that will be the link-local address. Or
are you thinking of requiring the use of a global IPv6 address as the
source of RS messages?

>>> Without such a binding, LL spoofing becomes an issue.
>> 
>> Can you be a bit more specific?
>> 
>> IPv4 doesn't have a link local address.
>
>In IPv4 the binding is DHCP derived, something that is a bit harder to
>assume with IPv6.
>BTW IPv4 does have LLs too, but they happen not to be commonly used (at
>least not by CPEs).

Can we stick to what is actually used in the context of CPEs?

I know that IPv4 LL address exist, but I have a hard time understanding how
you would use them to provide a customer with a working Internet connection.

So for IPv4, you need a binding between the global IPv4 address and the MAC
address.

For IPv6 you need to bind IPv6 addresses or prefixes to MAC addresses.

No need for link-local addresses.

>> So what kind of traffic do you expect to and from the link-local address.
>> There is of course the neighbor discovery stuff. But you probably have to
>> filter that already to avoid customers talking directly to each other
>> without going through the router.
>> 
>For the CPE the vital traffic is DHCP-PD signaling and this will be sourced
>from a LL address. If one assumes that an RS is the trigger for user
>authorization, securing the address binding at that same time is optimal and
>useful in also securing any follow-on DHCP-PD assignment, besides any other
>traffic that would suffer from spoofed LLs.
>Note that the binding table will need to factor in the other unicast
>addresses too.

If you already have a link identifier for the RS, why not use it as well for
the DPCP-PD? 

Are you really assigning DHCP-PD prefixes based on the link-local source
address in the solicit?

>Do you see any downside of the proposal?

I think there is a recent trent to just add all kind of extra requirements
for CPEs that are not there in the underlying protocols.

In my opinion, if you really need this, just get RFC-4861 changed to disallow
the use of an unspecified address as the source of an RS.

But I still have no clear picture how a customer can spoof things using his
link local address.

Follow-Ups:
- Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
  - From: Wojciech Dec <wdec@cisco.com>

References:
- Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
  - From: Wojciech Dec <wdec@cisco.com>

Prev by Date: Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
Next by Date: Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
Previous by thread: Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
Next by thread: Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04
Index(es):
- Date
- Thread