
Re: ping-pong phenomenon with p2p links & /127 prefixes



On 17/08/2010, at 8:42 PM, Seiichi Kawamura wrote:

> 
> Eric Vyncke (evyncke) wrote:
>> [Changing slightly to a different angle]
>> 
>> I agree with most people that pingable interfaces on all core routers are very useful/interesting to say the least (even if I do not operate a SP network, I get the idea :-)).
>> 
>> From the security perspective, having hidden/not reachable router interfaces is also very useful :)
>> 
>> There are a couple of ways of achieving this: from an infrastructure ACL deployed at the edge (easier to do in IPv6 thanks to new addressing plan), to using ULA on the interfaces (+ a global as ICMP source), to using only LLA (and a few other techniques).
>> 
>> Which technique is used nowadays in IPv6 network?  I guess that infra ACL are used (parity with IPv4) or am I wrong?
> 
> Some enterprise customers using VPNs(IPsec and SSL) have this requirement.
> In many cases NAT plus some evil routing technique is used to hide,
> and ACL is used to deny reachability.
> This is in IPv4 world. In IPv6 world, nobody has requested
> VPN services and many VPN boxes still run only IPv4 so
> I really don't have a clue yet to what we'll do.
> We probably will not use ULA though.
> 
> Regards,
> Seiichi
> 
>> 
>> Regards
>> 
>> -éric
>> 

<snip>

Hiding the internal addresses of infrastructure links in service provider networks is generally done when the SP uses MPLS and TTL propagation or decrementing is disabled. This works with IPv6 VPNs in MPLS today and is very common.

Truman
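A small simulation, added here and not part of Truman's message, of why disabling MPLS TTL propagation keeps the core routers out of a customer's traceroute: with propagation on, the ingress PE copies the IP TTL into the label and the egress PE writes it back, so every P router can expire a probe and answer; with it off, the label starts at 255 and only the PEs and the destination ever reply. The router names and path are constructed; no packets are sent.

```python
# Simulation of MPLS TTL propagation and which hops a traceroute reveals.
# Constructed example: PE1 (ingress) -> P1 -> P2 -> PE2 (egress) -> host.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Router:
    name: str
    role: str  # "ingress" pushes the label, "core" switches it, "egress" pops it


PATH = [Router("PE1", "ingress"), Router("P1", "core"),
        Router("P2", "core"), Router("PE2", "egress")]
DESTINATION = "host"  # constructed end host behind PE2


def send_probe(path: List[Router], ttl: int, propagate: bool) -> str:
    """Forward one probe with IP TTL `ttl` and return the name of whoever answers."""
    ip_ttl = ttl
    label_ttl: Optional[int] = None
    for r in path:
        if r.role == "ingress":
            ip_ttl -= 1                      # ordinary IP forwarding at the ingress PE
            if ip_ttl == 0:
                return r.name
            # Push label: copy the IP TTL (propagation on) or start at 255 (off).
            label_ttl = ip_ttl if propagate else 255
        elif r.role == "core":
            label_ttl -= 1                   # P routers only ever touch the label TTL
            if label_ttl == 0:
                return r.name
        else:                                # egress pops the label (one decrement)
            label_ttl -= 1
            if propagate:
                if label_ttl == 0:
                    return r.name
                ip_ttl = label_ttl           # label TTL written back into the IP header
            else:
                ip_ttl -= 1                  # label TTL discarded; IP header keeps counting
                if ip_ttl == 0:
                    return r.name
    return DESTINATION


def traceroute(path: List[Router], propagate: bool, max_ttl: int = 30) -> List[str]:
    """Collect responders for TTL 1..max_ttl until the destination answers."""
    hops: List[str] = []
    for ttl in range(1, max_ttl + 1):
        hops.append(send_probe(path, ttl, propagate))
        if hops[-1] == DESTINATION:
            break
    return hops
```

Running `traceroute(PATH, True)` lists PE1, P1, P2, PE2 and the host, while `traceroute(PATH, False)` lists only PE1, PE2 and the host; an infrastructure ACL is still needed to stop packets addressed directly to the core links.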