Hi Enno,

Regarding a 3GPP phone, AFAIK, it receives a /64 so it is scalable and easy to enforce uRPF at the very first layer-3 routers. Same for a home CPE (with a very minor impact, uRPF has the same performance as plain forwarding == same lookup technique) and anyway the BNG/BRAS does DHCP-PD snooping and should do uRPF as well. Pretty much like in IPv4.

But, we may indeed suspect that uRPF on a longer prefix such as /96 (??) could be as efficient as forwarding to a /96 which is rumored to be less efficient than forwarding to a prefix shorter than 64. Just a wild guess (and please do not assume some magical knowledge of mine based on my email address)

-éric

On 28/08/14 16:31, "Enno Rey" <e...@ernw.de> wrote:

> Eric, guys,
>
> On Thu, Aug 28, 2014 at 02:28:53PM +0000, Eric Vyncke (evyncke) wrote:
>> The mapped IPv4 address is probably coming out of a 6PE (or 6VPE) MPLS
>> router where the HopLimit field is copied into the MPLS header and when
>> the poor P router in charge of sending the ICMPv6 has no IPv6 address at
>> all? This is per RFC and perhaps an explanation why uRPF is not
>> activated?
>>
>> No explanation about the :: address though?
>>
>> As a security person, I would love to have uRPF enabled where possible
>> but I am afraid that even in IPv4 it is not deployed everywhere :-(
>
> to be honest, as another security person, I'm not really sure about the
> benefit of uRPF in the IPv6 world, in some scenarios.
> imagine a single infected smartphone on LTE, generating connections with
> potentially 2^64 different source addresses from its assigned /64. How
> would you counter that with uRPF?
> not to speak about a home device sitting behind a CPE (and mimicking
> connections from different /64s being part of the /56 the CPE "got")...
> thoughts?
>
> best
>
> Enno
>
>>
>> -éric
>>
>> PS: indeed, ask your vendors for features, customers have much more
>> power than you guess :-)
>>
>> From: Lorenzo Colitti <lore...@google.com>
>> Date: jeudi 28 août 2014 07:46
>> To: Jeroen Massar <jer...@massar.ch>
>> Cc: IPv6 Ops list <ipv6-ops@lists.cluenet.de>
>> Subject: Re: Something with filters
>>
>> On Wed, Aug 27, 2014 at 9:01 AM, Jeroen Massar <jer...@massar.ch> wrote:
>> 9 2001:5a0:a00::2e (2001:5a0:a00::2e) 79.018 ms 79.910 ms 79.960 ms
>> 10 :: (::) 101.893 ms 102.004 ms 103.574 ms
>> 11 rar3.chicago-il.us.xo.net (::ffff:65.106.1.155) 104.732 ms
>>
>> Yeah baby, we can use the unspecified address in ICMP replies!
>>
>> The mapped IPv4 address in there is pretty cool, too...
>
> --
> Enno Rey
>
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Enno Rey
>
> =======================================================
> Blog: www.insinuator.net || Conference: www.troopers.de
> Twitter: @Enno_Insinuator
> =======================================================
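
The strict uRPF check discussed in this thread, modelled as an added example that is not part of any of the messages: a longest-prefix lookup on the source address, compared against the arrival interface. The prefixes (from the 2001:db8::/32 documentation range), the interface names and the absence of a default route are assumptions of the model; only `::` and `::ffff:65.106.1.155` are taken from the traceroute quoted above.

```python
import ipaddress

# Constructed access-router table: prefix -> interface it is routed to.
# Interface names are hypothetical. There is no default route in this
# model, so a source with no specific route fails the check.
ROUTES = {
    "2001:db8:0:1::/64": "lte-ue-1",     # /64 assigned to one phone
    "2001:db8:0:2::/64": "lte-ue-2",     # /64 assigned to another phone
    "2001:db8:100:ab00::/56": "cpe-7",   # /56 delegated to a home CPE
}
TABLE = [(ipaddress.IPv6Network(p), i) for p, i in ROUTES.items()]


def lookup(addr):
    """Longest-prefix match, the same lookup plain forwarding performs."""
    ip = ipaddress.IPv6Address(addr)
    hits = [(net.prefixlen, ifname) for net, ifname in TABLE if ip in net]
    return max(hits)[1] if hits else None


def urpf_strict(src, in_if):
    """Strict uRPF: accept only if the route back to src points at in_if."""
    return lookup(src) == in_if


def passing_sources(candidates, in_if):
    """Return the candidate source addresses that strict uRPF accepts."""
    return [s for s in candidates if urpf_strict(s, in_if)]


if __name__ == "__main__":
    # Constructed packets arriving from the first phone's interface.
    from_phone = [
        "2001:db8:0:1::1",             # phone's own address
        "2001:db8:0:1:dead:beef:0:1",  # other interface ID, same /64
        "2001:db8:0:2::1",             # the other phone's /64
        "::",                          # unspecified source from the traceroute
        "::ffff:65.106.1.155",         # IPv4-mapped source from the traceroute
    ]
    print("lte-ue-1 accepts:", passing_sources(from_phone, "lte-ue-1"))
    # Constructed packets arriving from the CPE.
    from_cpe = ["2001:db8:100:ab01::5", "2001:db8:100:abff::5",
                "2001:db8:100:ac00::5"]
    print("cpe-7 accepts:", passing_sources(from_cpe, "cpe-7"))
```

The check works at the granularity of the routed prefix: it rejects sources outside the assigned /64 or delegated /56, and accepts every address inside it.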