On Mon, 12 Nov 2007, Havard Eidnes wrote:
> Instead, my inclination would be to "solve" this problem in a
> much simpler manner, simply by declaring it a configuration
> error. A site which receives prefixes from more than a single
> provider is clearly multihomed, and needs to have its providers
> make appropriate exceptions to a strict "I will only accept
> packets with source addresses from within the prefix I delegate"
> rule.

Who's watching the watchers?

An architecture where you depend on the first hop ISP to do filtering
and you cannot check that it has been done further down the network
doesn't do enough to keep ISPs "honest".

> Either that, or the domain in question needs to ensure via
> a combination of address selection and routing policy that one
> avoids being subjected to (presumably unwanted) RPF failures.

I think Fred's solution is proposing a solution in (mostly) simpler
scenarios which are typically unmanaged. A default policy, if such
could be created, shipping in smaller routers could fulfill this goal.
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
--------------------------------------------------------------------
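
The filtering problem discussed in this message, as an added example that is not part of the original e-mail or of any proposal in the thread: a multihomed site's packets checked against each provider's strict "only the prefix I delegated" rule, first with a plain default route, then with the two remedies named in the quoted text (provider exceptions, and source-aware exit selection). The prefixes, provider names and function names are constructed for illustration.

```python
import ipaddress

# Constructed topology (documentation prefixes, not from the thread):
# one site, two providers, each delegating one IPv6 prefix to the site.
DELEGATED = {
    "ispA": ipaddress.ip_network("2001:db8:a::/48"),
    "ispB": ipaddress.ip_network("2001:db8:b::/48"),
}
HOSTS = ["2001:db8:a::10", "2001:db8:b::10"]

def ingress_accepts(isp, src, exceptions=None):
    """Provider-edge check: accept only sources inside the prefix this
    provider delegated, plus any explicitly configured exception prefixes."""
    addr = ipaddress.ip_address(src)
    allowed = [DELEGATED[isp]] + list((exceptions or {}).get(isp, []))
    return any(addr in net for net in allowed)

def exit_by_destination(src, default_isp="ispA"):
    """Plain default route: the source address plays no part in the choice."""
    return default_isp

def exit_by_source(src):
    """Source-aware exit: use the provider whose delegated prefix holds src."""
    addr = ipaddress.ip_address(src)
    for isp, net in DELEGATED.items():
        if addr in net:
            return isp
    return None  # source is not one of the site's prefixes: drop at the border

def simulate(sources, pick_exit, exceptions=None):
    """Return {src: (exit_isp, accepted_by_provider)} for each source."""
    result = {}
    for src in sources:
        isp = pick_exit(src)
        ok = isp is not None and ingress_accepts(isp, src, exceptions)
        result[src] = (isp, ok)
    return result

if __name__ == "__main__":
    # Remedy 1: ispA is configured to also accept the ispB-delegated prefix.
    exc = {"ispA": [DELEGATED["ispB"]]}
    for label, run in [
        ("default route, strict filters", simulate(HOSTS, exit_by_destination)),
        ("default route, ispA exception", simulate(HOSTS, exit_by_destination, exc)),
        ("source-aware exit, strict filters", simulate(HOSTS, exit_by_source)),
    ]:
        print(label, run)
```

In both remedies a source outside the site's delegated prefixes is still rejected, so the anti-spoofing property of the filter is kept.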