On Sat, 11 Sep 2010 08:06:39 +0200 (CEST) Mikael Abrahamsson <[email protected]> wrote:
> On Sat, 11 Sep 2010, Mark Smith wrote:
>
> > How would you solve the problem? If you give end-nodes the ability to
>
> Exactly the way it has been done for IPv4 with the mechanisms I've given
> examples of before.

Your criticisms seemed to be architectural ones - that the IETF hadn't
designed a protocol that addressed these issues. So my question was how
would you solve it (architecturally)?

Layer 2 devices inspecting traffic isn't architecturally acceptable
because it's a layer violation; address rewriting or insertion isn't
because it takes away the end-node's peer status at the network layer,
which creates all the consequences we know of from v4 NAT.

I don't disagree about the costs of using point-to-point links (virtual
or otherwise) to quarantine end-nodes; however, increased security
usually involves increased cost, so it is a security/cost tradeoff. The
advantage of the point-to-point/quarantine model over other options is
that it both fits and maintains the existing architecture.

> L2 devices look at DHCPv6 etc and then enforce policy
> accordingly. The thing here is that these mechanisms should have been
> designed alongside IPv6 and all the "core" protocols in IPv6 should have
> been designed with this in mind, making it easy and cheap for L2 devices
> to find the traffic they need to look at.
>
> Now whatever L2 devices need to look at is what is available, and some
> isn't that easy to find and it might have to look at multiple things, some
> of which is of no interest to it.
>
> > If you truly don't trust the end-nodes at all to set their source
> > address correctly, then quarantining them on individual point-to-point
> > links would seem to me to be the only option that still allows other
> > people in other environments to continue to trust end-nodes setting the
> > source address.
>
> *sigh* Taking the easy way out again. Point to point links are expensive.
>
> Equipment doing q-in-q and/or PPPoE termination carries a hefty premium over
> the ones who don't, especially if they need to handle thousands of
> customers (i.e. thousands of interfaces). Compare this to a Cisco 3550 which
> can route thousands of customers in a few subnets if needed.
>
> --
> Mikael Abrahamsson    email: [email protected]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
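As an added illustration of the mechanism Mikael describes (an L2 device looking at DHCPv6 and related traffic, then enforcing a per-port policy), here is a small Python model of a "snooping" switch. It is not code from either poster, from the IETF, or from any vendor product; the binding-table design (port, MAC, address learned from DHCPv6 REPLYs seen on a trusted port and from DAD Neighbor Solicitations for link-local addresses) is an assumption of my own, and every port name, MAC, transaction id and address is a constructed sample value.

```python
"""Constructed model of an L2 switch that learns which IPv6 source addresses
belong on which access port (from DHCPv6 and ND) and drops packets whose
source has no matching binding. Ports, MACs, xids and addresses are sample
values, not taken from any real network."""
import ipaddress
from dataclasses import dataclass, field

UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass
class Binding:
    port: str
    mac: str
    address: ipaddress.IPv6Address
    learned_from: str  # "dhcpv6" or "nd-dad"


@dataclass
class SnoopingSwitch:
    trusted_ports: set                              # server/uplink-facing ports
    pending: dict = field(default_factory=dict)     # xid -> (port, mac)
    bindings: dict = field(default_factory=dict)    # (port, address) -> Binding
    log: list = field(default_factory=list)         # drop records for the operator

    def dhcpv6_request(self, port, mac, xid):
        # A client REQUEST on an access port: remember which port/MAC is
        # waiting for this transaction id, so the REPLY can be tied back to it.
        if port in self.trusted_ports:
            return
        self.pending[xid] = (port, mac)

    def dhcpv6_reply(self, ingress_port, xid, address):
        # A REPLY only creates a binding if it arrived from a trusted port and
        # answers an outstanding client transaction; anything else is logged.
        if ingress_port not in self.trusted_ports:
            self.log.append(("drop", "dhcpv6-reply-on-untrusted-port", ingress_port, address))
            return False
        client = self.pending.pop(xid, None)
        if client is None:
            self.log.append(("drop", "unsolicited-dhcpv6-reply", ingress_port, address))
            return False
        port, mac = client
        addr = ipaddress.IPv6Address(address)
        self.bindings[(port, addr)] = Binding(port, mac, addr, "dhcpv6")
        return True

    def nd_dad(self, port, mac, target):
        # DHCPv6 alone misses self-configured addresses, so the switch must also
        # watch Duplicate Address Detection (NS with source ::). Only link-local
        # targets are accepted here; SLAAC on global prefixes would additionally
        # need the RA prefix list, which this model leaves out.
        addr = ipaddress.IPv6Address(target)
        if port in self.trusted_ports or not addr.is_link_local:
            return False
        self.bindings[(port, addr)] = Binding(port, mac, addr, "nd-dad")
        return True

    def permit(self, port, src_mac, src_addr):
        """Return True if a data packet with this source may be forwarded."""
        if port in self.trusted_ports:
            return True
        addr = ipaddress.IPv6Address(src_addr)
        if addr == UNSPECIFIED:
            return True  # DAD and DHCPv6 SOLICIT legitimately use ::
        b = self.bindings.get((port, addr))
        if b is None or b.mac.lower() != src_mac.lower():
            self.log.append(("drop", "source-without-binding", port, src_addr))
            return False
        return True


def run_demo():
    """Replay a constructed event sequence; returns the forwarding decisions."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    # Host A on port1 obtains 2001:db8::a via DHCPv6 and uses fe80::a link-local.
    sw.dhcpv6_request("port1", "00:11:22:33:44:aa", xid=0x1234)
    sw.dhcpv6_reply("uplink", xid=0x1234, address="2001:db8::a")
    sw.nd_dad("port1", "00:11:22:33:44:aa", "fe80::a")
    # A REPLY arriving on access port2 (not a trusted port) is ignored.
    sw.dhcpv6_reply("port2", xid=0x9999, address="2001:db8::b")
    return {
        "a-global": sw.permit("port1", "00:11:22:33:44:aa", "2001:db8::a"),
        "a-linklocal": sw.permit("port1", "00:11:22:33:44:aa", "fe80::a"),
        "b-no-binding": sw.permit("port2", "00:11:22:33:44:bb", "2001:db8::b"),
        "b-claims-a": sw.permit("port2", "00:11:22:33:44:bb", "2001:db8::a"),
        "a-wrong-mac": sw.permit("port1", "00:11:22:33:44:bb", "2001:db8::a"),
        "drops": len(sw.log),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The model makes Mikael's cost point concrete: to enforce source addresses per port the device has to parse DHCPv6 REQUEST and REPLY, track transaction ids, and separately parse ND for link-local and SLAAC addresses, each of which is carried in traffic the switch otherwise has no reason to open. It also makes Mark's point visible: the switch is acting on layer 3 and layer 4 contents, which is exactly the layer violation he objects to, and the alternative of a per-customer interface avoids that inspection at the cost of more interfaces.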
