Cameron,

>>>> MAP validate consistency of the source IPv6 address and source port number
>>>> for the packet using BMR.
>>>> It describes section 8.1.
>>>> http://tools.ietf.org/html/draft-ietf-softwire-map-05#section-8.1
>>>>
>>>> I can't understand why you are saying about open DNS resolver in this
>>>> question.
>>>> Basically MAP domain includes CE are managed by service provider.
>>>> MAP-CE should configure as it does not response for query from WAN.
>>>>
>>>
>>> i am mostly thinking of a rogue MAP-CE spoofing may cause lots of
>>> problems on the BR (port dos, already noted in the draft) and
>>> undermining the attribution features of MAP.
>>
>> While it looks as same as 6rd, DS-Lite and 464XLAT, what kind of things are
>> MAP specific.
>>
>>
>
> That's a fair point.
>
> But, it is MAP that is in last call. My suggestion is about making MAP
> a better standard by adding a MUST implemented spoofing protection at
> the PE.

8.1. Receiving rules

   The CE SHOULD check that MAP received packets' transport-layer
   destination port number is in the range configured by MAP for the CE
   and the CE SHOULD drop any non conforming packet and respond with an
   ICMPv6 "Address Unreachable" (Type 1, Code 3).

you are suggesting to make these MUSTs?
and perhaps adopt similar text to what's in RFC5969, section 9.2?

I wouldn't object to that. IPv4 should be as well protected against spoofing as the underlying IPv6 is.

cheers,
Ole

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
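
The consistency check discussed in this thread, as an added example that is not part of the original message or of the draft: it derives the IPv4 address and PSID that a packet's IPv6 source implies under a BMR and compares them with the inner IPv4 source address and port, and `port_in_set` is the same test a CE would apply to a destination port under the quoted section 8.1. Assumptions: EA bits are the IPv4 suffix followed by the PSID, the PSID offset is 6, and the `BMR` field names, the sample rule and the sample CE address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class BMR:                      # Basic Mapping Rule; field names are illustrative
    rule_v6: ipaddress.IPv6Network
    rule_v4: ipaddress.IPv4Network
    ea_len: int                 # number of EA bits after the Rule IPv6 prefix
    psid_offset: int = 6        # assumed offset "a"; excludes ports with A == 0

    @property
    def psid_len(self) -> int:  # EA bits left over after the IPv4 suffix
        return self.ea_len - (32 - self.rule_v4.prefixlen)

def decode_source(bmr, src6):
    """Return the (IPv4 address, PSID) implied by the EA bits of src6, or None."""
    addr = ipaddress.IPv6Address(src6)
    if addr not in bmr.rule_v6:
        return None             # source is outside the MAP domain's rule prefix
    shift = 128 - bmr.rule_v6.prefixlen - bmr.ea_len
    ea = (int(addr) >> shift) & ((1 << bmr.ea_len) - 1)
    q = bmr.psid_len
    suffix, psid = ea >> q, ea & ((1 << q) - 1)
    return ipaddress.IPv4Address(int(bmr.rule_v4.network_address) | suffix), psid

def port_in_set(bmr, psid, port):
    """True if port belongs to the port set identified by psid."""
    a, q = bmr.psid_offset, bmr.psid_len
    if q == 0:
        return True             # address not shared: every port is valid
    if a and (port >> (16 - a)) == 0:
        return False            # the A == 0 range is never assigned
    return (port >> (16 - a - q)) & ((1 << q) - 1) == psid

def consistent(bmr, src6, inner_src4, src_port):
    """Check an upstream packet: outer IPv6 source vs inner IPv4 source and port."""
    decoded = decode_source(bmr, src6)
    if decoded is None:
        return False
    v4, psid = decoded
    return ipaddress.IPv4Address(inner_src4) == v4 and port_in_set(bmr, psid, src_port)

# Constructed sample rule using documentation prefixes
RULE = BMR(ipaddress.IPv6Network("2001:db8::/40"),
           ipaddress.IPv4Network("192.0.2.0/24"), ea_len=16)
CE_SRC6 = "2001:db8:12:3400::c000:212:34"   # constructed CE address
```

A packet for which `consistent` returns `False` carries an inner source address or port that the sending CE was not assigned, which is the spoofing case the thread wants dropped.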
