Cameron (2013/04/26 5:30), cb.list6 wrote: > On Thu, Apr 25, 2013 at 1:04 PM, Ole Troan <[email protected]> wrote: >> Cameron, >> >>>>>> MAP validate onsistency of the source IPv6 address and source port >>>>>> number for the packet using BMR. >>>>>> It dicribes section 8.1. >>>>>> http://tools.ietf.org/html/draft-ietf-softwire-map-05#section-8.1 >>>>>> >>>>>> I can't understand why you are saying about open DNS resolver in this >>>>>> question. >>>>>> Basically MAP domain includes CE are managed by service provider. >>>>>> MAP-CE should configure as it does not response for query from WAN. >>>>>> >>>>> >>>>> i am mostly thinking of a rogue MAP-CE spoofing may cause lots of >>>>> problems on the BR (port dos, already noted in the draft) and >>>>> undermining the attribution features of MAP. >>>> >>>> While it looks as same as 6rd, DS-Lite and 464XLAT, what kind of things >>>> are MAP specific. >>>> >>>> >>> >>> That's a fair point. >>> >>> But, it is MAP that is in last call. My suggestion is about making MAP >>> a better standard by adding a MUST implemented spoofing protection at >>> the PE. >> >> 8.1. Receiving rules >> >> >> The CE SHOULD check that MAP received packets' transport-layer >> destination port number is in the range configured by MAP for the CE >> and the CE SHOULD drop any non conforming packet and respond with an >> ICMPv6 "Address Unreachable" (Type 1, Code 3). >> >> >> you are suggesting to make these MUSTs? >> and perhaps adopts similar text to what's in RFC5969, section 9.2? >> >> I wouldn't object to that. IPv4 should be as well protected against spoofing >> as the underlaying IPv6 is. >> > > My concern is at the rogue MAP CE. Thus, the spoof protection > filtering should be applied at the attachment PE so that the rogue MAP > CE attempts at spoofing can squashed at the provider edge. > > Make sense?
The customer is permitted IPv6 access and internet,but not permitted use MAP CE in this case. Correct? I agree BCP38/RFC2827 should use edge of IPv4/IPv6 ISP,but it does not means on MAP-BR and MAP specific topic. It should do IPv6 side interface. So I think we don't need the description for map draft. Regards, -Shishio > > CB > >> cheers, >> Ole >> > _______________________________________________ > Softwires mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/softwires > _______________________________________________ Softwires mailing list [email protected] https://www.ietf.org/mailman/listinfo/softwires
