On 2013-04-26 09:22, Ole Troan wrote:
>> Cameron,
>> My concern is at the rogue MAP CE. Thus, the spoof protection
>> filtering should be applied at the attachment PE so that the rogue MAP
>> CE attempts at spoofing can be squashed at the provider edge.
>> Make sense?
>
> yes, that was what I meant too (albeit not what I wrote ;-)).
> the receiving consistency check has to be done both on BR and CE.

That is still not answering Cameron's point IMHO.

- First, doing spoof prevention on the BR doesn't prevent spoofed
packets from reaching other MAP CEs directly. Second, it allows packets
to travel across the ISP's network: ideally you'd want to drop them at
the edge (PE).
- Doing spoof prevention on the CE prevents nothing because it's a rogue
CE you're trying to protect the network against.

As I understand it, Cameron is suggesting that the PE inspect inside
IPv6 packets encapsulating IPv4 packets to apply the MAP spoof check on
the IPv4 source address. This would prevent spoofed MAP packets (correct
external IPv6 source but spoofed internal IPv4 source) from reaching
the BR or other MAP CEs.

Makes sense to me.

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
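
Added example (not part of the original message, and not code from the MAP drafts): a sketch of the check described above, in which the PE derives from the outer IPv6 source the IPv4 address and port set (PSID) that CE is entitled to and compares them with the inner IPv4 source. The rule values, addresses and function names are constructed for illustration; it assumes the shared-address case, EA bits that directly follow the rule IPv6 prefix, and an outer source that has already passed ordinary ingress filtering.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class MapRule:                          # hypothetical container for one mapping rule
    v6_prefix: ipaddress.IPv6Network    # rule IPv6 prefix
    v4_prefix: ipaddress.IPv4Network    # rule IPv4 prefix
    ea_len: int                         # number of EA bits after the rule IPv6 prefix
    psid_offset: int = 6                # leading port bits that are not part of the PSID

def expected_binding(rule, outer_src):
    """Return (ipv4, psid, psid_len) the outer IPv6 source maps to, or None."""
    src = ipaddress.IPv6Address(outer_src)
    if src not in rule.v6_prefix:
        return None
    shift = 128 - rule.v6_prefix.prefixlen - rule.ea_len
    ea = (int(src) >> shift) & ((1 << rule.ea_len) - 1)
    psid_len = rule.ea_len - (32 - rule.v4_prefix.prefixlen)
    if psid_len < 0:
        raise ValueError("IPv4-prefix rules are outside this example")
    v4 = ipaddress.IPv4Address(int(rule.v4_prefix.network_address) | (ea >> psid_len))
    return v4, ea & ((1 << psid_len) - 1), psid_len

def inner_source_ok(rule, outer_src, inner_src, inner_sport):
    """True if the inner IPv4 source address/port belong to the outer IPv6 source."""
    binding = expected_binding(rule, outer_src)
    if binding is None:
        return False                    # outer source is not in this MAP domain
    v4, psid, k = binding
    if ipaddress.IPv4Address(inner_src) != v4:
        return False                    # spoofed inner IPv4 source address
    if k == 0:
        return True                     # unshared address: every port is allowed
    a = rule.psid_offset
    if a > 0 and inner_sport >> (16 - a) == 0:
        return False                    # ports whose leading 'a' bits are zero are excluded
    return (inner_sport >> (16 - a - k)) & ((1 << k) - 1) == psid

# Constructed sample data (documentation prefixes).
RULE = MapRule(ipaddress.ip_network("2001:db8::/40"),
               ipaddress.ip_network("192.0.2.0/24"), ea_len=16)
CE_SRC = "2001:db8:12:3400:0:c000:212:34"

if __name__ == "__main__":
    for src4, port in [("192.0.2.18", 1232), ("192.0.2.18", 1236), ("192.0.2.19", 1232)]:
        verdict = "forward" if inner_source_ok(RULE, CE_SRC, src4, port) else "drop"
        print(f"{CE_SRC} -> inner {src4}:{port}: {verdict}")
```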