Simon,

>>> My concern is at the rogue MAP CE. Thus, the spoof protection
>>> filtering should be applied at the attachment PE so that the rogue MAP
>>> CE attempts at spoofing can be squashed at the provider edge.
>>>
>>> Make sense?
>>
>> yes, that was what I meant too (albeit not what I wrote ;-)).
>> the receiving consistency check has to be done both on BR and CE.
>
> That is still not answering Cameron's point IMHO.
>
> - First, doing spoof prevention on the BR doesn't prevent spoofed packets
> from reaching other MAP CEs directly. Second, it allows packets to travel
> across the ISP's network: ideally you'd want to drop them at the edge (PE).

every MAP node does the spoof protection. that prevents spoofed packets
from reaching the other MAP CEs. as a deployment consideration, the
borders of the MAP domain should be protected to hinder tunnelled packets
escaping or entering.

> - Doing spoof prevention on the CE prevents nothing because it's a rogue CE
> you're trying to protect the network against.

doing it on the CE (as well as on the BR) prevents other CEs in the same
domain accepting traffic from the rogue CE.

> As I understand it, Cameron is suggesting that the PE inspect inside IPv6
> packets encapsulating IPv4 packets to apply the MAP spoof check on the IPv4
> source address. This would prevent spoofed MAP packets (correct external IPv6
> source but spoofed internal IPv4 source) from reaching the BR or other MAP
> CEs.
>
> Makes sense to me.

you are saying that every PE needs to know the MAP rules. isn't that
making them into a MAP BR? in any case, the MAP specification should not
specify behaviour on non-MAP nodes.

cheers,
Ole

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
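Worked example, added after the thread and not code from any MAP implementation or from the people quoted above: the receive-side consistency check that a MAP CE or BR applies when it decapsulates a packet, which is what makes spoof protection on every MAP node effective against a rogue CE. The Basic Mapping Rule (2001:db8::/40, 192.0.2.0/24, 16 EA bits, PSID offset 6), the CE address and the packets are constructed for illustration. The address format and port-set derivation follow RFC 7597 sections 5.1 and 5.2; the final interface-identifier comparison is a stricter form of the check than the address-and-port test alone and is this example's own assumption.

```python
"""MAP-E receive-side anti-spoofing check (RFC 7597): a decapsulating MAP
node verifies that the inner IPv4 source address and port are the ones the
domain's Basic Mapping Rule (BMR) assigns to the outer IPv6 source address.
The BMR and the packets used below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


@dataclass(frozen=True)
class BMR:
    ipv6_prefix: IPv6Network   # rule IPv6 prefix, length r
    ipv4_prefix: IPv4Network   # rule IPv4 prefix, length p
    ea_len: int                # o, number of EA bits after the rule IPv6 prefix
    psid_offset: int = 6       # a, PSID offset in the port (RFC 7597 default)

    @property
    def psid_len(self) -> int:
        # k = o - (32 - p): EA bits left for the PSID once the IPv4 suffix is taken
        return self.ea_len - (32 - self.ipv4_prefix.prefixlen)


def ea_bits(rule: BMR, v6: IPv6Address) -> int:
    """The o EA bits that follow the rule IPv6 prefix in a MAP IPv6 address."""
    shift = 128 - rule.ipv6_prefix.prefixlen - rule.ea_len
    return (int(v6) >> shift) & ((1 << rule.ea_len) - 1)


def ipv4_and_psid_from_ipv6(rule: BMR, v6: IPv6Address) -> tuple:
    """Decode the (IPv4 address, PSID) that the EA bits of v6 encode under the rule."""
    ea, k = ea_bits(rule, v6), rule.psid_len
    suffix = ea >> k                          # 32 - p bits of IPv4 suffix
    psid = ea & ((1 << k) - 1)                # k bits of PSID
    return IPv4Address(int(rule.ipv4_prefix.network_address) | suffix), psid


def psid_of_port(rule: BMR, port: int) -> int:
    """PSID carried in a port: k bits starting a bits from the top (RFC 7597 5.1)."""
    m = 16 - rule.psid_offset - rule.psid_len
    return (port >> m) & ((1 << rule.psid_len) - 1)


def port_set(rule: BMR, psid: int) -> list:
    """All ports a CE with this PSID may use; the A=0 range (system ports) is
    excluded when the PSID offset is non-zero."""
    a, k = rule.psid_offset, rule.psid_len
    m = 16 - a - k
    first_a = 1 if a > 0 else 0
    return [(A << (16 - a)) | (psid << m) | M
            for A in range(first_a, 1 << a) for M in range(1 << m)]


def map_ipv6_address(rule: BMR, v4: IPv4Address, psid: int, subnet_id: int = 0) -> IPv6Address:
    """CE MAP IPv6 address (RFC 7597 5.2): rule prefix | EA bits | subnet ID |
    interface ID, where the 64-bit interface ID is 0 (16) | IPv4 (32) | PSID (16)."""
    r, o, k = rule.ipv6_prefix.prefixlen, rule.ea_len, rule.psid_len
    suffix = int(v4) & ((1 << (32 - rule.ipv4_prefix.prefixlen)) - 1)
    ea = (suffix << k) | psid
    high = (int(rule.ipv6_prefix.network_address) >> 64) | (ea << (64 - r - o)) | subnet_id
    iid = (int(v4) << 16) | psid
    return IPv6Address((high << 64) | iid)


def inner_source_is_consistent(rule: BMR, outer_src: str, inner_src: str, inner_sport: int) -> bool:
    """The check a MAP CE or BR applies on decapsulation. False means the
    packet must be dropped: spoofed, or not from this rule's domain at all."""
    v6 = IPv6Address(outer_src)
    if v6 not in rule.ipv6_prefix:
        return False                              # this rule does not cover the outer source
    want_v4, want_psid = ipv4_and_psid_from_ipv6(rule, v6)
    if IPv4Address(inner_src) != want_v4:
        return False                              # spoofed inner IPv4 source
    if rule.psid_len > 0:                         # shared IPv4 address: port must be in the CE's set
        if rule.psid_offset > 0 and (inner_sport >> (16 - rule.psid_offset)) == 0:
            return False                          # A=0 ports are never assigned to any CE
        if psid_of_port(rule, inner_sport) != want_psid:
            return False                          # port belongs to another CE's PSID
    # Strict form (an assumption of this example): the interface ID must repeat
    # the same IPv4 address and PSID that the EA bits encode.
    iid = int(v6) & ((1 << 64) - 1)
    return iid == ((int(want_v4) << 16) | want_psid)


if __name__ == "__main__":
    # Constructed domain: CE holding 192.0.2.18 with PSID 0x34 (ports 1232-1235, 2256-2259, ...)
    rule = BMR(IPv6Network("2001:db8::/40"), IPv4Network("192.0.2.0/24"), ea_len=16)
    ce = str(map_ipv6_address(rule, IPv4Address("192.0.2.18"), 0x34))
    for inner, port in (("192.0.2.18", 1232), ("192.0.2.19", 1232), ("192.0.2.18", 1236), ("192.0.2.18", 80)):
        verdict = "accept" if inner_source_is_consistent(rule, ce, inner, port) else "drop"
        print(f"outer {ce} inner {inner}:{port} -> {verdict}")
```

The same function serves both directions Ole mentions: a CE applies it to traffic arriving from other CEs (mesh mode), a BR to traffic arriving from any CE, so a rogue CE with a correct outer IPv6 source but a forged inner IPv4 source or a port outside its PSID set is dropped by whichever MAP node decapsulates. Nothing here needs a PE to know the rules.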
