>> A rogue MAP CE starts sending malicious random SYN flood traffic to the
>> BR. The
>
> This is nothing different from the scenario of a rogue CE in non-MAP
> environment sending unwanted traffic to an unknown destination. The first
> hop router (and subsequent routers) forward the traffic, per the default
> route, but the traffic gets dropped at the boundary router, which has the
> full routing table (with specific routes). There is no spoofing in this
> case, of course.
>
>> My thought is uRPF on the attachment PE would limit this issue
>
> I agree, but it is outside the MAP specification, IMO.

a) the BR operator knows who the rogue CE is based on the IPv6 source address.
   (assuming IPv6 BCP38, if not, you're in trouble)
b) the BR is stateless, it doesn't care about SYN packets, it can silently drop
   any packet violating the check at high rate.

cheers,
Ole
_______________________________________________
Softwires mailing list
https://www.ietf.org/mailman/listinfo/softwires