On Apr 26, 2013, at 5:22 PM, Simon Perreault wrote:

> On 2013-04-26 16:50, Rajiv Asati (rajiva) wrote:
>> Thankfully, in MAP, both CE and BR employ the so-called port-range aware
>> uRPF, as Ole well clarified. So, the possibility of any device causing any
>> grief to any other device (in the network - CE or outside the network -
>> via BR) just does NOT exist.
>
> Right.
>
> In this security model, spoofed packets are allowed to be injected in the MAP
> domain. They will travel all the way to their destination. When they reach it,
> the spoof check is performed, and at this point they are dropped.
>
> In other words, in the MAP model the check is at the egress point, whereas in
> the BCP38 model the check is at the ingress point.

MAP is checking the mapping between the IP overlay and underlay. No more, no less. It is not doing, and thus is not a replacement for, BCP38. BCP 38 should still be done, for IPv4 and IPv6, at appropriate locations, independently of MAP.

> Egress checking could be well justified, but it needs to at least be
> specifically highlighted in the security considerations section.

Just be sure to identify that which is general best practice for any IPv6 or IPv4 network edge, and that which is MAP-specific. We don't want feature creep into MAP that which is generally applicable to any single or dual-stack network.

- Mark

> Simon
> --
> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
> STUN/TURN server --> http://numb.viagenie.ca
> _______________________________________________
> Softwires mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/softwires
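The distinction the thread draws, a MAP overlay/underlay binding check versus a BCP38 ingress prefix check, is easier to see side by side. The block below is an added Python model written for this page; it is not code from the list, from the MAP drafts, or from any MAP implementation. It follows the RFC 7597 port-set layout (port = A offset bits | PSID bits | contiguous bits, with the A == 0 block excluded when a > 0), but the rule prefixes, CE prefix, EA-bit split and packet values are constructed example values, and `map_source_check` is a simplified stand-in for what a BR or CE does when it verifies that the inner IPv4 source address and port belong to the CE identified by the outer IPv6 address.

```python
# Added example: a simplified model of the MAP "port-range aware" source check
# next to a BCP38-style ingress check. Rule values below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MapRule:
    ipv6_prefix: ipaddress.IPv6Network  # rule IPv6 prefix (constructed value)
    ipv4_prefix: ipaddress.IPv4Network  # rule IPv4 prefix (constructed value)
    ea_len: int                         # EA bits = IPv4 suffix bits + PSID bits
    offset_bits: int                    # 'a': high port bits that select a block

    @property
    def ipv4_suffix_bits(self) -> int:
        return 32 - self.ipv4_prefix.prefixlen

    @property
    def psid_len(self) -> int:          # 'k'
        return self.ea_len - self.ipv4_suffix_bits

    @property
    def contiguous_bits(self) -> int:   # 'm' = 16 - a - k
        return 16 - self.offset_bits - self.psid_len


def psid_of_port(rule: MapRule, port: int) -> int:
    """Extract the PSID field from a port: port = A (a bits) | PSID (k bits) | M (m bits)."""
    return (port >> rule.contiguous_bits) & ((1 << rule.psid_len) - 1)


def port_belongs_to_psid(rule: MapRule, port: int, psid: int) -> bool:
    """True if this port is inside the port set assigned to the given PSID."""
    # With a > 0 the block A == 0 (the system/well-known ports) belongs to no CE.
    if rule.offset_bits > 0 and (port >> (16 - rule.offset_bits)) == 0:
        return False
    return psid_of_port(rule, port) == psid


def derive_ce_mapping(rule: MapRule, ce_prefix: ipaddress.IPv6Network):
    """Read the EA bits that follow the rule prefix; return (IPv4 address, PSID)."""
    if not ce_prefix.subnet_of(rule.ipv6_prefix):
        raise ValueError("CE prefix is not covered by this rule")
    shift = 128 - rule.ipv6_prefix.prefixlen - rule.ea_len
    ea_bits = (int(ce_prefix.network_address) >> shift) & ((1 << rule.ea_len) - 1)
    suffix = ea_bits >> rule.psid_len
    psid = ea_bits & ((1 << rule.psid_len) - 1)
    ipv4 = ipaddress.IPv4Address(int(rule.ipv4_prefix.network_address) + suffix)
    return ipv4, psid


def map_source_check(rule: MapRule, ce_prefix: ipaddress.IPv6Network,
                     inner_src: str, inner_src_port: int) -> bool:
    """The port-range aware check: the inner IPv4 source address/port pair must
    map back to the CE identified by the outer IPv6 source prefix."""
    ipv4, psid = derive_ce_mapping(rule, ce_prefix)
    return (ipaddress.IPv4Address(inner_src) == ipv4
            and port_belongs_to_psid(rule, inner_src_port, psid))


def bcp38_ingress_check(assigned_prefix: str, src: str) -> bool:
    """BCP38-style ingress filter: the source must lie in the prefix assigned to
    the interface the packet arrived on. No port or overlay knowledge involved."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(assigned_prefix)


# Constructed domain: /40 IPv6 rule prefix, /24 shared IPv4 prefix, 16 EA bits
# (8 suffix bits + 8 PSID bits), a = 6 -> each CE owns 63 blocks of 4 ports.
EXAMPLE_RULE = MapRule(ipaddress.IPv6Network("2001:db8::/40"),
                       ipaddress.IPv4Network("192.0.2.0/24"), ea_len=16, offset_bits=6)
# Constructed CE prefix: EA bits 0x2a13 -> IPv4 192.0.2.42, PSID 0x13 (19).
EXAMPLE_CE = ipaddress.IPv6Network("2001:db8:2a:1300::/56")


if __name__ == "__main__":
    print(derive_ce_mapping(EXAMPLE_RULE, EXAMPLE_CE))
    # Legitimate pair for this CE (block A=5, PSID 19, j=1) vs. two spoofed ones.
    for addr, port in [("192.0.2.42", 5197), ("192.0.2.43", 5197), ("192.0.2.42", 5200)]:
        print(addr, port, map_source_check(EXAMPLE_RULE, EXAMPLE_CE, addr, port))
    print(bcp38_ingress_check("192.0.2.0/24", "198.51.100.7"))
```

Note what each check does and does not cover: `map_source_check` accepts 192.0.2.42:5197 for this CE but rejects the same port with a neighbouring address, and the same address with a port from another CE's set, which is exactly the overlay/underlay binding Mark describes. It says nothing about a packet whose outer IPv6 source was itself spoofed before it reached the MAP domain; that is what the BCP38 check at the access edge is for, and why the two are complementary rather than interchangeable.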
