IPv6 Infrastructure PI

David Freedman david.freedman at uk.clara.net
Thu Jun 3 11:49:46 CEST 2010


Now we have "LIRs can qualify for an IPv6 PI assignment for parts of their
own infrastructure that are not used for customer end sites" in RIPE-481.
I have been hearing talk of organisations applying for this to number their
infrastructure out of it and make the space un-routable for security
purposes.

Would be keen to know what others think of this; here are the points I made:

- That it is no different to people using IPv4 un-routed infrastructure
addressing (i.e. unshared RFC1918)

- That I could still use ULA, pure link-local, unnumbered /128 POS etc.

- That customer networks would still be attached to your equipment and the
global addressing for their gateways is still an attack vector.

- That once I know that there is some unique addressing which is trusted by
your equipment, I know that if you slip up and don't filter it everywhere on
ingress I can static route back to you somehow (through peering or customer
connection) and impersonate your trusted hosts.

I know this is not a new argument, but I'm interested to hear what others
think...


------------------------------------------------
David Freedman 
Group Network Engineering
Claranet Limited
http://www.clara.net
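
An added example, not part of the original post: a Python audit for the failure mode in the last bullet, an external-facing interface whose ingress filter still accepts packets sourced from the infrastructure prefix. The prefix, the interface names and the ordered first-match rule model with a configurable implicit action are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefix, hypothetical interface names).
INFRA = ipaddress.ip_network("2001:db8:ffff::/48")
EDGE_ACLS = {  # ordered first-match ingress rules: (action, source prefix)
    "peer-ix1": [("deny", "2001:db8:ffff::/48"), ("permit", "::/0")],
    "cust-a": [("permit", "2001:db8:a::/48"), ("deny", "::/0")],
    "cust-b": [("permit", "::/0")],                        # no anti-spoof rule
    "transit-1": [("deny", "2001:db8:ffff:8000::/49"), ("permit", "::/0")],
    "peer-ix2": None,                                      # no ACL bound at all
}

def leaked_sources(rules, infra, implicit="deny"):
    """Return the parts of `infra` this ACL would accept as a source address."""
    if rules is None:                  # unfiltered interface: everything passes
        return [infra]
    undecided, leaked = [infra], []
    for action, prefix in rules:
        rule_net = ipaddress.ip_network(prefix)
        if rule_net.version != infra.version:
            continue
        still = []
        for net in undecided:
            if not net.overlaps(rule_net):
                still.append(net)      # rule does not touch this part
                continue
            if net.subnet_of(rule_net):
                matched = net          # rule decides the whole remaining block
            else:                      # rule is more specific: split the block
                matched = rule_net
                still.extend(net.address_exclude(rule_net))
            if action == "permit":
                leaked.append(matched)
        undecided = still
    if implicit == "permit":           # platform-dependent; assumption, set per device
        leaked.extend(undecided)
    return sorted(leaked)

def audit(acls, infra):
    """Map each interface that accepts infrastructure sources to the leaked ranges."""
    report = {}
    for name, rules in acls.items():
        leaked = leaked_sources(rules, infra)
        if leaked:
            report[name] = [str(n) for n in leaked]
    return report

if __name__ == "__main__":
    for name, nets in audit(EDGE_ACLS, INFRA).items():
        print(f"{name}: accepts spoofable infrastructure sources {nets}")
```

The partial deny on the constructed `transit-1` entry shows why a per-prefix split matters: half of the infrastructure block is still accepted even though an anti-spoofing rule is present.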





More information about the ipv6-ops mailing list