IPv6 Infrastructure PI
David Freedman
david.freedman at uk.clara.net
Thu Jun 3 11:49:46 CEST 2010
Now we have "LIRs can qualify for an IPv6 PI assignment for parts of their
own infrastructure that are not used for customer end sites" in RIPE-481
Have been hearing talk of organisations applying for this to number their
infrastructure out of it and make the space un-routable for security
purposes.
Would be keen to know what others think of this, here are the points I made:
- That it is no different to people using IPV4 un-routed infrastructure
addressing (i.e unshared RFC1918)
- That I could still use ULA, pure linklocal, unnumbered /128 POS etc..
- That customer networks would still be attached to your equipment and the
global addressing for their gateways are still attack vectors.
- That once I know that there is some unique addressing which is trusted by
your equipment, I know that if you slip up and don't filter it everywhere on
ingress I can static route back to you somehow (through peering or customer
connection) and impersonate your trusted hosts.
I know this is not a new argument, but I'm interested to hear what others
think...
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
More information about the ipv6-ops
mailing list