IPv6 Infrastructure PI

Gert Doering gert at space.net
Thu Jun 3 12:03:06 CEST 2010


Hi,

On Thu, Jun 03, 2010 at 10:49:46AM +0100, David Freedman wrote:
> Now we have "LIRs can qualify for an IPv6 PI assignment for parts of their
> own infrastructure that are not used for customer end sites" in RIPE-481
> Have been hearing talk of organisations applying for this to number their
> infrastructure out of it and make the space un-routable for security
> purposes.
> 
> Would be keen to know what others think of this, here are the points I made:
> 
> - That it is no different to people using IPV4 un-routed infrastructure
> addressing (i.e unshared RFC1918)

It's better than that, because the addresses are guaranteed to be unique,
and you can even have reverse DNS for it.  RFC1918 for "visible" 
infrastructure (e.g. showing up in traceroutes) violates RFC1918 and,
generally, sucks.

> - That I could still use ULA, pure linklocal, unnumbered /128 POS etc..

ULA would also be a workable approach.

Pure link-local works, but has the disadvantage that you can't ping
the individual interfaces from your network monitoring systems.

> - That customer networks would still be attached to your equipment and the
> global addressing for their gateways are still attack vectors.

Correct for your edge systems.

> - That once I know that there is some unique addressing which is trusted by
> your equipment, I know that if you slip up and don't filter it everywhere on
> ingress I can static route back to you somehow (through peering or customer
> connection) and impersonate your trusted hosts.

True as well: hack a customer PC, access your network from there...

So "non-routed backbone addresses alone" isn't auto-securing your network,
you also need to filter it against folks statically routing it to you or
against your customers trying to get access to it.

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  150584

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
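The filtering requirement Gert closes with (drop traffic that arrives on peering or customer ports with an infrastructure address as source or destination, and make the same rule work for ULA) as an added example; this is not code from the original post, from SpaceNet or from the list, and it models the check in Python rather than in any router's ACL syntax. The prefix 2001:db8:ffff::/48 is the RFC 3849 documentation range standing in for a hypothetical infrastructure PI block, fc00::/7 covers the ULA alternative, and the interfaces and packets are constructed sample data; the one exception it carries is a directly connected neighbour talking to our own link address (the eBGP session on a PNI numbered from the block).

```python
"""Model of an ingress filter for a non-routed IPv6 infrastructure block.

Added example, not from the original post. Prefixes, interface names and
packets are constructed; 2001:db8::/32 is the documentation prefix.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Addresses that must never be reachable from, or claimed by, the outside.
INFRA_PREFIXES = [
    ipaddress.ip_network("2001:db8:ffff::/48"),  # hypothetical infrastructure PI
    ipaddress.ip_network("fc00::/7"),             # ULA, if that is used instead
]


def in_infra(addr: ipaddress.IPv6Address) -> bool:
    """True if addr lies inside the infrastructure (or ULA) space."""
    return any(addr in net for net in INFRA_PREFIXES)


def addrs(*strs: str) -> FrozenSet[ipaddress.IPv6Address]:
    return frozenset(ipaddress.ip_address(s) for s in strs)


@dataclass(frozen=True)
class Interface:
    name: str
    external: bool                       # peering or customer-facing port
    near_end: FrozenSet[ipaddress.IPv6Address] = frozenset()  # our addresses on the link
    far_end: FrozenSet[ipaddress.IPv6Address] = frozenset()   # the neighbour's addresses


def verdict(iface: Interface, src: str, dst: str) -> Tuple[str, str]:
    """Decide whether a packet entering on iface is permitted, with a reason.

    Internal ports are not filtered. On external ports:
      - a source inside the block is spoofing, unless it is the directly
        connected neighbour's own link address (PNI numbered from the block);
      - a destination inside the block is someone static-routing it to us or a
        customer reaching for it, unless it is our own address on that link,
        which the neighbour legitimately talks to (eBGP, ICMPv6).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not iface.external:
        return "permit", "internal port, not filtered"
    if in_infra(s) and s not in iface.far_end:
        return "drop", "infrastructure source on external port (spoofed)"
    if in_infra(d) and d not in iface.near_end:
        return "drop", "infrastructure destination on external port"
    return "permit", "transit or directly connected neighbour"


# Constructed interfaces: a customer port, a private peering link numbered out
# of the infrastructure block, and a core-facing port.
CUST = Interface("cust-42", external=True,
                 near_end=addrs("2001:db8:2::1"))
PNI = Interface("pni-peer", external=True,
                near_end=addrs("2001:db8:ffff:1::1"),
                far_end=addrs("2001:db8:ffff:1::2"))
CORE = Interface("core-1", external=False)

# Constructed packets: (interface, source, destination).
SAMPLE_PACKETS = [
    (CUST, "2001:db8:ffff::10", "2001:db8:1::1"),        # customer spoofs a router loopback
    (CUST, "2001:db8:2::5", "2001:db8:ffff::10"),        # customer static-routed the block to us
    (CUST, "fd00::1", "2001:db8:3::1"),                  # ULA source leaking in
    (CUST, "2001:db8:2::5", "2001:db8:3::1"),            # ordinary transit
    (PNI, "2001:db8:ffff:1::2", "2001:db8:ffff:1::1"),   # eBGP to our side of the link
    (PNI, "2001:db8:ffff:1::2", "2001:db8:ffff::10"),    # peer reaching past the link
    (CORE, "2001:db8:ffff::10", "2001:db8:ffff::11"),    # backbone to backbone
]


def filter_report(packets=SAMPLE_PACKETS) -> List[Tuple[str, str, str, str]]:
    """Run every sample packet through the filter; returns (iface, src, dst, action)."""
    return [(i.name, s, d, verdict(i, s, d)[0]) for i, s, d in packets]


if __name__ == "__main__":
    for name, s, d, action in filter_report():
        print(f"{name:9} {s:>22} -> {d:<22} {action}")
```

The order of the two checks matters: the source test runs first so that a spoofed infrastructure source addressed to our own link address is still dropped, and the neighbour exception is keyed to the specific far-end address rather than to the whole block, which keeps a PNI peer from using its link address as a springboard into loopbacks. A production version would be applied per edge port in the router's ACL language; this model only shows which packets such an ACL has to cover.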

