6VPE Route Reflector
Cameron Byrne
cb.list6 at gmail.com
Fri Sep 24 16:42:48 CEST 2010
On Fri, Sep 24, 2010 at 7:12 AM, Martin Horneffer <maho at nic.dtag.de> wrote:
> On Sun, Sep 19, 2010 at 10:22:17AM -0700, Cameron Byrne wrote:
> [..]
>> This is not a huge setback, but it was an unexpected step. Does
>> anyone know a way around this requirement on a route reflector? I
>> assume adding "ipv6 unicast-routing" enables some code pieces that are
>> required for the route reflector to choose routes and handle the ipv6
>> data structures, but my concern is that it also turns on other IPv6
>> bits that I don't want to have on my route reflector at this point.
>
> My situation is a bit different, but the software was close to your
> version and I experienced the same.
>
> But anyway, what kind of concern do you have?
>
Mostly surprise. In my mind, 6VPE only had edge impacts for IPv6
deployment, but I consider route reflector changes of this nature to
be a core impact. This impact cascades into the scope of what it
means to bring IPv6 into operations. So, operational concerns are
what first came to mind and that includes security and exposure to
bugs from new code paths in the core.
I was told this requirement of IPv6 routing on route reflectors is
only for IOS, IOS-XR does not have the same requirement.
> As for security: I would suppose that as long as you don't configure
> IPv6 on any interface still no IPv6 communication between the outside
> and your router should be possible.
>
Correct, but do those new code paths open up silent loopback
interfaces? Or link local addresses? From looking at the router, I
would say no. But, this is the risk of turning on IPv6 routing when
you do not expect it. It is probably still prudent to put an IPv6 ACL
on the VTY even though there is no IPv6 address configured. If for no
other reason than that some other engineer will see IPv6 unicast routing
turned on and may add an address later.... or a later version of code
will enable link local addresses by default and that may be a path to
access the router and circumvent the security controls.
> As for activating new code paths: I guess this happens anyways if you
> activate RR functionality for a new address-family.
>
But the scope would be just for BGP route reflection versus system
wide enablement.
Cameron
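The precaution discussed in this reply (an IPv6 ACL on the VTY even though no IPv6 address is configured, because "ipv6 unicast-routing" is on) can be checked mechanically. The following is an added example, not code or configuration from the thread: a small audit script that parses an IOS-style running config and reports VTY lines with no `ipv6 access-class`, and any interface on which IPv6 has been enabled. The two sample configs, the hostname, ACL names, AS number and addresses are constructed for the example; the IOS commands themselves (`ipv6 unicast-routing`, `ipv6 access-list`, `ipv6 access-class ... in`, `ipv6 enable`) are standard IOS syntax.

```python
"""Config audit for the exposure discussed above: 'ipv6 unicast-routing'
turned on (as 6VPE route reflection on IOS requires) on a box that is not
meant to speak IPv6 yet. Constructed example; the configs below are made
up for illustration, not taken from the thread."""

from typing import Dict, List, Optional, Tuple

Section = Tuple[str, List[str]]

# Constructed sample: a route reflector with IPv6 routing enabled for
# vpnv6 reflection, an IPv4 VTY ACL, and no IPv6 ACL on the VTY.
WEAK_RR_CONFIG = """
hostname rr1
!
ipv6 unicast-routing
!
ip access-list standard VTY-V4-MGMT
 permit 192.0.2.0 0.0.0.255
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
router bgp 64512
 address-family vpnv6
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-reflector-client
 exit-address-family
!
line vty 0 4
 access-class VTY-V4-MGMT in
 transport input ssh
"""

# Same box with the mitigation from the thread applied: an IPv6 ACL on the
# VTY even though no interface carries an IPv6 address yet.
HARDENED_RR_CONFIG = WEAK_RR_CONFIG.replace(
    "line vty 0 4\n access-class VTY-V4-MGMT in\n",
    "ipv6 access-list VTY-V6-MGMT\n"
    " permit ipv6 2001:db8:100::/64 any\n"
    " deny ipv6 any any log\n"
    "!\n"
    "line vty 0 4\n"
    " access-class VTY-V4-MGMT in\n"
    " ipv6 access-class VTY-V6-MGMT in\n",
)


def parse_ios_config(text: str) -> List[Section]:
    """Split an IOS config into (top-level command, [child commands]).

    IOS nests by leading whitespace; a column-0 line opens a section and
    '!' separates sections. Deeper nesting (address-family under router
    bgp) is flattened into the parent's children, enough for this audit.
    """
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(stripped)
        else:
            current = (stripped, [])
            sections.append(current)
    return sections


def audit_rr_ipv6(text: str) -> Dict[str, object]:
    """Report where the box would be exposed if IPv6 became reachable."""
    sections = parse_ios_config(text)
    ipv6_routing = any(h == "ipv6 unicast-routing" for h, _ in sections)
    vty_missing: List[str] = []
    ipv6_ifaces: List[str] = []
    for header, children in sections:
        if header.startswith("line vty"):
            # A bare 'access-class' is the IPv4 ACL; IPv6 needs its own.
            if not any(c.startswith("ipv6 access-class") for c in children):
                vty_missing.append(header)
        elif header.startswith("interface "):
            if any(c.startswith("ipv6 address") or c == "ipv6 enable"
                   for c in children):
                ipv6_ifaces.append(header.split(None, 1)[1])
    findings: List[str] = []
    if ipv6_routing or ipv6_ifaces:
        for line in vty_missing:
            findings.append(f"{line}: no 'ipv6 access-class'; an IPv6 "
                            "address added later would expose the VTY")
    for name in ipv6_ifaces:
        findings.append(f"interface {name}: IPv6 enabled on a box "
                        "expected to be IPv4-only")
    return {
        "ipv6_routing": ipv6_routing,
        "vty_missing_v6_acl": vty_missing,
        "ipv6_interfaces": ipv6_ifaces,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_RR_CONFIG), ("hardened", HARDENED_RR_CONFIG)):
        print(label, audit_rr_ipv6(cfg)["findings"] or ["ok"])
```

Running it prints one finding for the weak config (the VTY has only an IPv4 access-class) and none for the hardened one. The check deliberately fires on the combination the thread describes, IPv6 routing enabled with no IPv6 VTY ACL, rather than on the presence of an IPv6 address, so it catches the box before someone adds one.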