ipv6 next-hop link-local
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Sun Feb 20 00:37:28 CET 2011
On Sat, 19 Feb 2011 12:21:38 +0100
Bjørn Mork <bjorn at mork.no> wrote:
> Mark Smith <nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org>
> > On Sat, 19 Feb 2011 11:07:22 +0100
> > Gert Doering <gert at space.net> wrote:
> >> Exchange points usually renumber their fabric when they run out of
> >> available addresses for participant routers - which won't happen
> >> with IPv6).
> > There's no real need for GTSM if link locals are used, and the threat of
> > SYN or similar control plane attacks from off-link sources disappears.
> I have a hard time seeing what that buys you on an IX.
These sorts of attacks typically come from within ISP or hosting/colo
ASes ... surely you're not arguing that those types of ASes don't
connect to IXes?
I know which I'd prefer - the threat of an attack from devices
limited to link-local source addresses and therefore on the same
link, versus a botnet of 100s or 1000s of devices with many and
diverse global source addresses from peer ASes and potentially
many ASes downstream from those ASes.
> You should worry
> just as much about the on-link sources.
I don't agree. If you've got access to the IX link you've got
privileged access, and are also likely to be operationally responsible
for any faults that occur relating to it. You have a strong motive
and a vested interest in not maliciously disrupting it. If you were
under attack from another IX peer, using link-locals, on the same
link, it'd be obvious who they are and much easier to stop them.
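To make the comparison in this thread concrete, here is an added toy model (not from the thread or any vendor) of the two control-plane filters being discussed: a BGP session bound to link-local addresses versus a GTSM hop-limit check. The Packet class, addresses and sample traffic are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
BGP_PORT = 179  # only the BGP control plane is filtered here


@dataclass
class Packet:
    """Constructed toy model of an IPv6 TCP segment arriving at an IX router."""
    src: str
    dst: str
    dport: int
    hop_limit: int  # value on arrival; each forwarding hop decrements it


def accept_link_local(pkt: Packet) -> bool:
    """Peering session bound to link-local addresses on both ends.
    fe80::/10 is never forwarded, so a packet with a link-local source and
    destination can only have been emitted on this very link."""
    if pkt.dport != BGP_PORT:
        return True
    return (ipaddress.ip_address(pkt.src) in LINK_LOCAL
            and ipaddress.ip_address(pkt.dst) in LINK_LOCAL)


def accept_gtsm(pkt: Packet) -> bool:
    """GTSM (RFC 5082): a directly connected peer sends with hop limit 255;
    anything that was forwarded arrives at 254 or lower and is dropped."""
    if pkt.dport != BGP_PORT:
        return True
    return pkt.hop_limit == 255


# Constructed sample traffic: an on-link link-local peer, an on-link peer
# using global IX fabric addresses, and an off-link SYN from behind a peer AS.
SAMPLES = {
    "onlink_linklocal": Packet("fe80::1", "fe80::2", BGP_PORT, 255),
    "onlink_global":    Packet("2001:db8:ff::1", "2001:db8:ff::2", BGP_PORT, 255),
    "offlink_global":   Packet("2001:db8:1::bad", "2001:db8:ff::2", BGP_PORT, 250),
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (accepted_by_link_local, accepted_by_gtsm)}."""
    return {name: (accept_link_local(p), accept_gtsm(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (ll, gtsm) in evaluate().items():
        print(f"{name:18} link-local={ll!s:5} gtsm={gtsm}")
```

Both filters reject the off-link SYN; the difference is that the link-local policy also refuses an on-link peer that still uses global fabric addresses, which is the renumbering trade-off the thread is about.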