Something with filters

Eric Vyncke (evyncke) evyncke at cisco.com
Thu Aug 28 16:56:13 CEST 2014


Hi Enno,

Regarding a 3GPP phone, AFAIK, it receives a /64 so it is scalable and
easy to enforce uRPF at the very first layer-3 routers. Same for a home
CPE (with a very minor impact, uRPF has the same performance as plain
forwarding == same lookup technique), and anyway the BNG/BRAS does DHCP-PD
snooping and should do uRPF as well. Pretty much like in IPv4.

But, we may indeed suspect that uRPF on a longer prefix such as /96 (??)
could be as efficient as forwarding to a /96, which is rumored to be less
efficient than forwarding to a prefix shorter than 64. Just a wild guess
(and please do not assume some magical knowledge of mine based on my email
address).

-éric


On 28/08/14 16:31, "Enno Rey" <erey at ernw.de> wrote:

>Eric, guys,
>
>On Thu, Aug 28, 2014 at 02:28:53PM +0000, Eric Vyncke (evyncke) wrote:
>> The mapped IPv4 address is probably coming out of a 6PE (or 6VPE) MPLS
>>router where the HopLimit field is copied into the MPLS header and when
>>the poor P router in charge of sending the ICMPv6 has no IPv6 address at
>>all? This is per RFC and perhaps an explanation why uRPF is not
>>activated?
>> 
>> No explanation about the :: address though?
>> 
>> As a security person, I would love to have uRPF enabled where possible
>>but I am afraid that even in IPv4 it is not deployed everywhere :-(
>
>To be honest, as another security person, I'm not really sure about the
>benefit of uRPF in the IPv6 world, in some scenarios.
>Imagine a single infected smartphone on LTE, generating connections with
>potentially 2^64 different source addresses from its assigned /64. How
>would you counter that with uRPF?
>Not to speak about a home device sitting behind a CPE (and mimicking
>connections from different /64s being part of the /56 the CPE "got")...
>Thoughts?
>
>best
>
>Enno
>
>> 
>> -éric
>> 
>> PS: indeed, ask your vendors for features, customers have much more
>>power than you guess :-)
>> 
>> From: Lorenzo Colitti <lorenzo at google.com>
>> Date: Thursday, 28 August 2014 07:46
>> To: Jeroen Massar <jeroen at massar.ch>
>> Cc: IPv6 Ops list <ipv6-ops at lists.cluenet.de>
>> Subject: Re: Something with filters
>> 
>> On Wed, Aug 27, 2014 at 9:01 AM, Jeroen Massar <jeroen at massar.ch> wrote:
>>  9  2001:5a0:a00::2e (2001:5a0:a00::2e)  79.018 ms  79.910 ms  79.960 ms
>> 10  :: (::)  101.893 ms  102.004 ms  103.574 ms
>> 11  rar3.chicago-il.us.xo.net (::ffff:65.106.1.155)  104.732 ms
>> 
>> Yeah baby, we can use the unspecified address in ICMP replies!
>> 
>> The mapped IPv4 address in there is pretty cool, too...
>
>-- 
>Enno Rey
>
>ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
>Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>
>Handelsregister Mannheim: HRB 337135
>Geschaeftsfuehrer: Enno Rey
>
>=======================================================
>Blog: www.insinuator.net || Conference: www.troopers.de
>Twitter: @Enno_Insinuator
>=======================================================