On Thu, 9 Sep 2010 07:43:35 +0200 (CEST) Mikael Abrahamsson <swm...@swm.pp.se> wrote:

> On Thu, 9 Sep 2010, Brian E Carpenter wrote:
>
> > I can't see why that would be a problem for an operator who uses DHCPv6
> > as their supported mechanism.
>
> I'm sure there are a lot in the IETF that agree with you that they don't
> understand why it's a problem, because the IETF has historically been
> totally uninterested in security in development.
>
> If one uses RA, then things like RA guard, RA inspection etc. (SAVI) have to
> work to do this securely in L2 aggregation. If DHCPv6 could be used alone,
> then no intelligence for RA needs to be done, you just filter/drop it and
> a lot of problems go away.
>
> It's the lack of understanding about deployment issues in the IETF

So why aren't operators involving themselves more? I've seen a number of invitations for feedback and comments on IETF in a variety of fora such as nanog and other mailing lists etc., yet rarely does it seem to result in very much participation. Don't they know the IETF price of admission is nothing, other than a bit of time? Don't they realise that following and participating in the IETF gives them an opportunity to be able to both see what may be coming operationally in the future, and possibly influence it as well?

"What we’re saying today is that you're either part of the solution or you’re part of the problem." - Eldridge Cleaver

> that is
> making IPv6 hard to deploy for ISPs today. We're not lazy, it's just that
> 15 years of non-work on security for IPv6 has to be done in a few years,
> this took 5+ years to get right on IPv4 (and it's still not done right by
> a lot of vendors, most likely due to lack of standards).
>
> SAVI is a great step forward, but it seems quite complicated due to the
> fact that the issues SAVI tries to address don't seem to have been
> considered at all when IPv6 (or IPv4) was designed.

Unfortunately I think the fundamental issue that SAVI is trying to address is that if you're on a broadcast shared access media, e.g. a LAN, you have to place a level of trust in your peers that they're not going to disrupt the shared resource, intentionally or otherwise. They have a shared interest in you not doing it to them either. SAVI won't and can't complete this problem - nor can SeND either.

Ultimately I think if you cannot trust your link layer peers at all then you can't have the benefit of sharing it with them. They have to be completely quarantined from each other, via e.g. VLANs, PPPoE etc., with access to the rest of the network via a policy enforcement and vetting device of some sort, i.e. a router doing more than just forwarding packets. SAVI and things like SeND are beneficial halfway measures, avoiding full quarantining.

Regards,
Mark.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
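The "just filter/drop it" RA-guard idea from the quoted text, as an added example that is not part of the original thread or anyone's product: a minimal RA-guard-style classifier in Python that decides, per ingress switch port, whether an ICMPv6 Router Advertisement should be forwarded or dropped. Port names, the trusted-port set and the sample frames are constructed for illustration. It walks the IPv6 extension-header chain instead of trusting only the fixed header's Next Header field, so an RA carried behind a Hop-by-Hop or Destination Options header is still recognised, and it treats a fragmented ICMPv6 packet as suspect because RFC 6980 forbids fragmenting Neighbor Discovery messages.

```python
"""RA-guard style classifier (constructed example, not from the mailing-list thread)."""
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
NEXT_HEADER_FRAGMENT = 44
ICMPV6_ROUTER_ADVERTISEMENT = 134
# Extension headers we step over to reach ICMPv6: Hop-by-Hop, Routing, Destination Options.
# Each has the layout: Next Header (1 byte), Hdr Ext Len (1 byte, in 8-octet units, excluding the first 8).
EXT_HEADERS = {0, 43, 60}


def classify_frame(frame):
    """Return 'ra', 'fragmented-icmpv6', 'malformed' or 'other' for a raw Ethernet frame."""
    if len(frame) < 14 + 40:
        return "other"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV6:
        return "other"
    ip = frame[14:]
    next_header = ip[6]          # Next Header field of the fixed IPv6 header
    offset = 40                  # first byte after the fixed header
    while next_header != NEXT_HEADER_ICMPV6:
        if next_header == NEXT_HEADER_FRAGMENT:
            if offset + 8 > len(ip):
                return "malformed"
            # RFC 6980: Neighbor Discovery messages must not be fragmented, so a
            # fragmented ICMPv6 packet cannot be a legitimate RA; flag it for dropping.
            return "fragmented-icmpv6" if ip[offset] == NEXT_HEADER_ICMPV6 else "other"
        if next_header not in EXT_HEADERS:
            return "other"       # TCP, UDP, ... are not the guard's concern
        if offset + 2 > len(ip):
            return "malformed"   # header chain runs off the end of the packet
        next_header = ip[offset]
        offset += (ip[offset + 1] + 1) * 8
    if offset + 1 > len(ip):     # need at least the ICMPv6 Type byte
        return "malformed"
    return "ra" if ip[offset] == ICMPV6_ROUTER_ADVERTISEMENT else "other"


def ra_guard(frame, ingress_port, router_ports):
    """Policy: RAs are forwarded only from ports where a router is expected (constructed port names)."""
    kind = classify_frame(frame)
    if kind == "other":
        return "forward"
    if kind == "ra" and ingress_port in router_ports:
        return "forward"
    return "drop"                # RA on a host port, fragmented ICMPv6, or malformed chain


def build_frame(icmp_type, ext_chain=(), fragment=False):
    """Constructed test frame: Ethernet + IPv6 + optional extension headers + a 16-byte ICMPv6 message.
    ext_chain lists extension header numbers placed before ICMPv6 (use 0 or 60; the 8-byte body is a
    PadN option). The ICMPv6 checksum is left zero because the classifier does not validate it."""
    payload = struct.pack("!BBH", icmp_type, 0, 0) + bytes(12)
    next_header = NEXT_HEADER_ICMPV6
    for ext in reversed(ext_chain):
        payload = struct.pack("!BB", next_header, 0) + b"\x01\x04" + bytes(4) + payload
        next_header = ext
    if fragment:                 # Fragment header: next, reserved, offset/flags, identification
        payload = struct.pack("!BBHI", next_header, 0, 0, 0x2A) + payload
        next_header = NEXT_HEADER_FRAGMENT
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    ipv6 += bytes.fromhex("fe800000000000000000000000000001")  # src fe80::1 (constructed)
    ipv6 += bytes.fromhex("ff020000000000000000000000000001")  # dst ff02::1 (all-nodes)
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + payload


if __name__ == "__main__":
    router_ports = {"gi1/0/1"}   # constructed: the only port facing the real router
    samples = [
        ("RA from router port", build_frame(134), "gi1/0/1"),
        ("RA from host port", build_frame(134), "gi1/0/7"),
        ("RA behind Hop-by-Hop, host port", build_frame(134, ext_chain=(0,)), "gi1/0/7"),
        ("Neighbor Solicitation, host port", build_frame(135), "gi1/0/7"),
        ("fragmented ICMPv6, host port", build_frame(134, fragment=True), "gi1/0/7"),
    ]
    for label, frame, port in samples:
        print(f"{label:36s} {classify_frame(frame):18s} -> {ra_guard(frame, port, router_ports)}")
```

The classifier only answers "is this an RA and from which port"; a production RA guard also rate-limits, logs the offending source MAC for the operator, and is paired with DHCPv6 snooping when, as Mikael suggests, DHCPv6 rather than RA carries the addressing information.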