Hi Joel,

> On Oct 7, 2022, at 9:07 PM, Joel Halpern <j...@joelhalpern.com> wrote:
> 
> Almost, but not quite.  The first part, up to "egress points" is fine.  But 
> the description of the reasons leaves out one case I think is important.  
> Namely, preventing packets from outside the SR Domain (e.g. from an outside 
> attacker) entering the SRv6 Domain.
> 
> 

Ah. Got it. This is covered in more detail in RFC8754 Section 5.1, but it makes 
sense to at least point to it here. Take 2:

NEW:
In case the deployments do not use this allocated prefix, additional care needs 
to be exercised at network ingress and egress points so that SRv6 packets do 
not leak out of SR domains and they do not accidentally enter SR-unaware 
domains. Similarly, as stated in Section 5.1 of RFC8754, packets entering an SR 
domain from the outside need to be configured to filter out the selected prefix 
if it is different from the prefix allocated here.

Thoughts?

Regards
Suresh
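
The edge filtering discussed in this message, sketched as an added example that is not part of the email, the draft, or RFC 8754. It models the ingress and egress checks from the proposed text plus the per-node source check from RFC 8754 Section 5.1; the prefixes, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed values from the IPv6 documentation range (assumptions, not
# taken from the thread, the draft, or RFC 8754).
SID_BLOCK = ipaddress.ip_network("2001:db8:5000::/36")       # prefix the operator selected for SIDs
INTERNAL_BLOCK = ipaddress.ip_network("2001:db8:a000::/36")  # SR domain interface addresses


def verdict(interface, src, dst):
    """Filter decision for one IPv6 packet at an SR domain node.

    interface: "external-in"  packet arriving from outside the SR domain
               "external-out" packet about to leave the SR domain
               "internal-in"  packet arriving on a link inside the domain
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_sid = dst_ip in SID_BLOCK
    if interface == "external-in":
        # Outside traffic must never be able to address a SID directly.
        return "drop" if to_sid else "accept"
    if interface == "external-out":
        # SRv6 packets must not leak into SR-unaware networks.
        return "drop" if to_sid else "accept"
    if interface == "internal-in":
        # Second layer: a SID is reachable only from domain-internal sources.
        return "drop" if to_sid and src_ip not in INTERNAL_BLOCK else "accept"
    raise ValueError(f"unknown interface role: {interface!r}")


# Constructed packets: (interface, source, destination)
SAMPLE = [
    ("external-in",  "2001:db8:ffff::66", "2001:db8:5000:1::100"),  # outsider targets a SID
    ("external-in",  "2001:db8:ffff::66", "2001:db8:c000::80"),     # ordinary inbound traffic
    ("external-out", "2001:db8:a000::1",  "2001:db8:5000:2::200"),  # SRv6 packet leaking out
    ("internal-in",  "2001:db8:a000::1",  "2001:db8:5000:1::100"),  # legitimate SR traffic
    ("internal-in",  "2001:db8:ffff::66", "2001:db8:5000:1::100"),  # slipped past the edge
]


def run_sample():
    """Return the verdict for each constructed packet, in order."""
    return [verdict(*pkt) for pkt in SAMPLE]


if __name__ == "__main__":
    for pkt, result in zip(SAMPLE, run_sample()):
        print(f"{result:6} {pkt}")
```
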
