Thanks. Good enough for me.
On 10/7/2022 9:16 PM, Suresh Krishnan wrote:
Hi Joel,
On Oct 7, 2022, at 9:07 PM, Joel Halpern <j...@joelhalpern.com> wrote:
Almost, but not quite. The first part, up to "egress points" is
fine. But the description of the reasons leaves out one case I think
is important. Namely, preventing packets from outside the SR Domain
(e.g. from an outside attacker) entering the SRv6 Domain.)
Ah. Got it. This is covered in more detail in RFC8754 Section 5.1 but
it makes sense to at least point to it here. Take 2:
NEW:
In case the deployments do not use this allocated prefix additional
care needs to be exercised at network ingress and egress points so
that SRv6 packets do not leak out of SR domains and they do not
accidentally enter SR unaware domains. Similarly as stated in Section
5.1 of RFC8754 packets entering an SR domain from the outside need to
be configured to filter out the selected prefix if it is different
from the prefix allocated here.
Thoughts?
Regards
Suresh
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring
