IPv6 prefixes longer than /64: are they possible in DOCSIS networks?

Jeff Wheeler jsw at inconcepts.biz
Wed Nov 30 20:35:38 UTC 2011


On Wed, Nov 30, 2011 at 3:13 PM, Owen DeLong <owen at delong.com> wrote:
> As such, I prefer to deploy IPv6 as it is today and resolve the bugs
> and the security issues along the way (much like we did with IPv4).

Why is the Hurricane Electric backbone using /126 link-nets, not /64?
You used to regularly claim there are significant disadvantages to
longer subnets.  At best, you are still claiming there are no
advantages.  These are lies.  Please, Owen, tell us why you aren't
practicing what you preach.

> I haven't said that security issues should be ignored, either. Just that
> they should be viewed in a proper context and assessed with a realistic
> evaluation of the magnitude of the risk and the difficulty of mitigation.

You repeatedly claim that ND exhaustion is a non-issue.  You also
claim you have secret sauce to mitigate attacks.  This, after you
previously claimed that you were using common ACLs to mitigate
attacks, and I showed you how that cannot be true.  Your understanding
of this problem has rocketed from totally clueless to having secrets
you can't discuss.  Except it isn't, because you are also advocating
... denying all traffic to all subnets except the first few hundred
addresses.  What a stellar plan!

Just stop telling lies about this, Owen.  That's all I'm asking.

You, personally, are part of the problem.  If the guy who is supposed
to be the public-facing technical outreach guy for the self-described
leader in IPv6 transit/hosting/etc services continues to go around
claiming this is a non-issue, when it very clearly is, that is
destructive, not helpful.

> What has also been lost here is that my description of the various
> mitigation tactics for ND exhaustion attacks depends on the type
> of network being protected. Strategies that work for point-to-point
> links (simple ACLs at the borders in most environments, for
> example) are not the same as strategies that work to protect
> client LANs (stateful firewalls with default deny inbound) or
> strategies necessary to protect server LANs (slightly more complex
> ACLs and other tactics).

You have no such "simple ACLs at the borders" on the Hurricane
Electric network.  In fact, your mitigation mechanism for the backbone
is exactly what I recommend: deploy longer subnets.  You don't have
any mitigation mechanism for your hosting services, other than
whack-a-mole.

If anyone has trouble believing me, you can do what I did, and email
Owen off-list.  You can say, Owen, I'd like to subscribe to a
Hurricane Electric dedicated server, get myself a /64, and DoS my own
subnet, to see if that affects my box or any other nearby customers.
The reply you'll get will be that your box will be powered off,
because they have no mitigation strategy.

Arguing in the abstract is all fun and games, but when you ask Owen to
show you something that works in a real-world, production environment,
he can't.  That's because Owen's network design is not suitable for
production use in his own environment with routers he claims to have
selected in part based on their performance under ND attacks (another
lie).

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
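As an added illustration of the ND exhaustion argument above (this is not part of Jeff's or Owen's posts, and it is not Hurricane Electric's configuration or any real router's code), the following Python model shows why a sweep of unused addresses in a /64 churns a router's neighbor cache, while a /126 link-net or a border ACL that only permits a small range of host addresses bounds the damage. The `NeighborCache` and `Router` classes, the LRU eviction, the cache capacity of 1024 and the 256-address ACL are assumptions of the model; real routers rate-limit solicitations and queue packets differently, but the asymmetry between 2^64 and 4 possible targets is the point.

```python
"""Toy model of IPv6 neighbor-discovery (ND) cache exhaustion.

Constructed illustration, not a real router implementation.  When a router
forwards a packet to an unresolved address on a directly connected prefix it
creates an INCOMPLETE neighbor-cache entry and starts soliciting.  An attacker
sweeping unused addresses in a /64 can create an unbounded number of such
entries; on a /126 there are only four addresses to target, and a border ACL
that permits only the low host offsets drops the rest before they reach ND.
"""
import ipaddress
from collections import OrderedDict


class NeighborCache:
    """Fixed-size cache with oldest-first eviction (an assumption of the model)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # address -> "REACHABLE" | "INCOMPLETE"
        self.evicted_reachable = 0     # resolved entries lost to INCOMPLETE churn

    def touch(self, addr):
        """Return the entry state, creating an INCOMPLETE entry if absent."""
        if addr in self.entries:
            self.entries.move_to_end(addr)          # refresh as most recently used
            return self.entries[addr]
        if len(self.entries) >= self.capacity:
            _, state = self.entries.popitem(last=False)   # evict the oldest
            if state == "REACHABLE":
                self.evicted_reachable += 1
        self.entries[addr] = "INCOMPLETE"
        return "INCOMPLETE"


class Router:
    def __init__(self, prefix, cache_capacity, acl_allow_hosts=None):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.cache = NeighborCache(cache_capacity)
        # Hypothetical border ACL: when set, only destinations whose host offset
        # within the prefix is below acl_allow_hosts are forwarded; everything
        # else is dropped before it can consume a neighbor-cache entry.
        self.acl_allow_hosts = acl_allow_hosts
        self.dropped = 0

    def host(self, offset):
        """Address at the given host offset, wrapping inside the prefix."""
        return self.prefix.network_address + (offset % self.prefix.num_addresses)

    def learn(self, offset):
        """Simulate a real host answering ND: its entry becomes REACHABLE."""
        self.cache.entries[self.host(offset)] = "REACHABLE"

    def forward(self, dst):
        if dst not in self.prefix:
            return "NOT_CONNECTED"
        offset = int(dst) - int(self.prefix.network_address)
        if self.acl_allow_hosts is not None and offset >= self.acl_allow_hosts:
            self.dropped += 1
            return "DENIED"
        return self.cache.touch(dst)


def simulate(prefix, cache_capacity, legit_hosts, attack_packets, acl_allow_hosts=None):
    """Pre-populate legitimate hosts at low offsets, then sweep from the top down."""
    r = Router(prefix, cache_capacity, acl_allow_hosts)
    for i in range(1, legit_hosts + 1):
        r.learn(i)
    top = r.prefix.num_addresses - 1
    for i in range(attack_packets):          # one packet per distinct target
        r.forward(r.host(top - i))
    still_reachable = sum(1 for i in range(1, legit_hosts + 1)
                          if r.cache.entries.get(r.host(i)) == "REACHABLE")
    return {
        "entries": len(r.cache.entries),
        "incomplete": sum(1 for s in r.cache.entries.values() if s == "INCOMPLETE"),
        "legit_evicted": r.cache.evicted_reachable,
        "legit_still_reachable": still_reachable,
        "dropped_by_acl": r.dropped,
    }


if __name__ == "__main__":
    # Constructed scenarios: a /64 server LAN, a /126 link-net, and the /64
    # again behind an ACL permitting only the first 256 host addresses.
    print("/64, no ACL :", simulate("2001:db8::/64", 1024, 16, 5000))
    print("/126 link   :", simulate("2001:db8::/126", 1024, 1, 5000))
    print("/64 with ACL:", simulate("2001:db8::/64", 1024, 16, 5000, acl_allow_hosts=256))
```

In the first scenario 5000 distinct sweep targets push every resolved host out of a 1024-entry cache; in the second the sweep wraps around the same four addresses and can never exceed the cache; in the third the ACL drops all 5000 packets and the cache is untouched. The ACL case is the "first few hundred addresses" approach named in the post, with the consequence the post points out: anything above that offset is simply unreachable.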
