Update to BCP-38?

Mark Andrews marka at isc.org
Thu Oct 3 21:07:10 UTC 2019



> On 4 Oct 2019, at 12:10 am, Marco Davids (Private) via NANOG <nanog at nanog.org> wrote:
> 
> 
> On 03/10/2019 15:51, Stephen Satchell wrote:
> 
>> For a start, *add* IPv6 examples in parallel with the IPv4 examples.
> 
> 1000 times +1
> 
> We need (much) more IPv6 examples!

Have you read BCP-38?  Is there anything in there that really needs IPv6
examples to make it clear?

BCP-38 is “if the source address of the packet coming from the site isn’t an
address allocated to the site, drop the packet”.  I’m sure you can all figure
out how to do that with IPv6 as easily as with IPv4.

Now IPv6 examples are nice, but getting several 1000s of people to read a draft that
just adds addresses in the range 2001:DB8::/32 instead of 11.0.0.0/8, 12.0.0.0/8
and 204.69.207.0/24, and then getting the RFC editor to publish it, is quite frankly
a waste of time.

Do you really need examples of a TCP SYN Flood attack using IPv6 addresses instead
of IPv4 addresses?  Or the network diagram to be changed?



                               11.0.0.0/8
                                   /
                               router 1
                                 /
                                /
                               /                       204.69.207.0/24
         ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
          A          B         C        D         2
                    /
                   /
                  /
              router 3
                /
            12.0.0.0/8

  In other words, the ingress filter on "router 2" above would check:

    IF    packet's source address from within 204.69.207.0/24
    THEN  forward as appropriate

    IF    packet's source address is anything else
    THEN  deny packet

   Network administrators should log information on packets which are
   dropped. This then provides a basis for monitoring any suspicious
   activity.


                             2001:DB8:11::/48
                                   /
                               router 1
                                 /
                                /
                               /                       2001:DB8:204::/48
         ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
          A          B         C        D         2
                    /
                   /
                  /
              router 3
                /
          2001:DB8:12::/48

   In other words, the ingress filter on "router 2" above would check:

    IF    packet's source address from within 2001:DB8:204::/48
    THEN  forward as appropriate

    IF    packet's source address is anything else
    THEN  deny packet

   Network administrators should log information on packets which are
   dropped. This then provides a basis for monitoring any suspicious
   activity.

Mark

> --
> Marco
> (pushing for IPv6 examples since 2007 or so
> like in: https://youtu.be/OLEizGPoB5w?t=30)
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
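The "router 2" check from both diagrams above, as an added example that is not part of Mark's message or of BCP-38 itself: one ingress filter that handles the IPv4 and IPv6 site prefixes in the same code path and logs every drop, as the RFC recommends. The site prefixes are the ones in the diagrams; the packets and destination addresses are constructed for the demo.

```python
"""BCP-38 ingress filter for 'router 2': forward if the source address is
inside a prefix allocated to the site, otherwise deny and log.  Added
example; the prefixes come from the diagrams, the traffic is constructed."""
import ipaddress
from dataclasses import dataclass, field

# Prefixes allocated to the site behind router 2 (IPv4 and IPv6 diagrams).
SITE_PREFIXES = [
    ipaddress.ip_network("204.69.207.0/24"),
    ipaddress.ip_network("2001:DB8:204::/48"),
]


@dataclass
class IngressFilter:
    allowed: list
    drop_log: list = field(default_factory=list)

    def check(self, src: str, dst: str) -> str:
        """Return 'forward' if src lies in an allocated prefix, else 'deny'.
        ipaddress handles both families; a v4 address is never 'in' a v6
        network, so mixed prefix lists need no special casing."""
        src_addr = ipaddress.ip_address(src)
        if any(src_addr in net for net in self.allowed):
            return "forward"
        # Logging dropped packets gives the site a basis for spotting
        # spoofing attempts that originate inside its own network.
        self.drop_log.append(f"DROP src={src} dst={dst} not in site prefixes")
        return "deny"


def run_demo():
    """Run constructed traffic through the filter; returns (decisions, log)."""
    flt = IngressFilter(SITE_PREFIXES)
    packets = [
        ("204.69.207.10", "198.51.100.1"),       # legitimate IPv4 source
        ("2001:db8:204::10", "2001:db8:1::1"),   # legitimate IPv6 source
        ("11.0.0.5", "198.51.100.1"),             # spoofed: another site's prefix
        ("2001:db8:11::1", "2001:db8:1::1"),      # spoofed: another site's prefix
        ("10.0.0.1", "198.51.100.1"),             # spoofed: RFC 1918 space
    ]
    decisions = [flt.check(s, d) for s, d in packets]
    return decisions, flt.drop_log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```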