On Wed, Nov 30, 2011 at 3:13 PM, Owen DeLong <owen@delong.com> wrote:
> As such, I prefer to deploy IPv6 as it is today and resolve the bugs and the security issues along the way (much like we did with IPv4).
Why is the Hurricane Electric backbone using /126 link-nets, not /64? You used to regularly claim there are significant disadvantages to longer subnets. At best, you are still claiming there are no advantages. These are lies. Please, Owen, tell us why you aren't practicing what you preach.
> I haven't said that security issues should be ignored, either. Just that they should be viewed in a proper context and assessed with a realistic evaluation of the magnitude of the risk and the difficulty of mitigation.
You repeatedly claim that ND exhaustion is a non-issue. You also claim you have secret sauce to mitigate attacks. This, after you previously claimed that you were using common ACLs to mitigate attacks, and I showed you how that cannot be true. Your understanding of this problem has rocketed from totally clueless to having secrets you can't discuss. Except it isn't, because you are also advocating ... denying all traffic to all subnets except the first few hundred addresses. What a stellar plan! Just stop telling lies about this, Owen. That's all I'm asking. You, personally, are part of the problem. If the guy who is supposed to be the public-facing technical outreach guy for the self-described leader in IPv6 transit/hosting/etc services continues to go around claiming this is a non-issue, when it very clearly is, that is destructive, not helpful.
> What has also been lost here is that my description of the various mitigation tactics for ND exhaustion attacks depends on the type of network being protected. Strategies that work for point-to-point links (simple ACLs at the borders in most environments, for example) are not the same as strategies that work to protect client LANs (stateful firewalls with default deny inbound) or strategies necessary to protect server LANs (slightly more complex ACLs and other tactics).
You have no such "simple ACLs at the borders" on the Hurricane Electric network. In fact, your mitigation mechanism for the backbone is exactly what I recommend: deploy longer subnets. You don't have any mitigation mechanism for your hosting services, other than whack-a-mole. If anyone has trouble believing me, you can do what I did, and email Owen off-list. You can say, Owen, I'd like to subscribe to a Hurricane Electric dedicated server, get myself a /64, and DoS my own subnet, to see if that affects my box or any other nearby customers. The reply you'll get will be that your box will be powered off, because they have no mitigation strategy. Arguing in the abstract is all fun and games, but when you ask Owen to show you something that works in a real-world, production environment, he can't. That's because Owen's network design is not suitable for production use in his own environment with routers he claims to have selected in part based on their performance under ND attacks (another lie).

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
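Two of the mitigations argued over above are easy to make concrete: shrinking the link-net (/126 instead of /64) and the "permit only the first few hundred addresses of a server /64" ACL. The following is an added example, not code from either poster and not any Hurricane Electric configuration. It assumes a generic `permit`/`deny` ACL line format (vendor syntax differs), uses the constructed documentation prefix 2001:db8::/32, and shows how each tactic bounds the number of destinations a remote attacker can use to fill a router's neighbor cache.

```python
"""Added example: subnet length vs. ND-cache exposure, plus an ACL generator
for the "permit the first N addresses of a server /64" tactic.

Assumptions (not from the original thread): a generic permit/deny ACL line
format rather than any specific vendor's syntax, and the constructed
documentation prefix 2001:db8::/32 for all sample networks.
"""
import ipaddress


def targetable_addresses(prefix: str) -> int:
    """Distinct on-link destinations a remote sender can aim packets at.

    Every unresolved destination makes the router solicit and park an
    INCOMPLETE neighbor-cache entry, so this number is the attacker's
    working set: 2**64 for a /64, 4 for a /126, 2 for a /127.
    """
    return ipaddress.IPv6Network(prefix, strict=False).num_addresses


def covering_prefix(subnet: str, n: int) -> ipaddress.IPv6Network:
    """Smallest prefix starting at the subnet base that covers >= n addresses.

    n is rounded up to a power of two: the first 256 addresses of a /64
    fit in a /120, the first 300 need a /119 (512 addresses).
    """
    if n < 1:
        raise ValueError("n must be positive")
    net = ipaddress.IPv6Network(subnet, strict=False)
    plen = 128
    while (1 << (128 - plen)) < n:
        plen -= 1
    if plen < net.prefixlen:
        raise ValueError("n exceeds the subnet size")
    return ipaddress.IPv6Network((int(net.network_address), plen))


def acl_lines(subnet: str, n: int, name: str = "ND-GUARD") -> list:
    """Generic ACL: permit the first n addresses, deny the rest of the subnet.

    Returns an empty list when the permitted block is the whole subnet,
    which is the /126 or /127 link-net case: the subnet itself is the guard.
    """
    keep = covering_prefix(subnet, n)
    whole = ipaddress.IPv6Network(subnet, strict=False)
    if keep == whole:
        return []
    return [
        f"ipv6 access-list {name}",
        f" permit ipv6 any {keep}",
        f" deny ipv6 any {whole}",
        " permit ipv6 any any",
    ]


def is_dropped(subnet: str, n: int, dst: str) -> bool:
    """Would the ACL from acl_lines() drop a packet addressed to dst?

    Addresses outside the subnet are never this ACL's concern; inside it,
    anything past the permitted block is dropped before ND is triggered.
    """
    addr = ipaddress.IPv6Address(dst)
    whole = ipaddress.IPv6Network(subnet, strict=False)
    return addr in whole and addr not in covering_prefix(subnet, n)


if __name__ == "__main__":
    for p in ("2001:db8::/64", "2001:db8::/126", "2001:db8::/127"):
        print(f"{p:<18} targetable destinations: {targetable_addresses(p)}")
    server_lan = "2001:db8:1::/64"
    print("\n".join(acl_lines(server_lan, 256)))
    kept = covering_prefix(server_lan, 256)
    print(f"exposure after ACL: {kept.num_addresses} addresses in {kept}")
    for dst in ("2001:db8:1::ff", "2001:db8:1::100", "2001:db8:1::dead:beef"):
        print(f"{dst:<24} dropped={is_dropped(server_lan, 256, dst)}")
```

The point the numbers make: a /126 link-net leaves four resolvable destinations with no ACL at all, while the server-LAN ACL shrinks a /64's 2**64 targets to the permitted block (256 here), at the cost of having to renumber or widen the permit when the LAN outgrows it.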