On 4 Oct 2019, at 12:10 am, Marco Davids (Private) via NANOG <nanog@nanog.org> wrote:
> On 03/10/2019 15:51, Stephen Satchell wrote:
>> For a start, *add* IPv6 examples in parallel with the IPv4 examples.
>
> 1000 times +1
> We need (much) more IPv6 examples!
Have you read BCP-38? Is there anything in there that really needs IPv6 examples to make it clear? BCP-38 is “if the source address of the packet coming from the site isn’t an address allocated to the site, drop the packet”. I’m sure you can all figure out how to do that with IPv6 as easily as with IPv4.

Now IPv6 examples are nice, but getting several 1000’s of people to read a draft that just adds addresses in the range 2001:DB8::/32 instead of 11.0.0.0/8, 12.0.0.0/8 and 204.69.207.0/24, then to get the RFC editor to publish it, is quite frankly a waste of time.

Do you really need examples of a TCP SYN Flood attack using IPv6 addresses instead of IPv4 addresses? Or the network diagram to be changed?

                          11.0.0.0/8
                              /
                          router 1
                            /
                           /
                          /                              204.69.207.0/24
    ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
     A          B         C        D         2
                        /
                       /
                      /
                  router 3
                    /
                12.0.0.0/8

In other words, the ingress filter on "router 2" above would check:

    IF    packet's source address from within 204.69.207.0/24
    THEN  forward as appropriate

    IF    packet's source address is anything else
    THEN  deny packet

Network administrators should log information on packets which are dropped. This then provides a basis for monitoring any suspicious activity.

                          2001:DB8:11:/48
                              /
                          router 1
                            /
                           /
                          /                              2001:DB8:204:/48
    ISP <----- ISP <---- ISP <--- ISP <-- router <-- attacker
     A          B         C        D         2
                        /
                       /
                      /
                  router 3
                    /
                2001:DB8:12:/48

In other words, the ingress filter on "router 2" above would check:

    IF    packet's source address from within 2001:DB8:204:/48
    THEN  forward as appropriate

    IF    packet's source address is anything else
    THEN  deny packet

Network administrators should log information on packets which are dropped. This then provides a basis for monitoring any suspicious activity.

Mark
> -- Marco (pushing for IPv6 examples since 2007 or so like in: https://youtu.be/OLEizGPoB5w?t=30)
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
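
The "router 2" check from the message above, as an added example that is not part of the original thread: one source-address test applied to both address families, with dropped packets kept for monitoring. The function names, the sample packets and their destination addresses are constructed for illustration, and the IPv6 site prefix is written here as 2001:db8:204::/48.

```python
import ipaddress
from collections import Counter

# Prefixes allocated to the site behind "router 2" (taken from the message;
# the IPv6 prefix is written here as 2001:db8:204::/48).
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("204.69.207.0/24", "2001:db8:204::/48")]


def ingress_permits(src, prefixes=SITE_PREFIXES):
    """Return True if src lies inside a prefix allocated to the site."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: deny
    # Only prefixes of the same address family can match, so an IPv4-mapped
    # IPv6 source such as ::ffff:204.69.207.9 is denied, not treated as IPv4.
    return any(addr.version == net.version and addr in net for net in prefixes)


def filter_packets(packets, prefixes=SITE_PREFIXES):
    """Split (src, dst) pairs into forwarded packets and a log of drops."""
    forwarded, dropped = [], []
    for src, dst in packets:
        target = forwarded if ingress_permits(src, prefixes) else dropped
        target.append((src, dst))
    return forwarded, dropped


def drop_summary(dropped):
    """Count dropped packets per claimed source address, for monitoring."""
    return Counter(src for src, _ in dropped)


# Constructed sample traffic arriving on the site-facing side of router 2.
SAMPLE = [
    ("204.69.207.17", "192.0.2.80"),               # legitimate IPv4 source
    ("11.1.2.3", "192.0.2.80"),                    # spoofed: prefix behind router 1
    ("11.1.2.3", "192.0.2.80"),
    ("2001:db8:204::25", "2001:db8:ffff::1"),      # legitimate IPv6 source
    ("2001:db8:12::1", "2001:db8:ffff::1"),        # spoofed: prefix behind router 3
    ("::ffff:204.69.207.9", "2001:db8:ffff::1"),   # IPv4-mapped source: denied
]

if __name__ == "__main__":
    fwd, drops = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    for src, count in drop_summary(drops).most_common():
        print(f"dropped {count} packet(s) claiming source {src}")
```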