This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment

Previous message (by thread): [ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment
Next message (by thread): [ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Nash, Steve snash at arbor.net
Fri Jan 7 09:52:14 CET 2011

Eric
I agree with you that it would be excessive to make flow records mandatory on Residential CPE.
However the Introduction says that the document is BCP for "governments and large enterprises" so I had considered residential CPE out-of-scope.

To achieve the objectives you state of "secure,..and manageable..." I would say that instrumentation is essential.

It is possible to identify devices more specifically.
Mandatory should apply to:
1/ layer3 devices that are to be AS border routers
2/ layer3 CPE WAN-edge devices where the site offers service to off-site clients (and is therefore vulnerable to denial of service attacks)

Most large enterprises today use flow instrumentation in IPv4, so overlooking it for v6 might be a mistake.
If an organisation is convinced that it will not make use of flow data, then it can choose to ignore this recommendation, like any other in the document.

I had not viewed this requirement as restrictive to vendor selection, as all the major vendors support flow (especially Cisco).  But the requirement will help buyers to size equipment appropriately and avoid purchasing something in the short-term that is inadequate for the life of the device.

Regards
Steve

From: Eric Vyncke (evyncke) [mailto:evyncke at cisco.com]
Sent: 05 January 2011 11:38
To: Nash, Steve; ipv6-wg at ripe.net
Subject: RE: [ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment

Steve,

Do not you think that this is going too far? Especially if everyone is adding his/her own requirements...

For example, I cannot imagine a residential CPE having any kind of flow export ;-)

I would prefer to have RIPE-501 focus on the bare minimum requirements in order to get IPv6 deployed as soon as possible: this means enough requirements to be deployed in a secure, interoperable and manageable way but no more as we (at least I) prefer to have multiple 'compliant' devices.

Hope this helps and does not sound to vendor originated (see my affiliation)

-éric


From: ipv6-wg-admin at ripe.net [mailto:ipv6-wg-admin at ripe.net] On Behalf Of Nash, Steve
Sent: mercredi 5 janvier 2011 10:40
To: ipv6-wg at ripe.net
Subject: [ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment

Regarding:
http://www.ripe.net/ripe/docs/ripe-501.html

I find no mention of flow instrumentation in the November 2010 document.

I suggest that "router and layer 3 switch" Mandatory support should include maintenance and export of flow records , ideally compliant with rfc 3917, with sampling rate capability of at least 1 per 1000 packets, at the maximum packet rate of the device.

Regards
Steve Nash
________________________
Steve Nash CEng MIET
Consulting Engineer
Arbor Networks
office +44 118 967 4917
mobile +44 772 029 1359
www.arbornetworks.com<http://www.arbornetworks.com/>

How networks grow(tm)
________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/ipv6-wg/attachments/20110107/7c979e0d/attachment.html>

Previous message (by thread): [ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment
Next message (by thread): [ipv6-wg] "Requirements For IPv6 in ICT Equipment" comment

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ipv6-wg Archives ]