[c-nsp] IPv6 - Using link-local addresses for BGP Peering
Gert Doering
gert at greenie.muc.de
Thu Mar 15 09:04:54 EDT 2012
Hi,
On Thu, Mar 15, 2012 at 01:16:26PM +0100, Peter Subnovic wrote:
> we will be having our first BGP Peering over IPv6 in the near future and
> would like to know if there is a general consensus whether or not to use
> link-local addresses for the Peering.
All peering links we have today use global addresses.
There's a couple of drafts in IETF about using link-locals, but it
"feels wrong". I don't particularly like link-locals in the context
of BGP.
[..]
> Where they say it is not recommended to establish the peering over
> link-local addresses, but couldn't grasp the reasoning behind that.
One of the problems I have with it is that you can't easily map the
nexthop IP address to a "network", but you always need additional
information, that is "fe80::1234 on *this* interface". And you tie
your BGP config to a particular interface, so if you move the peering
link somewhere else, you need to do more than just move the cable
and the interface config.
[..]
> 2) What is the (from an operational and security pov) best way to set up
> the BGP Peering?
We do IPv6 peerings pretty much the same way we do IPv4. Proper anti-spoofing
filters, where applicable. MD5 if the other side asks for it. Proper
ingress prefix filters on customer links (strict filtering by IRR DB) and
max-prefix settings plus basic anti-bogon garbage filters on peers/uplinks.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
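
[Added example, not part of the original post and not the poster's configuration.] The inbound policy listed in the reply (strict IRR-based filtering on customer sessions, anti-bogon filters plus max-prefix on peers/uplinks), modelled in Python. The bogon list, the /48 length limit, the function names and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

# Constructed, deliberately short bogon list for illustration. A production
# list is longer and also covers 2001:db8::/32, which this sample uses as
# stand-in customer address space.
BOGONS = [ipaddress.ip_network(p) for p in
          ("::/8", "fc00::/7", "fe80::/10", "ff00::/8")]
MAX_LEN = 48  # assumption: longest prefix length accepted from anyone


def check_prefix(prefix, irr_allowed=None):
    """Return (accepted, reason) for one received prefix.

    irr_allowed: set of IPv6Network built from the customer's IRR route6
    objects (strict, exact match). None means a peer/uplink session, where
    only the bogon and length filters apply.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6:
        return False, "not-ipv6"
    if net.prefixlen == 0:
        return False, "default-route"
    if net.prefixlen > MAX_LEN:
        return False, "too-specific"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon"
    if irr_allowed is not None and net not in irr_allowed:
        return False, "not-in-irr"
    return True, "ok"


def run_session(announced, max_prefix, irr_allowed=None):
    """Apply the filters to a list of announcements and enforce max-prefix.

    Assumption: the limit counts prefixes that passed the filters; the
    session is torn down as soon as the count exceeds it.
    """
    accepted, rejected = [], []
    for prefix in announced:
        ok, reason = check_prefix(prefix, irr_allowed)
        if not ok:
            rejected.append((prefix, reason))
            continue
        accepted.append(prefix)
        if len(accepted) > max_prefix:
            return "teardown", accepted, rejected
    return "up", accepted, rejected
```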