Date and Time: UTC 15:00, Friday March 13, 2015
Convenor: Bin Hu (AT&T)
Both Jonne and Bin looked into Cisco's article IPv6 First-Hop Security. Both felt that this is a good article about the potential threats/concerns at the first-hop of IPv6 infrastructure. We need to have a deep dive of their solution and guidelines to decide whether or not we need to this feature.
Jonne got the action to further look into the need of IPv6 First-Hop security feature.
Sridhar shared a bug report and a set of patches with regard to ARP spoofing. Sridhar got an action of further looking into those patches, and will report his findings of how well IPv6 First-Hop Security can be addressed in those patches, and if there is any gaps.
Mark updated the terminology in the diagram. The others are work in progress, and will give further update next week.
Sridhar shared his findings in mailing list. The conclusion is that because of the anti-spoofing rule, we will not be able to run a router (i.e., forwarding use-case) inside the VM. In-order to support this requirement, we would need the port-security extension proposed for kilo.
The group discussed alternatives. The consensus is that we may need a small patch for Neutron to disable the anti-spoofing rule in Juno in order to achieve a successful demo. Sridhar got an action to provide this patch.