Eric

I agree with you that it would be excessive to make flow records mandatory on Residential CPE.

However the Introduction says that the document is BCP for “governments and large enterprises” so I had considered residential CPE out-of-scope.

To achieve the objectives you state of “secure,..and manageable...” I would say that instrumentation is essential.

It is possible to identify devices more specifically.

Mandatory should apply to:

1/ layer3 devices that are to be AS border routers

2/ layer3 CPE WAN-edge devices where the site offers service to off-site clients (and is therefore vulnerable to denial of service attacks)

Most large enterprises today use flow instrumentation in IPv4, so overlooking it for v6 might be a mistake.

If an organisation is convinced that it will not make use of flow data, then it can choose to ignore this recommendation, like any other in the document.

I had not viewed this requirement as restrictive to vendor selection, as all the major vendors support flow (especially Cisco).  But the requirement will help buyers to size equipment appropriately and avoid purchasing something in the short-term that is inadequate for the life of the device.

Regards

Steve

Steve,

Do not you think that this is going too far? Especially if everyone is adding his/her own requirements...

For example, I cannot imagine a residential CPE having any kind of flow export ;-)

I would prefer to have RIPE-501 focus on the bare minimum requirements in order to get IPv6 deployed as soon as possible: this means enough requirements to be deployed in a secure, interoperable and manageable way but no more as we (at least I) prefer to have multiple ‘compliant’ devices.

Hope this helps and does not sound to vendor originated (see my affiliation)

-éric