Re: [arch-d] ipv4 and ipv6 Coexistence.

Dear architecture-discuss,

This is the address for Pekka Nikander's "Reflections on Architecture" I
mentioned above:

https://www.ietfjournal.org/reflections-on-architecture/

Regard,
Guntur Wiseno Putra

Pada Kamis, 27 Februari 2020, Guntur Wiseno Putra <gsenopu@gmail.com>
menulis:

> Dear architecture-discuss,
>
> I am struggling to read on what Pekka Nikkander made about "IPv4 & IPv6"
> in "Reflection on Architecture" (2005) where he mentioned about the time of
> architecture-discuss' beginning:
>
>
> (P. Nikander:)
>
> "...Looking at the network of today, I strongly feel the pain of the
> current architecture’s cracking and squeaking. Consequently, I believe that
> we – the wider IETF community responsible for Internet technology – need to
> re-think the architecture. We need to find a way to re-create the core of
> the Internet in a way that leads to a new era of innovation and
> intellectual prosperity....
>
> ... ( What we perhaps don’t consider very often is the fact that there are
> huge asset values embedded in various parts of the network.)As the
> slower-than-expected migration to IPv6 has amply demonstrated, some parts
> of the current Internet are painfully hard to change. This makes any
> long-term architectural thinking and planning difficult.
>
> (While we can at most work towards understanding emergent complexity in
> the first place, there is a great deal we can do about architectural
> complexity... )
>
> ... We need some kind of an architectural vision and a related transition
> path; an idea of where we are heading and perhaps how we could get there.
>
> My vision includes peaceful co-existence of both IPv4 and IPv6 for a
> fairly long time to come. While I would like to see a day when the last
> IPv4 node is shut down, it is more likely that only future generations will
> see that happening. In my vision it is possible to use any application I
> want wherever I am and whatever kind of connection I may have. Indeed, I
> imagine being able to use multiple wireless networks most of the time, and
> at least one almost always. I dream of once more being able to communicate
> with anyone, anywhere on the Internet, independent of the application we
> want to use, not artificially hindered by NATs or other non-premeditated
> middle boxes. Finally, in my vision we have baseline security as a built-in
> feature of the architecture, providing cryptographically strong end-to-end
> security and sufficient hooks for attaching different kinds of security
> infrastructures, some based on organisational management and some based on
> grassroots attempts to model interpersonal human trust relationships with
> decentralised authorisation systems.
>
> It looks very likely that fulfilling my vision requires adding a new
> layer, a new “waist”, to the architecture [7]. We have to implement
> mobility, multi-homing, and the envisioned baseline security somewhere in
> the stack. If we want connectivity to span the partition between IPv4 and
> IPv6 networks, it looks necessary to build the functionality on the top of
> the existing hop-by-hop functionality of the IP layer....
>
> (Once we start to consider how to introduce the changes needed to progress
> towards any vision, it becomes apparent that the two hardest-to-change
> assets are the existing routing infrastructure and the set of all existing
> applications. But network transparency is exactly what we should
> re-establish...)
>
> Using a term that Brian Carpenter recently coined, I propose that we aim
> at providing new Architected Network Transparency (ANT). There seem to be
> three or four potential migration paths towards ANT. One possibility is to
> utilise a Cryptographically Generated Addresses (CGA) [8] based security
> model in the IPv6 Site Multi-homing by Inter-Mediation (SHIM6) [9] to
> provide end-to-end security and mobility even when IPv6 traffic is
> shimmed....
>
> ... (Toward the ANT) One possible means might be Keyed Hash Identifiers
> (KHI, pronounced as the Greek letter ?) [14], currently subject to heated
> debate in the int-area and ipv6 mailing lists. Whether KHIs should be
> considered as an important but transitory stepping stone or as despicable
> opening of the flood gates to occupy the IPv6 address space with varmints
> remains to be seen.
>
> ...".
>
>
>
>
>
>
>
> Regard,
> Guntur Wiseno Putra
>
> Pada Kamis, 27 Februari 2020, Toerless Eckert <tte@cs.fau.de> menulis:
>
>> On Wed, Feb 26, 2020 at 10:45:29AM +0000, Stephen Farrell wrote:
>> > On 26/02/2020 10:21, Stewart Bryant wrote:
>> > > "The head of MI5 has urged technology companies to give the security
>> > > services â?????exceptionalâ???  access to encrypted messages
>> >
>> > And in other, equally shocking, news: the sun will rise tomorrow;-)
>>
>> https://en.wikipedia.org/wiki/The_empire_on_which_the_sun_never_sets
>> ;-))
>>
>> > If you do want to rehash the cryptowars debate again,
>>
>> Not at all. But for example enterprises often use HTTPs proxies
>> for firewalling, intrusion detection, proprietary data leakage
>> prevention and the like. I am not aware we have stablished standards
>> for such desirable behavior. In fact there are issues with the expected
>> end-to-end krypto security when you bring in such trusted middle-men.
>> (e.g.: undesirable cert spoofing). There are no browser standards
>> for a three party trust-model AFAIK.
>>
>> Right now, we have only those global commercial players positioning
>> them as trusted third parties. Even DoH IMHO falls into this play.
>> And then selling customer data collected, at least when they have
>> some entity operating outside europe (GDPR data leakage prevention).
>>
>> All those IoT devices that export unbeknownst do the user all type
>> of collected user data to a cloud. We could come up with mandatory
>> published data models, force the connection through a trusted third
>> party device that can then do semantic filtering. Aka: i rather
>> want to be able to control than just trust GDPR statements.
>>
>> Likewise i think we could define better behaving firewall policies
>> in the fashion did it for NAT with BEHAVE, e.g.: more visibility
>> of policy for better diagnostics.
>>
>> Etc. pp. Just brainstorm what positive evolution we could promote
>> through IETF work for more security. The IETF end-to-end encryption
>> laurels nice but not enough.
>>
>> > maybe at least change the subject line? If doing so,
>> > and I hope you decide not to, because there's no gain,
>> > please recognise that there are many (me included) who
>> > do not share the views you quoted for sound technical
>> > reasons (e.g. [1] is perhaps the most-cited recent
>> > paper on that) that have garnered rough consensus in
>> > the IETF every time we've done that rehashing.
>>
>> Stating that we would like to see IETF solve problems doesnt
>> mean we agree to those regurgitated security agency memes.
>> Instead, i see these memes as the real risks, because the
>> public has shown to give in to the ongoing "tough on crime"
>> pounding with really bad outcomes. So we really need better,
>> alternative models for more security in addition to the
>> ongoing push back against that type of nonsense.
>>
>> Cheers
>>     Toerless
>>
>> > S.
>> >
>> > [1] Abelson, Harold, et al. "Keys under doormats: mandating insecurity
>> > by requiring government access to all data and communications." Journal
>> > of Cybersecurity 1.1 (2015): 69-79.
>> > https://www.cs.yale.edu/homes/jf/paper-keys-under-doormats-CSAIL.pdf
>> >
>> >
>> >
>> >
>> >
>>
>> pub   RSA 4096/7B172BEA 2017-12-22 Stephen Farrell (2017) <
>> stephen.farrell@cs.tcd.ie>
>> > sub   RSA 4096/36CB8BB6 2017-12-22
>> >
>>
>>
>>
>>
>> > _______________________________________________
>> > Architecture-discuss mailing list
>> > Architecture-discuss@ietf.org
>> > https://www.ietf.org/mailman/listinfo/architecture-discuss
>>
>>
>> --
>> ---
>> tte@cs.fau.de
>>
>> _______________________________________________
>> Architecture-discuss mailing list
>> Architecture-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/architecture-discuss
>>
>