IETF Logo Mail Archive

Re: [GROW] WGLC: draft-ietf-grow-private-ip-sp-cores

Tony Tauber <ttauber@1-4-5.net> Wed, 13 June 2012 12:27 UTC

Return-Path: <ttauber@1-4-5.net>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7738B21F8593 for <grow@ietfa.amsl.com>; Wed, 13 Jun 2012 05:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.71
X-Spam-Level:
X-Spam-Status: No, score=-100.71 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CrDQK1wj84rz for <grow@ietfa.amsl.com>; Wed, 13 Jun 2012 05:27:12 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1A73121F8534 for <grow@ietf.org>; Wed, 13 Jun 2012 05:27:12 -0700 (PDT)
Received: by obbeh20 with SMTP id eh20so974160obb.31 for <grow@ietf.org>; Wed, 13 Jun 2012 05:27:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=CzJ1XRtwhljCzvmVKiz69idcXqAL5Aul1KN6ccWb3kQ=; b=Nc180K3GS4gQtgrktatI0buelAbUAZJ0+p38KGgoQGsvFEq/VP2Wi8NU+7StOlHjR7 HCYS+a9s3a8zEJoo40al8aW/SJbKW01OXKRxACF5HDQv5ZZ0z7BmlQtcgV6d02DCJB82 06zO3aLg4+OL9a6f8kgQikmblDXg//59PDYdP3IyPS9e92lMOfVnDzoi1AA18OeouThF XFj+Bv72iC54s0Ya3C46vsxyZC3uR1aGM6rOlmuVWbrz1eJJxMDT8/5hyhcM5BjAMVvF Lz31hfvmOv5xlxfH3ChRGIoLMJyoGn8SXT4ldrCfrkcFHbJvaieNCVDoJwVKbr2gH/n8 VRjg==
MIME-Version: 1.0
Received: by 10.182.47.66 with SMTP id b2mr24334098obn.2.1339590431478; Wed, 13 Jun 2012 05:27:11 -0700 (PDT)
Received: by 10.76.124.204 with HTTP; Wed, 13 Jun 2012 05:27:11 -0700 (PDT)
X-Originating-IP: [24.104.152.66]
In-Reply-To: <4FD8726A.6040509@anthony-kirkham.com>
References: <CAL9jLabADdWCwDhBdaBJ4fVdk9a=OeJQYFQM4Z_+-P56cVWftw@mail.gmail.com> <01e301cd4580$208f3900$4001a8c0@gateway.2wire.net> <B01905DA0C7CDC478F42870679DF0F101105C4C714@qtdenexmbm24.AD.QINTRA.COM> <4FD8726A.6040509@anthony-kirkham.com>
Date: Wed, 13 Jun 2012 08:27:11 -0400
Message-ID: <CAGQUKceQo3neZB7TTvCHK9hkM41ftNJaHx4dRXsVuYjhJa+5eQ@mail.gmail.com>
From: Tony Tauber <ttauber@1-4-5.net>
To: tkirkham@anthony-kirkham.com
Content-Type: multipart/alternative; boundary="14dae93998cdd013e504c259b38e"
X-Gm-Message-State: ALoCoQmpLQVmVWZR6vkwN/E3TNQI+1sFTzMaWGkXU58cTnE+7A+8pjUqgl/z6ZZ3nf1YFOAb3S90
Cc: "grow@ietf.org" <grow@ietf.org>, "grow-chairs@tools.ietf.org" <grow-chairs@tools.ietf.org>
Subject: Re: [GROW] WGLC: draft-ietf-grow-private-ip-sp-cores
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/grow>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2012 12:27:13 -0000

Using squat/stolen space will mean ICMP messages from the SP core wouldn't
be able to reach the legitimate address holder's network but neither would
traffic of the customers of that SP.  I don't believe that the same is true
of "private" space; so there are actually _more_ problems with the "squat"
approach.

In general, big fan, support publication.

Thanks,

Tony T.

On Wed, Jun 13, 2012 at 6:58 AM, Anthony Kirkham <
tkirkham@anthony-kirkham.com> wrote:

> Donald,
>
> Thanks for the review, I plan to do another update in the next few days,
> I'm just waiting to see if any further feedback arrives.
>
> A couple of specific comments:
>
> re - squat space. The intent was not to make recommendations on the
> practice, just to document the effects.
>
> re - 5. Unexpected interactions with some NAT implementations: What you
> say is exactly what I intended to illustrate. I will update the wording so
> its clear I'm not talking about a routing loop.
>
> Regards
> Tony K
>
>
> On 9/06/12 7:17 AM, Smith, Donald wrote:
>
>> There is a mention of "squat" space that doesn't make any recommendations
>> as to use or not.
>>
>> I can understand not expressing an opinion on the rfc1918/private space
>> shouldn't this state that squating is bad?
>> "This effect in itself is often not a problem.  However, if anti-
>>    spoofing controls are applied at network perimeters, then responses
>>    returned from hops with private IP addresses will be dropped."
>>
>> Any rfc1918 filtering mechinisim will cause this issue not just bcp38
>> type anti-spoofing.
>> Firewalls, junipers and many platforms drop rfc1918 space but not as part
>> of bcp38 .
>> BTW BCP84 ala rfc3704 is an update/addition to bcp38 you should probably
>> add them to this reference.
>>
>>
>> And for consistecy I recommend using an expression such as "any rfc1918
>> or bogon filtering..."
>>
>> Under section 4 the author says urpf or ingress filtering.
>> "If the router's interface address is a
>>    private IP address, then this ICMP reply packet may be discarded due
>>    to uRPF or ingress filtering, thereby causing the PMTUD mechanism to
>>    fail."
>>
>> Under
>> 5. Unexpected interactions with some NAT implementations
>> The first section works. As stated it might confuse someone but honestly
>> unless the 4th hop also matches the 2 hop it doesn't look like a routing
>> loop to me. It looks like rfc1918 reuse.
>>
>>
>> Type escape sequence to abort.
>>    Tracing the route to 198.51.100.100
>>
>>      1 10.1.1.2 0 msec 0 msec 0 msec
>>      2 198.51.100.13 0 msec 4 msec 0 msec
>>      3 10.1.1.2 0 msec 4 msec 0 msec<<<<
>>      4 198.51.100.5 4 msec 0 msec 4 msec
>>      5 198.51.100.1 0 msec 0 msec 0 msec
>>
>> Section 6 references rfc2827 should probably include bcp84 and rfc3704.
>>
>> Your first example of a security gap is really a no worse if you use
>> private or public addresss but you call that out so I am ok with it.
>>
>> NIT
>> This:
>> Some applications discover the outside address of
>>    their local CPE to determine if that address is reserver for special
>>    use.
>> Should be this:
>> Some applications discover the outside address of
>>    their local CPE to determine if that address is reserved for special
>>    use.
>>
>>
>> When packets collide the controllers cease transmission AND wait a random
>> time before retransmission (mostly)!
>> Donald.Smith@CenturyLink.com
>>
>>
>>  -----Original Message-----
>>> From: grow-bounces@ietf.org [mailto:grow-bounces@ietf.org] On Behalf Of
>>> t.petch
>>> Sent: Friday, June 08, 2012 8:06 AM
>>> To: Christopher Morrow; grow-chairs@tools.ietf.org; grow@ietf.org
>>> Subject: Re: [GROW] WGLC: draft-ietf-grow-private-ip-sp-**cores
>>>
>>> I would like to see this published as an RFC.
>>>
>>> The only discussion I see whether or not the title of 12.2 should have
>>> an initial capital - I think that it should.
>>>
>>> Tom Petch
>>>
>>> ----- Original Message -----
>>> From: "Christopher Morrow"<christopher.morrow@**gmail.com<christopher.morrow@gmail.com>
>>> >
>>> To:<grow-chairs@tools.ietf.org**>;<grow@ietf.org>
>>> Sent: Tuesday, June 05, 2012 7:41 PM
>>>
>>>> Folks,
>>>> There's been work on the draft:
>>>>    <http://tools.ietf.org/html/**draft-ietf-grow-private-ip-sp-**cores<http://tools.ietf.org/html/draft-ietf-grow-private-ip-sp-cores>
>>>> >
>>>>
>>>> I think the commenters' comments were addressed by the authors.
>>>> Can we move this to WGLC now and clear that 6/19/2012 (June 19,
>>>>
>>> 2012).
>>>
>>>> Abstract of the draft:
>>>>   "The purpose of this document is to provide a discussion of the
>>>>    potential problems of using private, RFC1918, or non-globally-
>>>>    routable addressing within the core of an SP network.  The
>>>>
>>> discussion
>>>
>>>>    focuses on link addresses and to a small extent loopback
>>>>
>>> addresses.
>>>
>>>>    While many of the issues are well recognised within the ISP
>>>>    community, there appears to be no document that collectively
>>>>    describes the issues."
>>>>
>>>> Could there be some discussion on WGLC and  we'll see about  moving
>>>> this along to the IESG?
>>>>
>>>> -chris
>>>> ______________________________**_________________
>>>> GROW mailing list
>>>> GROW@ietf.org
>>>> https://www.ietf.org/mailman/**listinfo/grow<https://www.ietf.org/mailman/listinfo/grow>
>>>>
>>>>
>>> ______________________________**_________________
>>> GROW mailing list
>>> GROW@ietf.org
>>> https://www.ietf.org/mailman/**listinfo/grow<https://www.ietf.org/mailman/listinfo/grow>
>>>
>> This communication is the property of CenturyLink and may contain
>> confidential or privileged information. Unauthorized use of this
>> communication is strictly
>> prohibited and may be unlawful.  If you have received this communication
>> in error, please immediately notify the sender by reply e-mail and destroy
>> all copies of the communication and any attachments.
>> ______________________________**_________________
>> GROW mailing list
>> GROW@ietf.org
>> https://www.ietf.org/mailman/**listinfo/grow<https://www.ietf.org/mailman/listinfo/grow>
>>
>>
>>
>
> --
>
>
> ______________________________**_________________
> GROW mailing list
> GROW@ietf.org
> https://www.ietf.org/mailman/**listinfo/grow<https://www.ietf.org/mailman/listinfo/grow>
>

v2.23.0 | Report a Bug | By Email