Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Ray Hunter <v6ops@globis.net> Fri, 10 January 2014 10:50 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A03E1AD67C for <ipv6@ietfa.amsl.com>; Fri, 10 Jan 2014 02:50:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.521
X-Spam-Level:
X-Spam-Status: No, score=-0.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 88KEa1o3z3ts for <ipv6@ietfa.amsl.com>; Fri, 10 Jan 2014 02:50:23 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id CC3BD1ACCEA for <ipv6@ietf.org>; Fri, 10 Jan 2014 02:50:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 87C678714A3; Fri, 10 Jan 2014 11:50:10 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T7PZXk3aeFQc; Fri, 10 Jan 2014 11:50:10 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 5E9E1870F98; Fri, 10 Jan 2014 11:50:10 +0100 (CET)
Message-ID: <52CFD061.6080807@globis.net>
Date: Fri, 10 Jan 2014 11:50:09 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net> <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com> <52CECC76.1030706@globis.net> <CAKD1Yr3rvnDRPpkBEV4EVrrSAQYLutGg0qoweZkKv5em=4-dRw@mail.gmail.com> <52CFAB11.4070404@globis.net> <CAKD1Yr0PTXRRBwLWJfA77hv2WnmPZXqn72ahmhm4RbN3MpLkig@mail.gmail.com>
In-Reply-To: <CAKD1Yr0PTXRRBwLWJfA77hv2WnmPZXqn72ahmhm4RbN3MpLkig@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 10:50:24 -0000
> Lorenzo Colitti <mailto:lorenzo@google.com> > 10 January 2014 09:59 > > IPv6 /64 breaks address scarcity. > > > Wait, maybe I see your position now. You're thinking of a transit > network, and you want to limit the number of addresses assigned at the > edge so the middleboxes can cope? Not just middleboxes. Any process that tracks anything on the basis of an IP address. As a simple example, think of a mail server. Mail servers get abused. They can generally handle themselves. To mitigate resource depletion, postfix runs an "anvil" process in memory. It's a light weight process that simply tracks the number of recent connections in memory from each source IPv4 /32 for a short period. When an individual IPv4 source address sends "too many requests too quickly", postfix does not even open the TCP session with this client. The main postfix process daemon can then continue to serve other well-behaved nodes whilst the rogue node is "shut out". With IPv6 /64, and massively oversized allocations, that defence approach is invalidated, because the anvil process itself becomes a weakness, as it cannot track to /128. You could possibly track at /64, although even that might be too big to handle in memory, with the consequence that one rogue node can create false positives, and take down a whole LAN or site. How do you know that the remote rogue site or rogue host is a single /64 and not a /52 or /56 or /48? Do you track all of the above simultaneously? That has potential for even bigger false positives. In general, if you want to provide a third party access to your mail server or other server for information exchange, you probably want some way of throttling access at the Network Network Interface (NNI) from individual rogue nodes without cutting off well-behaved nodes. Or alternatively, providing preferential access to well-behaved nodes, with WFQ-like solutions. Either way you need to be able to differentiate and track node behaviour at a fairly granular level. Address scarcity has some upside too, in that it limits attack source surface, and allows tracking at node level, and I do not feel that has been sufficiently acknowledged. Registration of "well-behaved nodes" could be another potential approach. Perhaps leveraging AD forests. > > But I still don't understand. In most cases, in such a transit network > you can't do individual machine tracking already because machines are > behind NATs. So why is it so important to track every machine in IPv6? > In the areas I work in, they are inter-enterprise connections to trusted 3rd parties. We try to avoid NAT wherever possible (isn't that the right thing to do? ;) We even use registered addresses on the inside and outside. Security people want as tight a filter as possible. It cannot be the case that a technical problem in a trusted third party spills over into your enterprise, even if this is protected contractually. It's a real nice have to have some upper limit of possible source addresses or sessions for scaling of logs/ scanners/ network intrusion detection systems etc. Otherwise the middleboxes themselves can fall over. It's would also be nice to know who these people are (admittedly we only "know" that today due to some level of trust linked to address allocation schemes e.g. this person is assigned this IPv4address in DHCP or via their SSL VPN connection login). Some of that could be translated into IPv6 with prefix lengths >>64e.g.: an SSL VPN with a /127 = a person. IPv4 and IPv6 is probably not the layer where this identity link should be established, but it's generally all we have today. > Also, I don't understand why you wouldn't use hierarchical addressing > and delegation - which is what you might naturally do even in IPv4 - > and track ranges instead of individual addresses. In an enterprise NNI, or private cloud service, the source and destination ranges would be huge, and the complete list of individual allocations are generally unknown to the other party. The customer might have a /32. The private cloud provider might have a /32. There is generally no hierarchy. These are peer networks of equals. But even then, there's probably only a few tens to thousands machines on each side of the NNI that need to communicate. We generally limit the number of potential source addresses and sessions today by filtering to /32 or /24 or /16 at the NNI plus only allowing certain port numbers. That's massively smaller than granting access to a single IPv6 LAN of /64 for a single port. For example, a single source IPv4 /32 with access to 1 port on 4 destination IPv4 servers is never ever going to be able to saturate a flow-based WFQ session table, even if it is compromised. This source machine can only ever create 4 flows simply because of the ACL at the NNI. A single source machine (that has been compromised ) running IPv6 connected to a /64 using SLAAC + temporary addresses (and which connects to 1 port on 1 server connected to /64 with SLAAC) could easily saturate a flow-based WFQ table, causing service degradation to other well-behaved nodes, simply because the ACL is so much bigger, and the compromised machine can create so many more rogue flows. > > Perhaps I don't understand the use case. Can you say more about what > sort of networks would need this functionality? > Interconnections between enterprises, or within enterprises where different sites are managed by different parties, and avoiding cross contamination of resource depletion attacks sourced from single rogue nodes or sites. Even an ACL for a single /64 for a single port is massively bigger than the biggest access we grant today. Which probably leaves static addressing as the only option. Because alternative defence mechanisms simply aren't in place yet. -- Regards, RayH
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith