Re: Objection to draft-ietf-6man-rfc4291bis-07.txt

Mark Smith <markzzzsmith@gmail.com> Sun, 26 February 2017 05:25 UTC

In-Reply-To: <CAN-Dau0fq9eU71Od3oq9DRq1qLLMqiW-gr-oxgkc46Xo6hjE+Q@mail.gmail.com>
References: <20170223134026.GI5069@gir.theapt.org> <9277BC0B-04F3-4FC1-901E-F83A8F0E02D7@google.com> <58AF6429.70809@foobar.org> <902276E9-0521-4D4E-A42B-C45E64763896@google.com> <58AF726A.3040302@foobar.org> <F7C230DE-4759-4B78-ABF2-6799F85B3C62@google.com> <58B014F6.2040400@foobar.org> <6DA95097-8730-4353-A0C9-3EB4719EA891@google.com> <CAN-Dau0s04c=RV0Y8AGaxBPFui41TWPTB+5o0K2Lj-iah0An1w@mail.gmail.com> <CAL9jLaYirty22iGiEjEaYq3_KA1FZhxBTOBWuFOXQ9C-WPd5xQ@mail.gmail.com> <CAN-Dau0n6oFm538XdJOcuO1yg92BCDD3mBu5YfBVm_+g-gtcKA@mail.gmail.com> <CAL9jLaYO=uYgVfSZ0SoSe0SujJ1xgwEKE8WLzo_keJHywgXTtg@mail.gmail.com> <CAN-Dau1vJV5O_Ythp6THkAu4-YZXV82Upny1V+ybbjCVZQQX=A@mail.gmail.com> <27cce319-18ac-5c0e-3497-af92344f0062@gmail.com> <de4988be-6031-08d9-84ce-21c3fa4f9bc9@gmail.com> <CAN-Dau0fq9eU71Od3oq9DRq1qLLMqiW-gr-oxgkc46Xo6hjE+Q@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sun, 26 Feb 2017 16:24:43 +1100
Message-ID: <CAO42Z2zFX7nBWKdaiFKbFF613c5MUOuw_4QiR3C0YFSCnwpqQA@mail.gmail.com>
Subject: Re: Objection to draft-ietf-6man-rfc4291bis-07.txt
To: David Farmer <farmer@umn.edu>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/41a1BJM-sGKUB3Z8rUCPosEXRO8>
Cc: Alexandre Petrescu <alexandre.petrescu@gmail.com>, 6man WG <ipv6@ietf.org>

On 26 February 2017 at 07:40, David Farmer <farmer@umn.edu> wrote:
>
>
> On Sat, Feb 25, 2017 at 1:15 PM, Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:
>>

> Thinking about this a bit more; I think the non-64 lengths should be
> "OPTIONAL for host implementations of IPv6 to support", "RECOMMENDED for
> router implementations of IPv6 to support", "operational use of /127 subnet
> prefixes for point-to-point router links is RECOMMENDED",

I don't think /127s should be at a level of RECOMMENDED.

They are a way to mitigate an ND cache attack if your implementation is
vulnerable to one.

They are a way to mitigate an ICMP ping-pong attack, however that
requires the /127 prefix length to be configured on both ends of the
link, and that is not a requirement of the IPv6 protocol - there is no
requirement and no checking that all nodes attached to a link have
addresses from the prefix assigned to the link. A link with a /127 on
one end, and just a LL on the other (as could happen on links between
a service provider and a customer if there isn't configuration
discipline), is vulnerable to a ping-pong attack, yet would not be
obviously failing e.g., still deliver 100% successful Internet access
to that customer.

/127s of course prevent things that /64 can provide. For example, just
like hosts, Internet connected routers would benefit from being
protected from unsolicited inbound address scans by having a random
address within a /64 (you can't launch a TCP SYN attack against a BGP
speaking router if you can't find it).

I think a RECOMMENDED and therefore default parameter is the one that
should have the greatest chance of interoperability, is the one that
is likely to provide the best security in the least secure
environment, and the one that is making the least functionality or
capability tradeoffs.

In my mind, /127s make too many tradeoffs to mitigate a couple of
attacks for which it may not be necessary or effective if
configuration is not verified as correct.

I think recommending /127s for point-to-point router links also
creates an implicit and unstated constraint that RFC8064
("Recommendation on Stable IPv6 Interface Identifiers") only applies
to hosts. If that is the actual constraint, it should have been stated
in that RFC, and ideally in the title of it.

People of course can use /127s in their own network if they choose to
and are willing to sacrifice the potential benefits to their routers
of not using /64s, because IPv6 supports it per BCP198.

I think making /127s a default recommendation for point-to-point links
is effectively saying that routers have no need for any of the
benefits hosts get from /64s, and I don't think that is the case.

Regards,
Mark.
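An added illustration of the point made in this message about configuration needing to match on both ends of the link; it is example code written for this page, not anything from the thread or from an IETF document. It models two routers, A (provider side, default route upstream) and B (customer side, default route back across the link), joined by a point-to-point link that hands packets to the peer without neighbour discovery. The prefixes, the hop limit of 64, and the four configurations compared are all constructed assumptions. The simulation shows that a packet to an unused address bounces until its hop limit expires when both sides use /64, stops when both sides use the same /127, and still bounces when only one side has the /127 (the one-sided case loops here because A is given a covering route for the enclosing /64 pointing at the link, another constructed assumption). The `symmetric_127` check is the kind of configuration verification the message says is missing.

```python
import ipaddress

# Constructed example prefixes and addresses; not taken from the thread.
LINK64 = ipaddress.IPv6Network("2001:db8:0:1::/64")
A_ADDR = ipaddress.IPv6Address("2001:db8:0:1::")
B_ADDR = ipaddress.IPv6Address("2001:db8:0:1::1")
DEFAULT = ipaddress.IPv6Network("::/0")
HOP_LIMIT = 64  # constructed starting hop limit for injected packets


class Router:
    """Minimal FIB of (prefix, interface) entries. Interfaces are 'local'
    (one of the router's own addresses), 'p2p' (the point-to-point link to
    the peer) and 'upstream' (everything else). Longest prefix wins."""

    def __init__(self, name, entries):
        self.name = name
        self.fib = sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, dst):
        for net, iface in self.fib:
            if dst in net:
                return iface
        return None  # no matching route at all


def forward(routers, ingress, dst, hop_limit=HOP_LIMIT):
    """Inject a packet for dst at router `ingress` and follow it until it is
    delivered, leaves the link, is dropped, or exhausts its hop limit.
    Returns (outcome, number of traversals of the p2p link)."""
    dst = ipaddress.IPv6Address(dst)
    here, link_hops = ingress, 0
    while hop_limit > 0:
        iface = routers[here].lookup(dst)
        if iface is None:
            return "dropped:no-route", link_hops
        if iface in ("local", "upstream"):
            return ("delivered" if iface == "local" else "forwarded:upstream"), link_hops
        # 'p2p': a point-to-point link has no neighbour discovery, so the packet
        # is handed to the peer whatever destination address it carries.
        hop_limit -= 1
        link_hops += 1
        here = "B" if here == "A" else "A"
    return "dropped:hop-limit", link_hops


def scenario(a_plen, b_plen, a_extra=()):
    """Build the two routers. a_plen/b_plen are the on-link prefix lengths
    each side is configured with, or None for a link-local-only interface.
    a_extra lets A carry additional routes (e.g. a covering /64 to the link)."""
    def side(addr, plen, extra, default_iface):
        fib = [(ipaddress.IPv6Network((str(addr), 128)), "local"),
               (DEFAULT, default_iface)]
        if plen is not None:
            fib.append((ipaddress.IPv6Network((str(addr), plen), strict=False), "p2p"))
        fib.extend(extra)
        return fib
    return {
        "A": Router("A", side(A_ADDR, a_plen, a_extra, "upstream")),
        "B": Router("B", side(B_ADDR, b_plen, (), "p2p")),
    }


def ping_pong(a_plen, b_plen, a_extra=(), target="2001:db8:0:1::5"):
    """(True, hops) if a packet to an unused on-link address bounces between
    A and B until its hop limit expires; (False, hops) otherwise."""
    outcome, hops = forward(scenario(a_plen, b_plen, a_extra), "A", target)
    return outcome == "dropped:hop-limit", hops


def symmetric_127(a_addr, a_plen, b_addr, b_plen):
    """Configuration check: True only when both ends are /127 and fall in the
    same /127, the condition under which the /127 mitigation actually applies."""
    if a_plen != 127 or b_plen != 127:
        return False
    return (ipaddress.IPv6Network((str(a_addr), 127), strict=False)
            == ipaddress.IPv6Network((str(b_addr), 127), strict=False))


if __name__ == "__main__":
    print("both /64:            ", ping_pong(64, 64))
    print("both /127:           ", ping_pong(127, 127))
    print("A /64, B /127:       ", ping_pong(64, 127))
    print("A /127 + covering /64, B LL-only:",
          ping_pong(127, None, a_extra=[(LINK64, "p2p")]))
    print("config check A/B:    ", symmetric_127(A_ADDR, 127, B_ADDR, 127))
```

Running it prints `(True, 64)` for the two looping cases and `(False, 0)` for the matched /127 pair, where A simply sends the packet to its default route. The mitigation therefore depends on a property of both routers' configuration, which is why a check like `symmetric_127` belongs in link provisioning rather than being assumed.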