Re: [v6ops] RFC7217 and flash renumbering and IID change
Fernando Gont <fgont@si6networks.com> Mon, 14 December 2020 13:50 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E384A3A0ACC for <ipv6@ietfa.amsl.com>; Mon, 14 Dec 2020 05:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpPy_g6kqmog for <ipv6@ietfa.amsl.com>; Mon, 14 Dec 2020 05:50:08 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B17C33A0ACB for <ipv6@ietf.org>; Mon, 14 Dec 2020 05:50:06 -0800 (PST)
Received: from [10.0.0.129] (unknown [186.19.8.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 373C5283C5B; Mon, 14 Dec 2020 13:50:02 +0000 (UTC)
Subject: Re: [v6ops] RFC7217 and flash renumbering and IID change
To: Philip Homburg <pch-ipv6-ietf-7@u-1.phicoh.com>, ipv6@ietf.org
References: <alpine.DEB.2.20.2012111147020.10335@uplift.swm.pp.se> <28ec97ca-355b-e4d8-200d-1c14160b51c0@si6networks.com> <4AC2A13C-9FE6-4D2C-B14C-D1DCC3169700@thehobsons.co.uk> <m1kole5-0000HWC@stereo.hq.phicoh.net>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <7b7803bb-cd05-339c-b072-3435a435d8eb@si6networks.com>
Date: Mon, 14 Dec 2020 10:49:16 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <m1kole5-0000HWC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/72JCXG7ckrQSAlXMHS86lzLEAso>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 13:50:11 -0000
On 14/12/20 08:04, Philip Homburg wrote:
>> So we're back to each host deciding on the security policy for the network - n
>> ot a network admin (as a proxy for the owners of the site/network).
>>
>> I make a point of disabling upnp as one of the first steps when setting up a n
>> etwork. Who wants ${random device which may or may not be "friendly"} to be ab
>> le to determine what traffic is allowed into the network - it's not like there
>> is anyone out there in the wild west of the internet who'd have any hostile i
>> ntent :-/
>
> There are a numbering of things that could be done:
> - Use DHCPv6 IA_NA instead of SLAAC
Could work, but obviously not for Android.
> - Have a provisioning system that provides each host with a static address.
This assumes that:
* The firewall can filter based on an address/IID token -- which need
not be the case
* You're only setting rules for incoming connections (since temporary
addresses will lead to changing addresses for outgoing connections)
> - Bring back EUI-64. For systems with static addresses, EUI-64 works just
> fine.
*If* you wanted to do this sort of thing, you could configure the
address based on a token (this is what windows does). This way the IID
is stable, but you still mitigate address scans.
That said, I think EUI-64 are a bad idea.
> - Define yet another pseudo-random IID. This time one where the IID remains
> constant over the lifetime of the system.
FWIW, this is what Windows does.
Now, if the goal is to set fw rules for incoming connections, then it's
likely that you'll access the boxes via DNS names. If the address
changes, the DNS RRs need to be updated. So the hosts could update them,
and the fw set the rules on a per-domain-name basis?
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- Re: [v6ops] RFC7217 and flash renumbering and IID… Philip Homburg
- Re: [v6ops] RFC7217 and flash renumbering and IID… Fernando Gont
- Re: [v6ops] RFC7217 and flash renumbering and IID… Philip Homburg
- Re: [v6ops] RFC7217 and flash renumbering and IID… Mark Andrews