IETF Logo Mail Archive

Re: rfc4941bis: temporary addresses as "outgoing-only"?

David Farmer <farmer@umn.edu> Tue, 11 February 2020 23:48 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71AA912004C for <ipv6@ietfa.amsl.com>; Tue, 11 Feb 2020 15:48:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2ew4BAdN65L for <ipv6@ietfa.amsl.com>; Tue, 11 Feb 2020 15:48:37 -0800 (PST)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 635A112083D for <6man@ietf.org>; Tue, 11 Feb 2020 15:48:37 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 48HKGr5lTGz9vcjH for <6man@ietf.org>; Tue, 11 Feb 2020 23:48:36 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2bsL2BTqw4Pl for <6man@ietf.org>; Tue, 11 Feb 2020 17:48:36 -0600 (CST)
Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com [209.85.160.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 48HKGr3zxKz9vckD for <6man@ietf.org>; Tue, 11 Feb 2020 17:48:35 -0600 (CST)
Received: by mail-qt1-f199.google.com with SMTP id d9so90738qtq.13 for <6man@ietf.org>; Tue, 11 Feb 2020 15:48:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PTbS1AJG+ZpC1WyhtbQS3KLgI5o66re8Kbxe9L7NACA=; b=pf5jFR+2i/GZEhMIPi5SIfuPk4UYh1fcsiQDqFQgpi1iBg0QZ8CpjLmVoLoQ7di+A4 frDuioEqTUznD+vZsWdahV9Q1/eJrrzQ7Qcf1OiG0tJAveEdUIwBTCaZh8HPOKLazRqm ZEJ/dG0mOK1ZoMN3ugsSq5IkiVDIRSbLIUU288tXm75U+tj/FWUs0c5/4Wd/U4JLUhKZ RpfQuDdZGPMh7Q2j5zRxBkjvo5WRhu1zYI9bW413TMyj2C7KHng+5YlmQy4cbbUtkPxF Y9Q051fm/Qz4EmJ+eka0E4FDjZ1jyb9STQH1wSe+9+oXP+JB2S8Bh6hkDaJovnG1BeZY ZYsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PTbS1AJG+ZpC1WyhtbQS3KLgI5o66re8Kbxe9L7NACA=; b=tohzN86O+UWj3bsISHUSbLZITh1jaL18wAfdZbHNOqB+TKOJRyCznlRuDWd3pxYTib RNPNkPE/aWMd0t8QnTmLpuXoqlmsk7pcc8jSiGAhoefO3rorU6qqUpgz+SRbdPMex4OF I8NaEYqNBTFubdgr6cSr4nlBHHumkD8KCRt42NIcKlrbfZBapGp7G6HSx75yog+ekrfX yK8EtU89CPcwO6wfc8XSUaE75b+axF67GrHioTycDHgYXtFgjSkNKaDvniQu0KsO8Nke cqmfI8iaUQ1T/N3ucEIAcwb7aZpl9XKCrI6HJ4J+kDfClyVFBze2aiFzkQ5Es89Px0dM 29OQ==
X-Gm-Message-State: APjAAAW2HsRtgLenBGPnCS5xqXL8ewjJ1hNqAO8+LWlWuYiy9+xExM4J 1m/5TGDwxj8itctjnOmDKhZXlZ+bmbPVkRH0COQbXT+MOQ/B3iWfcJ8yVfBR2QnhZZVA9YkrrPn yPyRxP2D0Uqbs8olZ1q/Vy7iw
X-Received: by 2002:ac8:6718:: with SMTP id e24mr17574633qtp.188.1581464915161; Tue, 11 Feb 2020 15:48:35 -0800 (PST)
X-Google-Smtp-Source: APXvYqwnZLP86p3AKLdxW+vcXul613dDZUTDnfCrScGM8La4Kmw0nImJCkjXT683ZFQcaMOA0KlVrKlQjBmr43SAax4=
X-Received: by 2002:ac8:6718:: with SMTP id e24mr17574611qtp.188.1581464914665; Tue, 11 Feb 2020 15:48:34 -0800 (PST)
MIME-Version: 1.0
References: <3217323b-3d8b-bf75-b5b0-ffdd01ee1501@si6networks.com> <CAO42Z2xtvjo_RO7kNsFCi4=S0TJKRest-8fEkvnwbC3rBNAj0A@mail.gmail.com> <ac38ca41-a148-470a-d2ba-26649f77e2f8@gmail.com> <992cb8c9-f360-44f1-89fe-ec9b1abd0846@si6networks.com> <CAO42Z2yXxPzhVOyE6NTgn1hHactQXZ0CRsyWZqWjBYEX3b_y9g@mail.gmail.com> <65587adb-d7f8-5457-b51a-82a9b8582ff7@si6networks.com>
In-Reply-To: <65587adb-d7f8-5457-b51a-82a9b8582ff7@si6networks.com>
From: David Farmer <farmer@umn.edu>
Date: Tue, 11 Feb 2020 17:48:18 -0600
Message-ID: <CAN-Dau2SYntjki9+etWAPv+kFQnD7HxrPi=+48EVOc0Z8iAzyg@mail.gmail.com>
Subject: Re: rfc4941bis: temporary addresses as "outgoing-only"?
To: Fernando Gont <fgont@si6networks.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, 6MAN <6man@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000076b8e1059e557ed7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/99BUuXPQJLqG2d79McFdyPKmIHc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2020 23:48:41 -0000

On Mon, Feb 10, 2020 at 11:38 PM Fernando Gont <fgont@si6networks.com>
wrote:

> On 11/2/20 02:18, Mark Smith wrote:
> > On Tue, 11 Feb 2020 at 15:32, Fernando Gont <fgont@si6networks.com>
> wrote:
> >>
> >> On 10/2/20 19:17, Brian E Carpenter wrote:
> >>> On 11-Feb-20 09:46, Mark Smith wrote:
> >>>>
> >>>>
> >>>> On Tue, 11 Feb 2020, 03:13 Fernando Gont, <fgont@si6networks.com
> <mailto:fgont@si6networks.com>> wrote:
> >>>>
> >>>>       Folks,
> >>>>
> >>>>       Since we are at it, I wonder if rfc4941bis should say anything
> about the
> >>>>       use of temporary addresses for incoming connections. (see
> >>>>
> https://tools.ietf.org/html/draft-gont-6man-address-usage-recommendations-04#section-4.3
> ).
> >>>>       (e.g., "an implementation MAY....")
> >>>>
> >>>>       Particularly for connection-oriented protocols, hosts that
> prevent
> >>>>       incoming connections on temporary addresses reduce exposure
> even when
> >>>>       their temporary addresses become "exposed" by outgoing sessions.
> >>>>
> >>>>       i.e., if the model is that temporary addresses are employed for
> outgoing
> >>>>       connections, unless a host uses temporary-only, there's no
> reason to
> >>>>       receive incoming connections on temporary addresses. (e.g.,
> browsing the
> >>>>       web or sending email should not be an invitation for folks to
> e.g.
> >>>>       port-scan you).
> >>>>
> >>>>
> >>>> This would prevent peer-to-peer connections between end-user devices,
> as it means devices become clients only, and they therefore cannot provide
> a temporary server/service.
> >>>
> >>> If a node has a stable address as well as a temporary address, that
> isn't the case.
> >>
> >> That's what I had in mind.
> >>
> >
> > So if we want to support adhoc peer-to-peer file transfers between
> > e.g. smartphones via NFC/Bluetooth/Adhoc Wifi, then stable addresses
> > are required, even if the file transfer takes say 30 seconds, well
> > within the valid lifetime of the RFC4291bis temporary addresses?
>
> I see your point. And if one were to implement this policy, yes, stable
> addresses would be required.
>
> That said, it is clear to me that this is out of scope for this document
> (I just wanted to check with the group). Once again, if we had
> appropriate APIs, applying this sort of policy host-wide wouldn't even
> make sense.
>

I think a specific requirement to use temporary addresses for outbound only
is out of scope for this document, if only because it permits the use
only temporary addresses by a node, and doesn't require permanent or stable
addresses. Nevertheless, it is an important point, that how temporary
addresses are used by applications impacts their traceability significantly.

Therefore, I think a recommendation like, temporary addresses are generally
most effective when applications prefer temporary addresses for outbound
connections and use other addresses for inbound connections when feasible,
especially for long-term well-known services, is in scope.

Thanks.




-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email