Re: rfc4941bis: temporary addresses as "outgoing-only"?
David Farmer <farmer@umn.edu> Tue, 11 February 2020 23:48 UTC
Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71AA912004C for <ipv6@ietfa.amsl.com>; Tue, 11 Feb 2020 15:48:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2ew4BAdN65L for <ipv6@ietfa.amsl.com>; Tue, 11 Feb 2020 15:48:37 -0800 (PST)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 635A112083D for <6man@ietf.org>; Tue, 11 Feb 2020 15:48:37 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 48HKGr5lTGz9vcjH for <6man@ietf.org>; Tue, 11 Feb 2020 23:48:36 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2bsL2BTqw4Pl for <6man@ietf.org>; Tue, 11 Feb 2020 17:48:36 -0600 (CST)
Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com [209.85.160.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 48HKGr3zxKz9vckD for <6man@ietf.org>; Tue, 11 Feb 2020 17:48:35 -0600 (CST)
Received: by mail-qt1-f199.google.com with SMTP id d9so90738qtq.13 for <6man@ietf.org>; Tue, 11 Feb 2020 15:48:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PTbS1AJG+ZpC1WyhtbQS3KLgI5o66re8Kbxe9L7NACA=; b=pf5jFR+2i/GZEhMIPi5SIfuPk4UYh1fcsiQDqFQgpi1iBg0QZ8CpjLmVoLoQ7di+A4 frDuioEqTUznD+vZsWdahV9Q1/eJrrzQ7Qcf1OiG0tJAveEdUIwBTCaZh8HPOKLazRqm ZEJ/dG0mOK1ZoMN3ugsSq5IkiVDIRSbLIUU288tXm75U+tj/FWUs0c5/4Wd/U4JLUhKZ RpfQuDdZGPMh7Q2j5zRxBkjvo5WRhu1zYI9bW413TMyj2C7KHng+5YlmQy4cbbUtkPxF Y9Q051fm/Qz4EmJ+eka0E4FDjZ1jyb9STQH1wSe+9+oXP+JB2S8Bh6hkDaJovnG1BeZY ZYsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PTbS1AJG+ZpC1WyhtbQS3KLgI5o66re8Kbxe9L7NACA=; b=tohzN86O+UWj3bsISHUSbLZITh1jaL18wAfdZbHNOqB+TKOJRyCznlRuDWd3pxYTib RNPNkPE/aWMd0t8QnTmLpuXoqlmsk7pcc8jSiGAhoefO3rorU6qqUpgz+SRbdPMex4OF I8NaEYqNBTFubdgr6cSr4nlBHHumkD8KCRt42NIcKlrbfZBapGp7G6HSx75yog+ekrfX yK8EtU89CPcwO6wfc8XSUaE75b+axF67GrHioTycDHgYXtFgjSkNKaDvniQu0KsO8Nke cqmfI8iaUQ1T/N3ucEIAcwb7aZpl9XKCrI6HJ4J+kDfClyVFBze2aiFzkQ5Es89Px0dM 29OQ==
X-Gm-Message-State: APjAAAW2HsRtgLenBGPnCS5xqXL8ewjJ1hNqAO8+LWlWuYiy9+xExM4J 1m/5TGDwxj8itctjnOmDKhZXlZ+bmbPVkRH0COQbXT+MOQ/B3iWfcJ8yVfBR2QnhZZVA9YkrrPn yPyRxP2D0Uqbs8olZ1q/Vy7iw
X-Received: by 2002:ac8:6718:: with SMTP id e24mr17574633qtp.188.1581464915161; Tue, 11 Feb 2020 15:48:35 -0800 (PST)
X-Google-Smtp-Source: APXvYqwnZLP86p3AKLdxW+vcXul613dDZUTDnfCrScGM8La4Kmw0nImJCkjXT683ZFQcaMOA0KlVrKlQjBmr43SAax4=
X-Received: by 2002:ac8:6718:: with SMTP id e24mr17574611qtp.188.1581464914665; Tue, 11 Feb 2020 15:48:34 -0800 (PST)
MIME-Version: 1.0
References: <3217323b-3d8b-bf75-b5b0-ffdd01ee1501@si6networks.com> <CAO42Z2xtvjo_RO7kNsFCi4=S0TJKRest-8fEkvnwbC3rBNAj0A@mail.gmail.com> <ac38ca41-a148-470a-d2ba-26649f77e2f8@gmail.com> <992cb8c9-f360-44f1-89fe-ec9b1abd0846@si6networks.com> <CAO42Z2yXxPzhVOyE6NTgn1hHactQXZ0CRsyWZqWjBYEX3b_y9g@mail.gmail.com> <65587adb-d7f8-5457-b51a-82a9b8582ff7@si6networks.com>
In-Reply-To: <65587adb-d7f8-5457-b51a-82a9b8582ff7@si6networks.com>
From: David Farmer <farmer@umn.edu>
Date: Tue, 11 Feb 2020 17:48:18 -0600
Message-ID: <CAN-Dau2SYntjki9+etWAPv+kFQnD7HxrPi=+48EVOc0Z8iAzyg@mail.gmail.com>
Subject: Re: rfc4941bis: temporary addresses as "outgoing-only"?
To: Fernando Gont <fgont@si6networks.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, 6MAN <6man@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000076b8e1059e557ed7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/99BUuXPQJLqG2d79McFdyPKmIHc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2020 23:48:41 -0000
On Mon, Feb 10, 2020 at 11:38 PM Fernando Gont <fgont@si6networks.com> wrote: > On 11/2/20 02:18, Mark Smith wrote: > > On Tue, 11 Feb 2020 at 15:32, Fernando Gont <fgont@si6networks.com> > wrote: > >> > >> On 10/2/20 19:17, Brian E Carpenter wrote: > >>> On 11-Feb-20 09:46, Mark Smith wrote: > >>>> > >>>> > >>>> On Tue, 11 Feb 2020, 03:13 Fernando Gont, <fgont@si6networks.com > <mailto:fgont@si6networks.com>> wrote: > >>>> > >>>> Folks, > >>>> > >>>> Since we are at it, I wonder if rfc4941bis should say anything > about the > >>>> use of temporary addresses for incoming connections. (see > >>>> > https://tools.ietf.org/html/draft-gont-6man-address-usage-recommendations-04#section-4.3 > ). > >>>> (e.g., "an implementation MAY....") > >>>> > >>>> Particularly for connection-oriented protocols, hosts that > prevent > >>>> incoming connections on temporary addresses reduce exposure > even when > >>>> their temporary addresses become "exposed" by outgoing sessions. > >>>> > >>>> i.e., if the model is that temporary addresses are employed for > outgoing > >>>> connections, unless a host uses temporary-only, there's no > reason to > >>>> receive incoming connections on temporary addresses. (e.g., > browsing the > >>>> web or sending email should not be an invitation for folks to > e.g. > >>>> port-scan you). > >>>> > >>>> > >>>> This would prevent peer-to-peer connections between end-user devices, > as it means devices become clients only, and they therefore cannot provide > a temporary server/service. > >>> > >>> If a node has a stable address as well as a temporary address, that > isn't the case. > >> > >> That's what I had in mind. > >> > > > > So if we want to support adhoc peer-to-peer file transfers between > > e.g. smartphones via NFC/Bluetooth/Adhoc Wifi, then stable addresses > > are required, even if the file transfer takes say 30 seconds, well > > within the valid lifetime of the RFC4291bis temporary addresses? > > I see your point. And if one were to implement this policy, yes, stable > addresses would be required. > > That said, it is clear to me that this is out of scope for this document > (I just wanted to check with the group). Once again, if we had > appropriate APIs, applying this sort of policy host-wide wouldn't even > make sense. > I think a specific requirement to use temporary addresses for outbound only is out of scope for this document, if only because it permits the use only temporary addresses by a node, and doesn't require permanent or stable addresses. Nevertheless, it is an important point, that how temporary addresses are used by applications impacts their traceability significantly. Therefore, I think a recommendation like, temporary addresses are generally most effective when applications prefer temporary addresses for outbound connections and use other addresses for inbound connections when feasible, especially for long-term well-known services, is in scope. Thanks. -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
- rfc4941bis: temporary addresses as "outgoing-only… Fernando Gont
- Re: rfc4941bis: temporary addresses as "outgoing-… Mark Smith
- Re: rfc4941bis: temporary addresses as "outgoing-… Brian E Carpenter
- Re: rfc4941bis: temporary addresses as "outgoing-… Gyan Mishra
- Re: rfc4941bis: temporary addresses as "outgoing-… Gyan Mishra
- Re: rfc4941bis: temporary addresses as "outgoing-… Mark Smith
- Re: rfc4941bis: temporary addresses as "outgoing-… Fernando Gont
- Re: rfc4941bis: temporary addresses as "outgoing-… Fernando Gont
- Re: rfc4941bis: temporary addresses as "outgoing-… Fernando Gont
- Re: rfc4941bis: temporary addresses as "outgoing-… Mark Smith
- Re: rfc4941bis: temporary addresses as "outgoing-… Fernando Gont
- Re: rfc4941bis: temporary addresses as "outgoing-… Fernando Gont
- Re: rfc4941bis: temporary addresses as "outgoing-… Mark Smith
- Re: rfc4941bis: temporary addresses as "outgoing-… Gyan Mishra
- Re: rfc4941bis: temporary addresses as "outgoing-… Brian E Carpenter
- Re: rfc4941bis: temporary addresses as "outgoing-… David Farmer