IETF Logo Mail Archive

Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt

Tim Chown <Tim.Chown@jisc.ac.uk> Thu, 29 March 2018 11:23 UTC

Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F3512D950 for <ipv6@ietfa.amsl.com>; Thu, 29 Mar 2018 04:23:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KXesfI1r8c5i for <ipv6@ietfa.amsl.com>; Thu, 29 Mar 2018 04:23:21 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0316512D94F for <ipv6@ietf.org>; Thu, 29 Mar 2018 04:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=mimecast20170213; t=1522322598; h=from:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:in-reply-to:references; bh=klOBJACTameOScf6G+BPqMcCkQYsODc39fH8l69WoV0=; b=W77VbHp4ijCBtTjn0EqSFepSJ8oUITiC3giXFXv4hFVjLR/7Agc4LyAmYjVVjzvQ6AsApnu6pT5EOrMKf+RlWlARyaHpHcSHA38onxRrw35ULyoFiRQUljVoBGaPE/b+I38uxPkJezIydC5bgb7sE1pByOTESKcMHezFPT452ks=
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01lp0209.outbound.protection.outlook.com [213.199.154.209]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-113-JHlq3HDnNWuESXHYVn1llQ-1; Thu, 29 Mar 2018 12:23:16 +0100
Received: from VI1PR07MB0879.eurprd07.prod.outlook.com (10.161.108.21) by VI1PR07MB3296.eurprd07.prod.outlook.com (10.175.243.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.631.5; Thu, 29 Mar 2018 11:23:11 +0000
Received: from VI1PR07MB0879.eurprd07.prod.outlook.com ([fe80::4011:38b1:3ecf:4201]) by VI1PR07MB0879.eurprd07.prod.outlook.com ([fe80::4011:38b1:3ecf:4201%4]) with mapi id 15.20.0631.009; Thu, 29 Mar 2018 11:23:11 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: Fernando Gont <fernando@gont.com.ar>, 6man <ipv6@ietf.org>
Subject: Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
Thread-Topic: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
Thread-Index: AQHTxNaitTba3z/HkkufCgTd1ehlT6Pi4toAgAAzCQCAAAq2AIAAotcAgAC5soCAApnTAA==
Date: Thu, 29 Mar 2018 11:23:11 +0000
Message-ID: <2B220EB8-0024-4642-A738-D2F4CEF934E3@jisc.ac.uk>
References: <152203605148.3066.2744350974766846700@ietfa.amsl.com> <2c561929-98dc-beac-7916-20af889956a4@gmail.com> <50B5C57C-523B-437C-AD74-3F641648EA42@jisc.ac.uk> <803efd39-f488-7b97-cc34-232bc92c7623@gmail.com> <f728c0f7-512d-9d6d-7f76-03cead98d2f5@gont.com.ar> <7f2d9de6-fabe-e033-c3ad-21044e6054af@gmail.com>
In-Reply-To: <7f2d9de6-fabe-e033-c3ad-21044e6054af@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.5.20)
x-originating-ip: [94.117.5.209]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR07MB3296; 7:vB6ofiG++B4eYJDFzTChtqh+eS2pXrtXowsMTN1q3NqWsrBIBQLLHk4DrvX0AJxr/sbVEKb8mz9h3TgyDVkUyPcE5sb3VfXbSHdOAgJth3q542re+HiYTv7bXcMYwj71k8/DY3Zrm7IAUNwUxprkhFhQhzv7Iog9kl1C6aKh800lP55GlrFuzGyWUIdlmcOIZMDajvVrqN6ccCU3akQVaFmG8U6P7nqhr/wESB1glZF1+hBIixES2grKmnyvQ8jq; 20:We/HcwrF7HefB/RtJLEqtLchM/YZMSKY4dGCz5EqqxsCbrAUtxz2/Roglzc6SQVekEuhIMn3Wxb1bCqJANV359RbnSQMFlpLN+Hpy73+dNkP26MKzdU5t/yBSr4F/Z0kyGBSe34X+KVernath57dK1Vf/+5iggnPDnlAk4+qVqo=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 31da0132-8bc9-4234-ad59-08d59567749b
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:VI1PR07MB3296;
x-ms-traffictypediagnostic: VI1PR07MB3296:
x-microsoft-antispam-prvs: <VI1PR07MB329627C4B6DE5938C5A6D644D6A20@VI1PR07MB3296.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(85827821059158)(788757137089)(113508987740486);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(93001095)(3231221)(944501327)(52105095)(6041310)(20161123564045)(20161123558120)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(6072148)(201708071742011); SRVR:VI1PR07MB3296; BCL:0; PCL:0; RULEID:; SRVR:VI1PR07MB3296;
x-forefront-prvs: 0626C21B10
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(346002)(39380400002)(39850400004)(376002)(189003)(199004)(11905935001)(26005)(25786009)(7736002)(305945005)(186003)(54906003)(8936002)(6116002)(446003)(2616005)(11346002)(478600001)(39060400002)(72206003)(6916009)(229853002)(486005)(6486002)(486005)(53546011)(3846002)(59450400001)(476003)(50226002)(1720100001)(5660300001)(86362001)(6306002)(68736007)(106356001)(102836004)(99286004)(6512007)(76176011)(6436002)(6506007)(2900100001)(83716003)(8676002)(53936002)(66066001)(6246003)(105586002)(966005)(5250100002)(33656002)(14454004)(82746002)(81156014)(97736004)(74482002)(3660700001)(316002)(57306001)(3280700002)(93886005)(36756003)(786003)(4326008)(2906002)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB3296; H:VI1PR07MB0879.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-microsoft-antispam-message-info: HomtihrdLzp8ynGDszpKKr881v4O5/Y7iT6QrFWQ1Sz7Zt5SR30IYfo9secH2iBRC8zTt4epJM4Ug5/tu2Vr0cCtRBhbrrAbXnTnKwLY9UbD2TZw2q4CQVMe/tbyENKF67yIGqIGEyz8y698PITZx7Rx25/KWD5EI7fVB7HUZ1F+eTwuvyvyj0nwxzb8/RJMcp2ePxcxsf0WQPi77L0nFSEP8cbfJvjKqmKJj5XoAlBBTilSGivw41164KgBz0cCnEdIh4zsj5GEUbGYr2VVUOWa8cox5xVe3owY8l/fZXJ6ier9oYEFh70E0uastlFzIeZrKb9sROk58EqMzvMwMQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <A2E1D3E70B503D4F8F4A386BB999D854@eurprd07.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 31da0132-8bc9-4234-ad59-08d59567749b
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2018 11:23:11.2072 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB3296
X-MC-Unique: JHlq3HDnNWuESXHYVn1llQ-1
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/DaQnSQ37RGi4WMpdYDVRaU3Gkhk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 11:23:24 -0000

> On 27 Mar 2018, at 20:40, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> On 27/03/2018 21:35, Fernando Gont wrote:
>> On 03/26/2018 11:52 PM, Brian E Carpenter wrote:
>>>>> 
>>>>>> 6. Temporary addresses are *not* disabled by default.
>>>>> 
>>>>> Specifically, this text was removed:
>>>>> 
>>>>>> Consequently, the use of temporary addresses SHOULD be disabled by	
>>>>>> default in order to minimize potential disruptions.
>>>>> 
>>>>> My concern is that the disruptions ("some applications may not behave
>>>>> robustly if temporary addresses are used") haven't gone away, and the
>>>>> cause may be very hard for ordinary users to diagnose. In fact, I
>>>>> think some of the cases of help desks advising users to switch off
>>>>> IPv6 derive from recently shipped operating systems that enable
>>>>> temporary addresses by default. I've disabled them on a couple of
>>>>> Windows 10 laptops for this reason.
>>>> 
>>>> Through what impact of using privacy addresses?  What are the problematic applications?
>>> 
>>> I don't know what the 4941 authors were thinking of. 
>> 
>> I guess they were referring to long-lived connections?
> 
> Probably. What I'm complaining about is services that have some
> sort of reputation system based on individual /128s. Temporary
> addresses do create a behaviour pattern that doesn't exist for
> IPv4 clients.
> 
>>> The example
>>> I've seen is mentioned below: a service that considers frequent
>>> changes of IP address to be a sign of illicit activity.
>> 
>> This is tricky already, anyway. With happy-eyeballs sort of behavior,
>> this can already happen (one connection happens over v4, and a
>> subsequent happens over v6).
>> 
>> I do believe that, for all such cases, giving apps more control (and
>> awareness!) regarding v6 addressing and what they can do about it is
>> needed. But that would be out of cope for this particular document, I think.
>> 
>> That said, we could add a comment about this issue in this document.
>> Thoughts?
> 
> Yes, an explanation of this side-effect issue would help. Also perhaps,
> replace the old "off by default" text by a requirement that it must be
> easy for the user to disable temporary addresses if they cause problems.
> IMHO, netsh interface ipv6 set privacy state=disabled store=persistent
> doesn't count as "easy" for a normal user.

The current 6434-bis says

"RFC 4941 SHOULD be supported.  In some scenarios, such as dedicated
   servers in a data center, it provides limited or no benefit, or may
   complicate network management.  Thus devices implementing this
   specification MUST provide a way for the end user to explicitly
   enable or disable the use of such temporary addresses."

Is that the sort of wording you'd like?

(https://tools.ietf.org/html/draft-ietf-6man-rfc6434-bis-08#page-15)

> There are real scenarios where "on by default" can be a problem.
> Here are some fragments of the real world:
> http://kb.tableau.com/articles/Issue/identifying-and-disabling-temporary-ipv6-addresses

This one seems largely about using (or not) privacy addresses for servers?

> https://lonesysadmin.net/2018/01/23/disable-windows-ipv6-temporary-addresses/

This is a more pragmatic one, where today ACLs may allow a specific admin's workstation IP access somewhere.
Maybe that's a case for RFC8273, with the ACL on the /64 prefix?  Though if it is an administratively configured system, disabling RFC 4941 should be pretty easy.
Or there are certificate-based solutions, etc.

In general, I agree with Mikael's comment on TAPS, where I think Fernando already has a draft on this topic.

Tim

>   Brian
> 
>> 
>> 
>>> (Remember, my concern is only about the default configuration
>>> and the resulting puzzlement of ordinary users and help desks.)
>> 
>> Another part of the problem here is that you cannot hint the network
>> about what to do. e.g., see draft-gont-6man-managing-slaac-policy
>> 
>> Thanks!
>> 
>> Cheers,
>> 
>

v2.23.0 | Report a Bug | By Email