Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
Tim Chown <Tim.Chown@jisc.ac.uk> Thu, 29 March 2018 11:23 UTC
Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F3512D950 for <ipv6@ietfa.amsl.com>; Thu, 29 Mar 2018 04:23:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KXesfI1r8c5i for <ipv6@ietfa.amsl.com>; Thu, 29 Mar 2018 04:23:21 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0316512D94F for <ipv6@ietf.org>; Thu, 29 Mar 2018 04:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=mimecast20170213; t=1522322598; h=from:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:in-reply-to:references; bh=klOBJACTameOScf6G+BPqMcCkQYsODc39fH8l69WoV0=; b=W77VbHp4ijCBtTjn0EqSFepSJ8oUITiC3giXFXv4hFVjLR/7Agc4LyAmYjVVjzvQ6AsApnu6pT5EOrMKf+RlWlARyaHpHcSHA38onxRrw35ULyoFiRQUljVoBGaPE/b+I38uxPkJezIydC5bgb7sE1pByOTESKcMHezFPT452ks=
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01lp0209.outbound.protection.outlook.com [213.199.154.209]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-113-JHlq3HDnNWuESXHYVn1llQ-1; Thu, 29 Mar 2018 12:23:16 +0100
Received: from VI1PR07MB0879.eurprd07.prod.outlook.com (10.161.108.21) by VI1PR07MB3296.eurprd07.prod.outlook.com (10.175.243.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.631.5; Thu, 29 Mar 2018 11:23:11 +0000
Received: from VI1PR07MB0879.eurprd07.prod.outlook.com ([fe80::4011:38b1:3ecf:4201]) by VI1PR07MB0879.eurprd07.prod.outlook.com ([fe80::4011:38b1:3ecf:4201%4]) with mapi id 15.20.0631.009; Thu, 29 Mar 2018 11:23:11 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: Fernando Gont <fernando@gont.com.ar>, 6man <ipv6@ietf.org>
Subject: Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
Thread-Topic: I-D Action: draft-fgont-6man-rfc4941bis-01.txt
Thread-Index: AQHTxNaitTba3z/HkkufCgTd1ehlT6Pi4toAgAAzCQCAAAq2AIAAotcAgAC5soCAApnTAA==
Date: Thu, 29 Mar 2018 11:23:11 +0000
Message-ID: <2B220EB8-0024-4642-A738-D2F4CEF934E3@jisc.ac.uk>
References: <152203605148.3066.2744350974766846700@ietfa.amsl.com> <2c561929-98dc-beac-7916-20af889956a4@gmail.com> <50B5C57C-523B-437C-AD74-3F641648EA42@jisc.ac.uk> <803efd39-f488-7b97-cc34-232bc92c7623@gmail.com> <f728c0f7-512d-9d6d-7f76-03cead98d2f5@gont.com.ar> <7f2d9de6-fabe-e033-c3ad-21044e6054af@gmail.com>
In-Reply-To: <7f2d9de6-fabe-e033-c3ad-21044e6054af@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.5.20)
x-originating-ip: [94.117.5.209]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR07MB3296; 7:vB6ofiG++B4eYJDFzTChtqh+eS2pXrtXowsMTN1q3NqWsrBIBQLLHk4DrvX0AJxr/sbVEKb8mz9h3TgyDVkUyPcE5sb3VfXbSHdOAgJth3q542re+HiYTv7bXcMYwj71k8/DY3Zrm7IAUNwUxprkhFhQhzv7Iog9kl1C6aKh800lP55GlrFuzGyWUIdlmcOIZMDajvVrqN6ccCU3akQVaFmG8U6P7nqhr/wESB1glZF1+hBIixES2grKmnyvQ8jq; 20:We/HcwrF7HefB/RtJLEqtLchM/YZMSKY4dGCz5EqqxsCbrAUtxz2/Roglzc6SQVekEuhIMn3Wxb1bCqJANV359RbnSQMFlpLN+Hpy73+dNkP26MKzdU5t/yBSr4F/Z0kyGBSe34X+KVernath57dK1Vf/+5iggnPDnlAk4+qVqo=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 31da0132-8bc9-4234-ad59-08d59567749b
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:VI1PR07MB3296;
x-ms-traffictypediagnostic: VI1PR07MB3296:
x-microsoft-antispam-prvs: <VI1PR07MB329627C4B6DE5938C5A6D644D6A20@VI1PR07MB3296.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(85827821059158)(788757137089)(113508987740486);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(93001095)(3231221)(944501327)(52105095)(6041310)(20161123564045)(20161123558120)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(6072148)(201708071742011); SRVR:VI1PR07MB3296; BCL:0; PCL:0; RULEID:; SRVR:VI1PR07MB3296;
x-forefront-prvs: 0626C21B10
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(346002)(39380400002)(39850400004)(376002)(189003)(199004)(11905935001)(26005)(25786009)(7736002)(305945005)(186003)(54906003)(8936002)(6116002)(446003)(2616005)(11346002)(478600001)(39060400002)(72206003)(6916009)(229853002)(486005)(6486002)(486005)(53546011)(3846002)(59450400001)(476003)(50226002)(1720100001)(5660300001)(86362001)(6306002)(68736007)(106356001)(102836004)(99286004)(6512007)(76176011)(6436002)(6506007)(2900100001)(83716003)(8676002)(53936002)(66066001)(6246003)(105586002)(966005)(5250100002)(33656002)(14454004)(82746002)(81156014)(97736004)(74482002)(3660700001)(316002)(57306001)(3280700002)(93886005)(36756003)(786003)(4326008)(2906002)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB3296; H:VI1PR07MB0879.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-microsoft-antispam-message-info: HomtihrdLzp8ynGDszpKKr881v4O5/Y7iT6QrFWQ1Sz7Zt5SR30IYfo9secH2iBRC8zTt4epJM4Ug5/tu2Vr0cCtRBhbrrAbXnTnKwLY9UbD2TZw2q4CQVMe/tbyENKF67yIGqIGEyz8y698PITZx7Rx25/KWD5EI7fVB7HUZ1F+eTwuvyvyj0nwxzb8/RJMcp2ePxcxsf0WQPi77L0nFSEP8cbfJvjKqmKJj5XoAlBBTilSGivw41164KgBz0cCnEdIh4zsj5GEUbGYr2VVUOWa8cox5xVe3owY8l/fZXJ6ier9oYEFh70E0uastlFzIeZrKb9sROk58EqMzvMwMQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <A2E1D3E70B503D4F8F4A386BB999D854@eurprd07.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 31da0132-8bc9-4234-ad59-08d59567749b
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2018 11:23:11.2072 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB3296
X-MC-Unique: JHlq3HDnNWuESXHYVn1llQ-1
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/DaQnSQ37RGi4WMpdYDVRaU3Gkhk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 11:23:24 -0000
> On 27 Mar 2018, at 20:40, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > > On 27/03/2018 21:35, Fernando Gont wrote: >> On 03/26/2018 11:52 PM, Brian E Carpenter wrote: >>>>> >>>>>> 6. Temporary addresses are *not* disabled by default. >>>>> >>>>> Specifically, this text was removed: >>>>> >>>>>> Consequently, the use of temporary addresses SHOULD be disabled by >>>>>> default in order to minimize potential disruptions. >>>>> >>>>> My concern is that the disruptions ("some applications may not behave >>>>> robustly if temporary addresses are used") haven't gone away, and the >>>>> cause may be very hard for ordinary users to diagnose. In fact, I >>>>> think some of the cases of help desks advising users to switch off >>>>> IPv6 derive from recently shipped operating systems that enable >>>>> temporary addresses by default. I've disabled them on a couple of >>>>> Windows 10 laptops for this reason. >>>> >>>> Through what impact of using privacy addresses? What are the problematic applications? >>> >>> I don't know what the 4941 authors were thinking of. >> >> I guess they were referring to long-lived connections? > > Probably. What I'm complaining about is services that have some > sort of reputation system based on individual /128s. Temporary > addresses do create a behaviour pattern that doesn't exist for > IPv4 clients. > >>> The example >>> I've seen is mentioned below: a service that considers frequent >>> changes of IP address to be a sign of illicit activity. >> >> This is tricky already, anyway. With happy-eyeballs sort of behavior, >> this can already happen (one connection happens over v4, and a >> subsequent happens over v6). >> >> I do believe that, for all such cases, giving apps more control (and >> awareness!) regarding v6 addressing and what they can do about it is >> needed. But that would be out of cope for this particular document, I think. >> >> That said, we could add a comment about this issue in this document. >> Thoughts? > > Yes, an explanation of this side-effect issue would help. Also perhaps, > replace the old "off by default" text by a requirement that it must be > easy for the user to disable temporary addresses if they cause problems. > IMHO, netsh interface ipv6 set privacy state=disabled store=persistent > doesn't count as "easy" for a normal user. The current 6434-bis says "RFC 4941 SHOULD be supported. In some scenarios, such as dedicated servers in a data center, it provides limited or no benefit, or may complicate network management. Thus devices implementing this specification MUST provide a way for the end user to explicitly enable or disable the use of such temporary addresses." Is that the sort of wording you'd like? (https://tools.ietf.org/html/draft-ietf-6man-rfc6434-bis-08#page-15) > There are real scenarios where "on by default" can be a problem. > Here are some fragments of the real world: > http://kb.tableau.com/articles/Issue/identifying-and-disabling-temporary-ipv6-addresses This one seems largely about using (or not) privacy addresses for servers? > https://lonesysadmin.net/2018/01/23/disable-windows-ipv6-temporary-addresses/ This is a more pragmatic one, where today ACLs may allow a specific admin's workstation IP access somewhere. Maybe that's a case for RFC8273, with the ACL on the /64 prefix? Though if it is an administratively configured system, disabling RFC 4941 should be pretty easy. Or there are certificate-based solutions, etc. In general, I agree with Mikael's comment on TAPS, where I think Fernando already has a draft on this topic. Tim > Brian > >> >> >>> (Remember, my concern is only about the default configuration >>> and the resulting puzzlement of ordinary users and help desks.) >> >> Another part of the problem here is that you cannot hint the network >> about what to do. e.g., see draft-gont-6man-managing-slaac-policy >> >> Thanks! >> >> Cheers, >> >
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Lorenzo Colitti
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Lorenzo Colitti
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Michael Richardson
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Mikael Abrahamsson
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Michael Richardson
- IPv6 addressing APIs (Re: I-D Action: draft-fgont… Fernando Gont
- IPv6 addresing problem statement (was: Re: I-D Ac… Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: IPv6 addresing problem statement (was: Re: I-… Michael Richardson
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tom Herbert
- Re: IPv6 addresing problem statement Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tom Herbert
- Re: IPv6 addressing APIs (Re: I-D Action: draft-f… Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tom Herbert
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tom Herbert
- Re: IPv6 addresing problem statement Michael Richardson
- Re: IPv6 addresing problem statement Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: IPv6 addressing APIs (Re: I-D Action: draft-f… Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tom Herbert
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Fernando Gont
- Re: I-D Action: draft-fgont-6man-rfc4941bis-01.txt Tim Chown
- Re: IPv6 addressing APIs (Re: I-D Action: draft-f… Erik Kline