IETF Logo Mail Archive

Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05

David Farmer <farmer@umn.edu> Tue, 07 May 2019 18:49 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3032F120298 for <ipv6@ietfa.amsl.com>; Tue, 7 May 2019 11:49:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqbRO3F-dj15 for <ipv6@ietfa.amsl.com>; Tue, 7 May 2019 11:49:18 -0700 (PDT)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF1CD120287 for <ipv6@ietf.org>; Tue, 7 May 2019 11:49:17 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 45273744 for <ipv6@ietf.org>; Tue, 7 May 2019 18:49:16 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fI9OvsitQali for <ipv6@ietf.org>; Tue, 7 May 2019 13:49:16 -0500 (CDT)
Received: from mail-vs1-f69.google.com (mail-vs1-f69.google.com [209.85.217.69]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id EFFCAB0C for <ipv6@ietf.org>; Tue, 7 May 2019 13:49:15 -0500 (CDT)
Received: by mail-vs1-f69.google.com with SMTP id l6so3399765vsl.7 for <ipv6@ietf.org>; Tue, 07 May 2019 11:49:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GkzjFHbEDTKxq7G5N8sOJwlTGn+Iww/DrWWLTYFRNHw=; b=M/RiMPWGuAVFIdKZd1yBBozA4cT8zpYS9SWg0319IxvLMolz4OB2ljO5+pex0H0y03 vpS+ozFMQFMqpF46q635J+EOV0woYeLBKaceSfIrRl7NuvsSxSWoZlyyTb6z9hqfGPcK fPZU2NBrhJ05u5iItZKD1sKy+Z3IuLyo5QERLlsXWjLzvy6f9OKImySjEC7BP4TO5+0v ajqIutmvsTGWDcXVgMZyaRuZioOTRDxfd73FNqvk8Q2xTgOGImoQJ6xzQnxaOUdcRyLQ tBPTQwUVQ14MYKAKnj6d6T4cvbeN3UTcZfC9hfcQLPpzfFKJ1lz34iUAw5bOxWOxqoHp XJZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GkzjFHbEDTKxq7G5N8sOJwlTGn+Iww/DrWWLTYFRNHw=; b=nMr15GBEXzRaMibFoQzBX0k2HxCDtbmJ/lt6z3iTEYnhKi810sQpVXhGYyAU09Ix9L kgIPBjSdn+6EZjFJmNym/Deau9l+oWdhDS3JoBsUF4TnsfFCRE6AyvLqok+dNaLDafjO iwRwNqJHgLtXsZg4UCuojVTKygZEA1gljV78m0oSH+4ii8LQLrxa7TTlp/mC02YJPz6p Pb59dWSL8Y+imxd3eZ8st7wpRIc9cYeeSPmXzS91fyJAmfPsFdjAtvmERVoDcrqoJ1B1 sGbMObGIgZLJSm3JAZJ3ByYoYgCiewQEhPQPIOM2ynifs8FW9s7y6vmt9TxnoF4VJlBd fdBA==
X-Gm-Message-State: APjAAAXwof+Yr1k1FqaWTmcUlKcTCnKSxd3qMO7zbyr0TXhXRznS1ZNb TxO6ZqrAmg5cR4sPYiDHdwTM3nPXgMciKUdUa7yskqjHihYLBMgYEMGOcJtwTcyRzgXrRJFgg77 FNjh3i4S/VbBWJDqPIPHOqfak
X-Received: by 2002:a67:ab4a:: with SMTP id k10mr18619996vsh.176.1557254954677; Tue, 07 May 2019 11:49:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxN2nNIkOqmSy8q/ZQBNLgnFAaHSZEzg0DlEyBxqMnTwAGbpGNjBGaV0M0ZgCzes47BhCFQ+UNIthKfpkL4LtU=
X-Received: by 2002:a67:ab4a:: with SMTP id k10mr18619967vsh.176.1557254954190; Tue, 07 May 2019 11:49:14 -0700 (PDT)
MIME-Version: 1.0
References: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org> <a2465e81-a17f-ab48-efda-20fe12a70077@foobar.org> <30239E0C-C444-4A7E-8342-AEE47BF8A2BB@employees.org> <20190505200449.GB7546@vurt.meerval.net> <80073906-c3c0-1f22-9e7f-c2b349063936@gmail.com> <CAO42Z2xzVW3m0mN7jEn8SYyYCYhrufVnkfp3rBjJcijBkvucNQ@mail.gmail.com> <CACWOCC-35yVYXSRR0sRL-MBMHyOFZtJx9E9h14G8qqVh5T7qGA@mail.gmail.com> <232c1a43-0fd9-4eae-737b-260a3906f72a@gmail.com> <51F2BD2A-A590-4AF1-B8C1-FE62C9416340@steffann.nl> <8C63324F-FEF6-40BD-B918-B413CDEF9186@gmail.com> <BC988F7C-B262-4FF3-929A-02E6BCCE2266@steffann.nl> <BC23F51B-4135-47C6-B22F-8AE5CD8CB6F6@lists.zabbadoz.net> <m1hO4j3-0000IYC@stereo.hq.phicoh.net>
In-Reply-To: <m1hO4j3-0000IYC@stereo.hq.phicoh.net>
From: David Farmer <farmer@umn.edu>
Date: Tue, 07 May 2019 13:48:57 -0500
Message-ID: <CAN-Dau2Om4iDt0PvuLpPyttgJcTKLmdYFeWMa8EEW5Mi_3EPRA@mail.gmail.com>
Subject: Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05
To: Philip Homburg <pch-ipv6-ietf-6@u-1.phicoh.com>
Cc: 6man WG <ipv6@ietf.org>, "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Content-Type: multipart/alternative; boundary="0000000000005ed46f058850ac40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ESHh7wqtB5EWtVPs06LkBX4YjfQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 18:49:28 -0000

On Tue, May 7, 2019 at 1:22 PM Philip Homburg <
pch-ipv6-ietf-6@u-1.phicoh.com> wrote:

> > Given as of the last draft there is an option to disable processing
> > despite implementing, OS vendors can implement the draft and do
> > what they think suits their users.   Even more so they might leave
> > the default to off for now as an advanced option to turn on and
> > with a major OS update, once the world has moved on, flip the switch
> > in the future.
>
> This draft has two perspectives:
> - a network perspective (hosts trying to configure IPv4 waste bandwidth)
> - a host perspective (trying to use IPv4 may impact battery lifetime)
>

While I support this draft, I very much support a broader look at the
problems and solutions in a world where IPv4 isn't the dominant Internet
Protocol, IPv6-Only is one manifestation of this world, but I'm quite sure
there are others. I'm thinking something similar to RFC6104 but for the
world where IPv4 isn't the dominant Internet Protocol anymore.


> If this draft was part of a complete discussion on what to do with IPv4
> and it became clear that this flag was required, then I would have no
> problem supporting the draft.
>
> But nobody is doing any work on what IPv4 should look like in the future.
> This draft is just a small hammer looking for a nail.
>
> Without a clear idea of where we want to take IPv4 we can see some things
> happening:
> - To start with the host perspective. It is very like that many network
> will
>   not set this flag. Simply because there is no operator to decide if this
>   flag can be set or not. So hosts will implement counter measures to save
>   battery life even if the flag is not set.
>
>   Then because of security risks, it makes sense for hosts to either not
>   implement it of leave it off by default.
>
>   Because there is no analysis from an IPv4 perspective, we don't actually
>   know if this draft is needed and how much effect it will have. There is
>   justs some hints from hosts that are not optimized to live without IPv4.
>
> - for a network, if many hosts do not implement this flag, then the
> network
>   somehow has to cope. If the vast majority of the hosts do not implement
>   this draft then implementing this flag in a router is mostly an accident
>   waiting to happen. Something that hardly any network engineer in the
>   field can quickly diagnose. So it makes sense for routers to not
> implement
>   this draft. Which may reinforce host behavior to not rely on this flag.
>
> - Finally, there is an existing code point in DHCPv4 to turn of IPv4 link
>   local configuration. Which is safe to implement for hosts and not hard
>   to provide for router vendors.
>
> So we have a draft that clearly makes security worse. That has operational
> risks if widely implemented. And at same time anybody sane will not
> implement the draft. So it probably live on as a useles flag that people
> will
> remember to filter on their networks.
>

I will grant you that this draft doesn't improve security, but then by my
assessment, it doesn't make things fundamentally any worse either. An
IPv4-only network, without accounting for IPv6 vulnerabilities, is
susceptible to all sort of IPv6 based attacks the most IT or security staff
will be incapable of diagnosing.


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email