IETF Logo Mail Archive

Re: Disabling temporary addresses by default?

Ted Lemon <mellon@fugue.com> Tue, 28 January 2020 15:40 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F08120843 for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 07:40:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LjK_K-OA3IW1 for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 07:40:41 -0800 (PST)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBB8212023E for <ipv6@ietf.org>; Tue, 28 Jan 2020 07:40:41 -0800 (PST)
Received: by mail-qv1-xf2d.google.com with SMTP id y2so2597167qvu.13 for <ipv6@ietf.org>; Tue, 28 Jan 2020 07:40:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=XHZL0qcrkk/Hzcs7HzV3pYPNXFGfs/lyjUl20IJm6XI=; b=elMLVbHlDF62vZ+RZtgeBc+8zU52TpDAx+3SjyvQicERUh2gS+sxYGezpVcOVJ4u99 VKBqbvIvTPYTjDi7KLTNjigcmI4AiKCxg6KI23miByYszqLJ3brkjwG5A4D/8A6n3pd5 R70NqszBWShGOxk9Uuk8ePZMHGK8DAtuk/Ot1pXrkll3NWVu+Gk7lwaArtPrU6iPKTVg snISxJZ8am1k/2IjEANIZYEj8sezrtK8EF3ANuuVKNz263/LAHTsCvhROi5dLvSH/LyJ Ahr9+Y4oOBGdyJOVoMkNaQdgfxMzNwugdDG0+y/ciJeFQaluyhzOggK2IyWbLpCmFSBm ySSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=XHZL0qcrkk/Hzcs7HzV3pYPNXFGfs/lyjUl20IJm6XI=; b=BtGafMsoKK+uJWuYr3iNeUdUqB3kQhs7DnWz2oIyXn2TCjvRL6vPFwMRhEZesmNrH+ 0IVy1If6S19bQnSC/HzYmUI5NQfZ4n/SQnsLWgwubn6SJPYyDLdQSaTG1n7xegRpPmSN VBXZeF9mx8juzGgic2TRCAbznDj5l5URXuEn/kq/nHiF76GHSjg+Z4rhp9ShZjFr5gz3 u8YU5dGjqsx6Ayj5RFg1DqYGZ9sDh+VKykCglCafB1p/Rr2V1YoCoXuzv+GrM/cEKX+R 0hbUbqFV5NfJVVHEg1g3zc9j3sjSXAYsH8Z5GyjIpHDMI0kgwtHWTDPi170xkkPswAUO PA8g==
X-Gm-Message-State: APjAAAWni4hfDgFUi1rvqqEEfwpOjnxsVGgQqmea2mYZgPTk6SkBh7Dn kz17IIxo+D2PyPoH2DMV1n0bOg==
X-Google-Smtp-Source: APXvYqxnZ3zOrD4qNlED2EhLgpdA9Nt3vqCfRKwzf6iHY4qr7x9o3kPXpTt9TQWnfx9FgynQeufQFg==
X-Received: by 2002:ad4:5144:: with SMTP id g4mr22794232qvq.179.1580226040874; Tue, 28 Jan 2020 07:40:40 -0800 (PST)
Received: from ?IPv6:2601:18b:300:36ee:28e6:2936:576c:ee40? ([2601:18b:300:36ee:28e6:2936:576c:ee40]) by smtp.gmail.com with ESMTPSA id z5sm12488648qts.64.2020.01.28.07.40.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Jan 2020 07:40:40 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <EA537B02-B26E-4735-8405-50967BE9081A@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_12976F7A-8536-4510-8A45-267D6207756E"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.13.2.1\))
Subject: Re: Disabling temporary addresses by default?
Date: Tue, 28 Jan 2020 10:40:37 -0500
In-Reply-To: <CAKD1Yr07NzHkYfdR3-=y28_mgvf+qTi0=-MF+q4eexuK-HubKg@mail.gmail.com>
Cc: Ole Troan <otroan@employees.org>, 6man WG <ipv6@ietf.org>
To: Lorenzo Colitti <lorenzo@google.com>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <AFEBAD7D-DF24-4924-8B9A-60DF22BA1953@consulintel.es> <c42affce-fbd3-23ec-c9ff-4f05cdf38630@si6networks.com> <41173152-A8E8-4241-9DE7-376AA7AFB813@consulintel.es> <c4166907-b6c9-a4ef-fd59-cf539bbe0405@si6networks.com> <43D76C96-C16B-4BEB-B9B8-C68D53BCE63F@fugue.com> <fb5b8377-892d-2777-ef9b-4f9ddefa6c93@si6networks.com> <CAKD1Yr034_tu7ZoJ1FCfDYhNSN6igm-ZQyR4u3U+UDMr=huGOw@mail.gmail.com> <1af0b06d-f9d7-5ea1-27f3-b417eb9148fa@si6networks.com> <7606A049-318D-4526-917D-F2A801BF7050@cisco.com> <CAKD1Yr1d9kORFdoOJr22J_UDJ9hLPr6AQLyWuh7=bAQKa+aXGw@mail.gmail.com> <MN2PR11MB356588FC3E8A6410B725D159D80A0@MN2PR11MB3565.namprd11.prod.outlook.com> <CAKD1Yr35meRGh_POo_2jrHA_oazO1xUOG5G_rx43xNLFYHQsMQ@mail.gmail.com> <MN2PR11MB356526F01CAE1CADEF8E4472D80A0@MN2PR11MB3565.namprd11.prod.outlook.com> <CAKD1Yr0-rmyzz3y1d+pCpA0+tGuhSdjojaJovXUzVuyx6UdeLA@mail.gmail.com> <98179a48-8d86-4673-6c82-fc0022988862@foobar.org> <F84FEFAF-1F78-47D4-B3E0-981DCFD0CB58@employees.org> <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <18823BB6-557F-4E05-A3D0-9E8495C49275@fugue.com> <CAKD1Yr07NzHkYfdR3-=y28_mgvf+qTi0=-MF+q4eexuK-HubKg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.13.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EjXat3X9tvxtVTE6xq2cmXGRLh0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 15:40:43 -0000

On Jan 28, 2020, at 10:31 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
> For outgoing connections, that's what we do in IPv4, and it has the same disadvantages. I'd say the most important are: a) it breaks protocols that encode the IP address in the stream and requires those protocols to implement NAT traversal, and b) it requires periodic keepalives to keep the mapping alive.

Hopefully we’re not doing (a) anymore, although I suppose maybe SIP still does.  So for protocols that do this, you don’t get privacy.   Since HTTP doesn’t do it, that takes care of 99.99% of the use cases an end user cares about.   O(0) end users use SIP or FTP.

As for (b), sure, but that’s not really such a big deal in modern times.   Just keep a fast working set and a slow swapped-out set; if something hasn’t been active in the past fifteen minutes, remove it from the working set to keep lookups fast, but if you get something targeted for an unknown address that looks sensible, as time permits look it up in the slow table.  If somebody DDoSes you, long-lived idle connections might suffer, but otherwise it works, and when you are being DDoSed, you can easily do lookups at whatever rate is appopriate, and drop traffic to unknown addresses in excess of that rate on the floor.

Of course, all of this assumes that router vendors get it right (Hi, UNH!).

v2.23.0 | Report a Bug | By Email