IETF Logo Mail Archive

Re: Zillions of addresses [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]

Ray Hunter <v6ops@globis.net> Sat, 11 January 2014 14:25 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 187F51ADFBA for <ipv6@ietfa.amsl.com>; Sat, 11 Jan 2014 06:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XGFncpRjo66l for <ipv6@ietfa.amsl.com>; Sat, 11 Jan 2014 06:25:42 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 9E2EB1ADF87 for <ipv6@ietf.org>; Sat, 11 Jan 2014 06:25:41 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id DE8788714A2; Sat, 11 Jan 2014 15:25:30 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id diEJ7L685khe; Sat, 11 Jan 2014 15:25:30 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id C1285870089; Sat, 11 Jan 2014 15:25:30 +0100 (CET)
Message-ID: <52D15486.1030705@globis.net>
Date: Sat, 11 Jan 2014 15:26:14 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Zillions of addresses [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net> <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com> <52CECC76.1030706@globis.net> <CAKD1Yr3rvnDRPpkBEV4EVrrSAQYLutGg0qoweZkKv5em=4-dRw@mail.gmail.com> <52CFAB11.4070404@globis.net> <52D073CC.6070205@gmail.com>
In-Reply-To: <52D073CC.6070205@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2014 14:25:43 -0000

> Brian E Carpenter <mailto:brian.e.carpenter@gmail.com>
> 10 January 2014 23:27
>> But problems in their /48 with a rogue node assigning zillions of addresses and creating zillions of sessions should not spill over into the rest of the network managed by others.
>
> Who says that is a rogue node? It sounds like perfectly legitimate
> behaviour for a virtual machine environment that is designed to
> virtualise at layer 3. If you want those VM addresses to be
> unguessable for an off-path attacker, you might well spread them
> sparsely across a /64.
>
> Anyway -- I am not seeing much in this thread that suggests text changes
> in the -why64 draft (which is intended to be factual). I take Ray's
> original point that there *might* be other risks than ND exhaustion,
> and we'll add that to the next version.
>
> Regards
>     Brian
>
>
Agreed.

I would also like to reiterate a basic requirement from network and 
system operators, and propose the following text for -why64.


/
There is a desire by many network operators to
1) know and audit which nodes are active on a network (perhaps by 
carrying out exhaustive scanning of address space that is allowed to 
communicate off link)
2) be able to limit the total number of active addresses and sessions 
that can be sourced from a particular host, LAN or site, in order to 
prevent potential resource depletion attacks or other problems spreading 
beyond a certain scope of control.

One way of limiting the scan space, or limiting the number of possible 
source addresses and sessions from a LAN, is to increase the prefix 
length >> 64.
This may currently break many widely-deployed solutions, such as SLAAC.

There are alternatives, which present a different set of trade offs e.g. 
with respect to the right of privacy of the end user versus the rights 
of the operator to control and protect their network.
/


Whether you think the solution of extending prefix length >>64 is good 
or not is a separate debate.
IMHO Technically it should be possible. CIDR has NOT been deprecated.

I think imposing a hard limit of /64 is harmful, as it limits operators 
choice of operations model and protocols
e.g. flow-based WFQ becomes vulnerable to trivial attacks from a single 
node, whereas there's nothing fundamentally wrong with flow-based WFQ 
technology per se, or indeed other mechanisms that require tracking 
state to /128.
e..g exhaustive network scanning to check for vulnerable open ports on 
unpatched machines becomes impractical, whereas there's nothing 
fundamentally wrong with the concept in an enterprise environment.

Lorenzo and I clearly disagree on this point, but I see no value in 
continuing the debate on list wrt this draft.
it took long enough to get to the current status on allowing use of /127 
instead of /64 for point to point links (3627, 6164, 6547)

-- 
Regards,
RayH

v2.23.0 | Report a Bug | By Email