Re: rfc4941bis: temporary addresses as "outgoing-only"?

Fernando Gont <fgont@si6networks.com> Tue, 11 February 2020 05:14 UTC

Subject: Re: rfc4941bis: temporary addresses as "outgoing-only"?
To: Mark Smith <markzzzsmith@gmail.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6MAN <6man@ietf.org>
References: <3217323b-3d8b-bf75-b5b0-ffdd01ee1501@si6networks.com> <CAO42Z2xtvjo_RO7kNsFCi4=S0TJKRest-8fEkvnwbC3rBNAj0A@mail.gmail.com> <ac38ca41-a148-470a-d2ba-26649f77e2f8@gmail.com> <CAO42Z2xjOQV6yF8m203B33+dm5Ha1c126ukW=oRSUd2OSa0O6w@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <22e7b42c-34fc-27cc-284f-edcd6180a756@si6networks.com>
Date: Tue, 11 Feb 2020 02:14:18 -0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/I5Z5UYnFiTtTLGPj2uTd8X0h5Ts>

On 10/2/20 23:10, Mark Smith wrote:
> On Tue, 11 Feb 2020, 09:17 Brian E Carpenter, <brian.e.carpenter@gmail.com> wrote:
> 
> > On 11-Feb-20 09:46, Mark Smith wrote:
> > > On Tue, 11 Feb 2020, 03:13 Fernando Gont, <fgont@si6networks.com> wrote:
> > > 
> > > > Folks,
> > > > 
> > > > Since we are at it, I wonder if rfc4941bis should say anything about the
> > > > use of temporary addresses for incoming connections. (see
> > > > https://tools.ietf.org/html/draft-gont-6man-address-usage-recommendations-04#section-4.3).
> > > > (e.g., "an implementation MAY....")
> > > > 
> > > > Particularly for connection-oriented protocols, hosts that prevent
> > > > incoming connections on temporary addresses reduce exposure even when
> > > > their temporary addresses become "exposed" by outgoing sessions.
> > > > 
> > > > i.e., if the model is that temporary addresses are employed for outgoing
> > > > connections, unless a host uses temporary-only, there's no reason to
> > > > receive incoming connections on temporary addresses. (e.g., browsing the
> > > > web or sending email should not be an invitation for folks to e.g.
> > > > port-scan you).
> > > 
> > > This would prevent peer-to-peer connections between end-user devices, as it
> > > means devices become clients only, and they therefore cannot provide a
> > > temporary server/service.
> > 
> > If a node has a stable address as well as a temporary address, that
> > isn't the case.
> 
> True, however one of the goals of this update is to allow temporary
> address only nodes, removing the assumption that hosts with temporary
> addresses will also always have a stable address.

In that case,  one would expect that in temp-only scenarios, this policy 
would not be enforced.

That said, I guess that based on your other comments, it would be best, if 
anything, to leave this for future work.

In that sense, would it make sense for this to be called out in the 
"Future work" section?

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
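The "outgoing-only" policy discussed in this thread, with the temporary-only exception Fernando concedes above, written out as an added example that is not part of the thread or of rfc4941bis. It assumes a Linux host, where `ip -6 addr show` marks RFC 4941 addresses with the "temporary" flag; the `ip` output below is constructed for the illustration, and the function and variable names are the example's own.

```python
"""Added example (not from the 6man thread): RFC 4941 temporary addresses
treated as "outgoing-only" at accept() time on a listening socket.

Assumptions (chosen for this illustration):
  * Address flags come from the text output of `ip -6 addr show`; the Linux
    kernel marks RFC 4941 addresses with the "temporary" flag there.
  * Policy as stated in the thread: refuse an inbound connection whose local
    address is temporary, unless the host is "temporary-only" (no stable
    global address), in which case the restriction is not enforced.
"""
import ipaddress
import re
import socket
import subprocess
from typing import Dict, NamedTuple


class AddrInfo(NamedTuple):
    temporary: bool   # RFC 4941 temporary address?
    scope: str        # "global", "link", "host", ...


# Constructed sample of `ip -6 addr show` output (not captured from a real host).
SAMPLE_IP_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1c4a:9f3e:7b2d:e001/64 scope global temporary dynamic
       valid_lft 86373sec preferred_lft 14373sec
    inet6 2001:db8:1:2:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr
       valid_lft 86373sec preferred_lft 86373sec
    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link
       valid_lft forever preferred_lft forever
"""

_INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")


def parse_ip_addr(text: str) -> Dict[str, AddrInfo]:
    """Map each configured IPv6 address (canonical form) to its flags."""
    addrs: Dict[str, AddrInfo] = {}
    for line in text.splitlines():
        m = _INET6_RE.match(line)
        if not m:
            continue
        addr, scope, rest = m.groups()
        flags = rest.split()
        key = str(ipaddress.IPv6Address(addr))
        addrs[key] = AddrInfo(temporary="temporary" in flags, scope=scope)
    return addrs


def is_temporary_only(addrs: Dict[str, AddrInfo]) -> bool:
    """True when the host has no stable (non-temporary) global address."""
    return not any(i.scope == "global" and not i.temporary for i in addrs.values())


def accept_incoming(local_addr: str, addrs: Dict[str, AddrInfo]) -> bool:
    """Decide whether an inbound connection to local_addr may be served.

    Stable, link-local and loopback addresses are never restricted; a
    temporary address is only served when the host is temporary-only.
    """
    info = addrs.get(str(ipaddress.IPv6Address(local_addr)))
    if info is None or not info.temporary:
        return True
    return is_temporary_only(addrs)


def serve(port: int = 8080) -> None:
    """Listen on every address and drop connections that arrived on a temporary one.

    Closing after accept() only demonstrates the decision: by then the stack
    has already completed the handshake, so a port scanner still sees the
    port as open. A real deployment enforces this in the stack or a host
    firewall, before the SYN is answered.
    """
    out = subprocess.run(["ip", "-6", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    addrs = parse_ip_addr(out)
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("::", port))
        srv.listen()
        while True:
            conn, _peer = srv.accept()
            # getsockname() on the accepted socket gives the destination the
            # client used; strip any "%ifname" zone index from link-local ones.
            local = conn.getsockname()[0].split("%")[0]
            if not accept_incoming(local, addrs):
                conn.close()
                continue
            with conn:
                conn.sendall(b"hello\n")


if __name__ == "__main__":
    serve()
```

Run as a script it listens on port 8080; imported, `parse_ip_addr` and `accept_incoming` can be exercised on the constructed sample. Note that the address table is read once at start-up, whereas temporary addresses are regenerated periodically; a production implementation would subscribe to address changes (rtnetlink on Linux) rather than parse `ip` output, and would filter before the handshake rather than after `accept()`.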