Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Ray Hunter <v6ops@globis.net> Fri, 10 January 2014 08:11 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD6431ADF34 for <ipv6@ietfa.amsl.com>; Fri, 10 Jan 2014 00:11:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id leYbX9L0arVI for <ipv6@ietfa.amsl.com>; Fri, 10 Jan 2014 00:11:09 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id D0DE91ADF28 for <ipv6@ietf.org>; Fri, 10 Jan 2014 00:11:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 74B7D8714A2; Fri, 10 Jan 2014 09:10:58 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSNRRJKbwCdD; Fri, 10 Jan 2014 09:10:58 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 4F810870089; Fri, 10 Jan 2014 09:10:58 +0100 (CET)
Message-ID: <52CFAB11.4070404@globis.net>
Date: Fri, 10 Jan 2014 09:10:57 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net> <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com> <52CECC76.1030706@globis.net> <CAKD1Yr3rvnDRPpkBEV4EVrrSAQYLutGg0qoweZkKv5em=4-dRw@mail.gmail.com>
In-Reply-To: <CAKD1Yr3rvnDRPpkBEV4EVrrSAQYLutGg0qoweZkKv5em=4-dRw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 08:11:11 -0000
> Lorenzo Colitti <mailto:lorenzo@google.com> > 10 January 2014 06:01 > > > Ideally, that ability to control/register active /128's should not > rely on cooperation of L2 switches or other LAN functionality that > requires purchasing new switches, or constant MIB scanning. > > I think that's a valid problem statement, and assigning >>/64 > (purposefully breaking SLAAC, whilst deploying stateful DHCPv6, or > static addressing) is one way to address that problem. > > > In your network you are free to assign addresses exclusively using DHCPv6. > > *However* - if you are doing this for the purpose of tracking, that > only makes any sense at all if the current switches you have (since > you've already said you're not going to buy new ones) can snoop DHCPv6 > requests for address assignments enforce IPv6-to-MAC address mappings. > > Do they? > You are apparently imposing a model which assumes a single management vendor is responsible right up until the edge of the network at port level. That is rarely true in any enterprise I've worked on. They are not my customer's switches. They don't manage them at all. They subcontract that to multiple parties. In the case of multiple management providers, people need to protect their own services from the failings of others. If a site is under autonomous management (e.g. trusted 3rd party) then they may be assigned a /48 in your model. OK they're responsible for their own /48 and they can suffer the consequences of poor management of devices in their site. But problems in their /48 with a rogue node assigning zillions of addresses and creating zillions of sessions should not spill over into the rest of the network managed by others. WFQ QoS (and many other processes which requires tracking of individual sessions or IP addresses) running in another vendor's network should not fail because of a single node in a single 3rd party network swamps an address/session table. I think that people need some way of limiting the number of active /128's at the network-network interface. It would be even better if we could either register or control to the /128 and identify those to a host or user. One way of doing that is to agree with trusted 3rd party sites (which generally only have a tiny number of hosts allowed to communicate across the boundary) to only assign an agreed /120 out of their /48 allocation, which requires prefix lengths >>64 (this ID) or at least the ability to apply ACL filters >> /64. Another way is source address validation at the edge, with limits assigned on a first come first served basis. Another is to ban all processes that need to track an individual IPv6 address. Another is to contract that the site themselves are responsible for limiting resource depletion attacks, but I'd still want some protection on the receiving side. I'd rather be tracking the 100K nodes that I know should be on the network out of a potential 24*2^16 addresses, rather than trying to stop a 100 zillion anonymous nodes who I can't even identify so that the 100K can work. DHCP has been successfully implemented in multi-vendor environments. The local LAN manager/outsourcer only has to configure up the LAN interface either the correct IP address and subnet mask, and point a DHCP proxy at a regional server (managed by someone else) They can make changes within a site autonomously without bothering the central team, and it all just works. DHCPv6 potentially can provide a form of centralised registration (and then be linked to admission control, or at least give cooperating end nodes a higher QoS than unidentified end nodes) and support a similar operations model. You could also allocate a /64, configure a DHCPv6 address pool to assign addresses from a range >>64 and apply and ACL, or assign and allocate >>64 prefix length (which seems easier). Because if they don't, disabling SLAAC gives you no security at all, because malicious hosts on your network will still be free to create and use arbitrary IPv6 addresses, which you will not be able to track. In fact, this gives you the same level of security as you could by disabling privacy addresses and using autoconf - malicious hosts can still do what they want, and for well-behaved hosts, instead of having the MAC address in the IPv6 address, you now have to go and get it from the DHCPv6 server logs. Lose/lose. That is also a problem. The assumption seems to be that there has been of smart nodes and a dumb network that does not run any processes requiring differential services or that tracking of individual end hosts is universally bad. But I thought we'd established that we're not exclusively talking about forcing use of particular addresses for all machines, rather establishing which nodes are genuinely active, and attempting to establish centrally what machine they are being used by. > > Or - as Tim points out, SNMP scraping will do this securely for you > today, and vendors are already building better and more scalable > address registration notification features (syslog, etc.) into switches. Not everyone allows SNMP access from other management vendors in a multi vendor environment. Not everyone feeds syslog to other management vendors. Again, you are imposing an alien operations model. It imposes polling, It imposes inter-vendor cooperation and access to all remote devices via a management protocol. Every time a switch on any one of 1000 sites changes, you're going to have to update your central poller. A central registration model avoids that overhead. > And if you're not doing this for the purpose of tracking, then why are > you doing it? Is it just because it's what you do in IPv4? If so, then > sorry, that's not a valid technical argument. At the risk of repeeating myself: helpdesk call correlation, problem correlation, log correlation, ability to track to /128 (for future filtering or tracking or resource protection of processes and devices within the network that rely on databases or caches keyed by IP address) In IPv4, this protection happens automatically due to address scarcity, without doing anything else. IPv6 /64 breaks address scarcity. -- Regards, RayH
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith