IETF Logo Mail Archive

Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)

james woodyatt <jhw@google.com> Thu, 16 November 2017 20:06 UTC

Return-Path: <jhw@google.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5796C1201FA for <ipv6@ietfa.amsl.com>; Thu, 16 Nov 2017 12:06:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8J4WKK2FsY4V for <ipv6@ietfa.amsl.com>; Thu, 16 Nov 2017 12:06:47 -0800 (PST)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F37801201F2 for <ipv6@ietf.org>; Thu, 16 Nov 2017 12:06:46 -0800 (PST)
Received: by mail-pg0-x22d.google.com with SMTP id u3so147877pgn.7 for <ipv6@ietf.org>; Thu, 16 Nov 2017 12:06:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ppQci6ArACTIr5ZTeIrQrkKTZRCovgbJ6DxIwHgqyn8=; b=O3syjpOdkVaqZStSYH5wbxcR3CKKxS9VPfxacxBYxNSi0F+obW6pRdMI2Q8r2RYJKe nmQW0CA/EUi7O+eW2anriKvWSM0cxPrMSw0H586bpPepLcPLzcA4Em8yYBeiOEKJmmAD Ve5RmI0KCldDzXxq21N7Ggz+Kkjrli4wlRsULbA/00Pyz+q9V++sisb447+S0fht8pGt lG0HMjxrAJ4kUZ+kqTX1bJUsFGB6gV0+G7klBkiAYzC61OzM0zubP3dNOdC6YZcmndu0 K1RVHa+IdrgVNv0XS02ZIhXEtc4QlDXmNSfFPfiSrbcx+PDLFdMr7pkHZ+AXHbqQccaU 7rAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ppQci6ArACTIr5ZTeIrQrkKTZRCovgbJ6DxIwHgqyn8=; b=XrXv40wdk5ItY4uZJZHHVf3/oStb3FD3cdg1W/Hu7FYsSVO5d1hAdr/HLmUg+Uv7F1 rXSaFOoT1alGUBnfE61drumo/L2xFUTQ0/3ucNTNgPQIudda/CZCtCfp5pn2vAHqZzT9 stILIxzozNeo9edM28PkWrnVeAn4KIcMRZAvbTbCiWRDvq3TAbrt+clV2h774Knfq9PH k1dCsYyTiVTr81/81pK+2dIs82cHgdqH+k/tyUOEJyC0S8byiUPmEmsWLrGl0Qi/rVdk UbX2VuhqKmFd7Zjb1wZy1M/I54QzD43/vWIAzYfO/psjr9jZ92cz6VJ0GuG5nCFtKjoJ Am8A==
X-Gm-Message-State: AJaThX7Gkg8AmoScLRrKuoeF+lyK8v6oQxHaHeGPB6Xs2x8NVdorfTvZ 9O9nt7yRew4O78LI2vB64Gw2EA==
X-Google-Smtp-Source: AGs4zMbcIrfNPhYeG3sxfL4vLSyZYqEoqIvEQWqeyJtNB1+SwHVuWM6MHo3sqoOQxFXna+MnNQi5Wg==
X-Received: by 10.84.224.131 with SMTP id s3mr2785690plj.39.1510862805122; Thu, 16 Nov 2017 12:06:45 -0800 (PST)
Received: from ?IPv6:2620::10e7:10:a5ca:6de1:c280:7c3f? ([2620:0:10e7:10:a5ca:6de1:c280:7c3f]) by smtp.gmail.com with ESMTPSA id b78sm4009064pfc.21.2017.11.16.12.06.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 Nov 2017 12:06:44 -0800 (PST)
From: james woodyatt <jhw@google.com>
Message-Id: <20724B57-F88D-4F19-9DF8-F492B733A03C@google.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A0CCE756-191B-426D-B481-FDD9AD1EB4E4"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
Date: Thu, 16 Nov 2017 12:06:43 -0800
In-Reply-To: <75C8CD33-AF67-4669-8548-EF318FC69BDE@jisc.ac.uk>
Cc: Ca By <cb.list6@gmail.com>, 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>, Ole Troan <otroan@employees.org>
To: Tim Chown <Tim.Chown@jisc.ac.uk>
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <183A8772-6FEF-43BD-97F9-DD4A2E21DB90@google.com> <5D9D33A8-88F0-4758-84FA-BCB364E8013F@employees.org> <16B61573-E233-40ED-8A22-CD145EBB8F98@google.com> <A89E7192-0FD4-4750-8745-147AFCC364DC@jisc.ac.uk> <CAD6AjGQcF=+FRFke1P0+vcmEEqWQ0NUsfprS6qBvfsG+3HMXhA@mail.gmail.com> <75C8CD33-AF67-4669-8548-EF318FC69BDE@jisc.ac.uk>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/LnAGtXu9Txt4J_ox5AbU3ph9OsA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2017 20:06:49 -0000

On Nov 16, 2017, at 07:26, Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> On 16 Nov 2017, at 12:42, Ca By <cb.list6@gmail.com> wrote:
>> 
>> I assumed PCP was designed with an eye firmly on future routed home networks where firewall holes need to be opened. […]

It was. In fact, that was the reason NAT-PMP evolved into PCP in the first place: because we needed to extend NAT-PMP to support punching holes in RFC 6092 firewalls.

>> The alternative is secure host and no firewall. There is no firewall at the ietf conference right now, right?  Are you secure ? Is there a malware outbreak?

That’s the alternative, but it’s not the dominant practice.

> Yet in practice pretty much every ISP deploying IPv6 to residential is doing so with RFC 6092, or stricter. Perhaps with a toggle to turn off firewalling, but that’s the reality.

Surveys I’ve seen show that most IPv6 residential networks outside of a few large providers in USA are using something like RFC 6092 with no prior user action. Home users either have no option to disable the firewall or they have no knowledge of it. Anybody planning to deploy IPv6 applications in residential networks (and I’m absolutely one of them) would be absolutely stupid to expect any way for passive listeners to receive inbound flows from arbitrary remote endpoints. Both REC-48 and REC-49 in RFC 6092 are widely ignored in the field. (Which is the outcome I warned against when I was writing it.)

> OTOH it seems that PCP support in hosts / CPEs isn't exactly widespread.

Is there support in FreeBSD, Linux or Windows? I don’t think so.

>> The fatal flaw in PCP (aside from the name) is that it assumes the host needs protection yet it gives the host the power to control the firewall.  Next gen malware will come via email (just like today), it will encrypt your hard drive, and then setup and c2 network on your pc via pcp controls.  Sad!
> 
> True, and that happens with UPnP today…

UPnP has the added festival of third-party option enabled by default. It’s truly a magical wonder.


--james woodyatt <jhw@google.com <mailto:jhw@google.com>>

v2.23.0 | Report a Bug | By Email