IETF Logo Mail Archive

Re: RFC4941bis: consequences of many addresses for the network

otroan@employees.org Fri, 24 January 2020 10:52 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0AAD1200E6 for <ipv6@ietfa.amsl.com>; Fri, 24 Jan 2020 02:52:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UezbwaazpUGK for <ipv6@ietfa.amsl.com>; Fri, 24 Jan 2020 02:52:13 -0800 (PST)
Received: from clarinet.employees.org (clarinet.employees.org [IPv6:2607:7c80:54:3::74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F6D1200CC for <ipv6@ietf.org>; Fri, 24 Jan 2020 02:52:13 -0800 (PST)
Received: from astfgl.hanazo.no (unknown [IPv6:2a02:2121:2ca:6d01:b444:59e9:b35e:e67f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 7921F4E11A68; Fri, 24 Jan 2020 10:52:12 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id E10C829741FA; Fri, 24 Jan 2020 11:52:09 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Subject: Re: RFC4941bis: consequences of many addresses for the network
From: otroan@employees.org
In-Reply-To: <m1iuwJV-0000MAC@stereo.hq.phicoh.net>
Date: Fri, 24 Jan 2020 11:52:09 +0100
Cc: 6man WG <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B341FF1B-C559-4D54-B117-A58EB6A3C955@employees.org>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <e936078e-01f9-0254-a8d0-4095455154ac@si6networks.com> <D85412DF-4B03-4790-9E39-968D50ECF86B@employees.org> <m1iuwJV-0000MAC@stereo.hq.phicoh.net>
To: Philip Homburg <pch-ipv6-ietf-6@u-1.phicoh.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MaDzg_IzpNNNncPWej0bv4JTk7k>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 10:52:15 -0000

Hi Philip,

> The question of an address per transport connection is why would you do that?
> In many IPv4 installations, the NAT box has state per flow. So having an IPv6
> address per transport connection doesn't seem beyond what we can do.

On reason might be because the application uses the temporary address in a way that taints it.
E.g. the address is used in a connection where the user is identified through authentication.
That address is now tained from thew perspective of privacy, and should not be used for other connections.

Given that we are downgrading 4941 to proposed standard, it might also be worth evaluating the state of 4941 implementations.
Are applications clever enough to not reuse tainted addresses?
Are they incorrectly exposed by e.g. MP-TCP or ICE implementations?
Anyone with data on this?

> The question is what the benefits are. I don't see a lot of privacy benefits
> for lots of addresses.
> 
> Note that a single network port may still end up with losts of addresses:
> - users may use bridges to extend the network and connect more than one host
>  to a single port
> - users may run virtual machines (or containers) in bridged mode and end up
>  with multiple virtual hosts by behind a single port
> - having an IPv6 address per process on a host may have benefits in particular
>  if many processes would like to use the same port for some reason
> 
> Typically, even very small network switches support many thousand MAC
> addresses. I think that network devices should support similar numbers of
> IPv6 addresses per /64.

Sure, but when a host incurs a cost in the network, and the network has to have some policy in place to protect itself, there is going to be a limit.
I think we need some text in 4941 discussing this, and also give a recommendation for host behaviour. And perhaps also for network configuration.

Cheers,
Ole

v2.23.0 | Report a Bug | By Email