Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Ray Hunter <v6ops@globis.net> Thu, 09 January 2014 16:21 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21C031AE432 for <ipv6@ietfa.amsl.com>; Thu, 9 Jan 2014 08:21:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4cRJqH5EBBoW for <ipv6@ietfa.amsl.com>; Thu, 9 Jan 2014 08:21:22 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 85D6C1ADF55 for <ipv6@ietf.org>; Thu, 9 Jan 2014 08:21:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id DBC878714A4; Thu, 9 Jan 2014 17:21:11 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ph6diUuCyIxk; Thu, 9 Jan 2014 17:21:11 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id B3EC48714A3; Thu, 9 Jan 2014 17:21:11 +0100 (CET)
Message-ID: <52CECC76.1030706@globis.net>
Date: Thu, 09 Jan 2014 17:21:10 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net> <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com>
In-Reply-To: <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 16:21:24 -0000
> Lorenzo Colitti <mailto:lorenzo@google.com> > 9 January 2014 03:27 > > It may not be a widely held belief, but I remain concerned about > the potential for resource exhaustion for any number of processes > due to the "massive over sizing" of prefixes to /64: any number of > untested processes that track state based on /128 IPv6 address > could be attacked. The flip side of expanding privacy through > address obfuscation at IID level is that the source space > available for attacks also increases. ND cache exhaustion is > probably just the first issue we've discovered of many that exist. > This may have knock on operational consequences, which in the IPv4 > world have relied on the scarcity of IPv4 address space to be able > to operate correctly under stress scenarios. We're going to > discover who has been swimming naked when the tide goes out. Call > that FUD, or operational expediency, whichever you like. BCP38 has > saved me on a number of occasions when all else has failed. > > > It's true that some implementations may have made incorrect > assumptions about IPv6 attacks based on their IPv4 knowledge. But on > the other hand, a /64 provides plentiful space, freedom from > renumbering, and operational simplicity because "you will always have > enough subnet space" and "you can pick your own IID because a /64 > provides enough space for everyone". > > I don't think it's a good trade-off to give up those advantages just > because of some implementations may temporarily have made insecure > choices. By the same token, we didn't design IPv4 to be partitioned > into security zones, even though I'm sure that when IPv4 rolled > around, people were shocked - and I'm sure some got burnt - by the > fact that enabling IPv4 on a machine suddenly meant that the machine > was suddenly accessible from anywhere in the world. I think it's much > better to start with a flexible, full-featured, simple architecture > and them secure it. > > It's not that securing it is hard to do: in first instance, make the > abuse systems just track /64s instead of tracking /128s, and problem > solved. Of course, you still have the problem that there are too many > /64s to keep track of, but there's no way around that except to stick > with IPv4, or make a new protocol that has more address space than > IPv4 but less address space than IPv6... but why would you want that? > > I know that smaller subnets are consistent with IPv4. But "different > from IPv4" doesn't mean "worse than IPv4". In many cases, it means > "better than IPv4". > > ------------------------------------------------------------------------ Most organisations I know have way less than 100K hosts globally, and typically 10's or 100s of hosts per LAN. We seem to agree that people can't track at /64 because 2^64 is too big to track. Why then would we suggest that people track at /64 level when you already admit there's equally too many /64's to track (also 2^64)? The point is that people *could* trivially track and filter at /128 within an enterprise *if* we give network infra people the ability to control/register which /128(s) the end host uses. Ideally, that ability to control/register active /128's should not rely on cooperation of L2 switches or other LAN functionality that requires purchasing new switches, or constant MIB scanning. I think that's a valid problem statement, and assigning >>/64 (purposefully breaking SLAAC, whilst deploying stateful DHCPv6, or static addressing) is one way to address that problem. Is there anything better? -- Regards, RayH
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith