IETF Logo Mail Archive

Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text

Mark Andrews <marka@isc.org> Thu, 08 June 2017 02:13 UTC

Return-Path: <marka@isc.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE6D31314D2 for <ipv6@ietfa.amsl.com>; Wed, 7 Jun 2017 19:13:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTB6WWOxjjC9 for <ipv6@ietfa.amsl.com>; Wed, 7 Jun 2017 19:13:55 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 127B61314D0 for <ipv6@ietf.org>; Wed, 7 Jun 2017 19:13:55 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 0F2A63493A2; Thu, 8 Jun 2017 02:13:52 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id EB38E160050; Thu, 8 Jun 2017 02:13:51 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D4BF6160055; Thu, 8 Jun 2017 02:13:51 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wYq-ofs2GAqj; Thu, 8 Jun 2017 02:13:51 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 88C44160050; Thu, 8 Jun 2017 02:13:51 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id B3C0C7B5522C; Thu, 8 Jun 2017 12:13:49 +1000 (AEST)
To: sthaug@nethelp.no
Cc: ek@google.com, job@instituut.net, ipv6@ietf.org
From: Mark Andrews <marka@isc.org>
References: <EB4E2A17-B77F-40B8-B565-B3BBC1E378B3@gmail.com> <20170607.075131.74727436.sthaug@nethelp.no> <CAAedzxqWqShdneSBVTEN=5b+KsyQdCroOoyviH9AOJKV262xyg@mail.gmail.com> <20170607.142936.74725051.sthaug@nethelp.no>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text
In-reply-to: Your message of "Wed, 07 Jun 2017 14:29:36 +0200." <20170607.142936.74725051.sthaug@nethelp.no>
Date: Thu, 08 Jun 2017 12:13:49 +1000
Message-Id: <20170608021349.B3C0C7B5522C@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MrgvQ1B7eYztlPvocvnAtB0Hrrg>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2017 02:13:57 -0000

In message <20170607.142936.74725051.sthaug@nethelp.no>, sthaug@nethelp.no writ
es:
> > > That's precisely the point. I configure fixed addresses typically for
> > > servers, and I put the addresses in the DNS. I *want* those addresses
> > > to be publically known. Security and privacy is not relevant in this
> > > particular case.
> > 
> > For an authoritative server, sure.
> > 
> > But if you're a recursive resolver then using privacy addresses while doing
> > recursion (and changing the privacy addresses frequently) might indeed be
> > very useful.  (In fact: a unique source address per query is wonderful.)
> 
> Different strokes for different folks. I'm fine with fixed addresses
> for the query sources of my recursive resolvers, and have no plans to
> change this. I have no problems with others using a unique source
> address per query.

And it really don't add much in terms of privacy as the /64 would
be the same.  Nor is it needed to combat spoofing of responses.  We
have DNS COOKIES for that.  We are looking at removing port
randomisation when talking with servers that support DNS COOKIES.
Send a query with a cookie then if we don't get a cookie response
resend using a random port.

> Steinar Haug, AS2116
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email