Re: problem statement [was Re: New Version Notification for draft-hinden-ipv4flag-00.txt]

David Farmer <farmer@umn.edu> Tue, 21 November 2017 13:43 UTC

To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man WG <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Mv3oCwy0Nc2pqnUBqYB4orrZtj0>

On Mon, Nov 20, 2017 at 7:42 PM, Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:

> Another response to multiple points:
>
...

> > 1. Security exposure; the inverse of the problems discussed in RFC7123,
> > basically malicious or accidental IPv4 service.
> > 2. Residual IPv4 traffic, especially broadcast traffic; DHCP solicits,
> > IPv4-LL, ARP, service discovery, etc...
>
> The proposal addresses only one thing: attempting to reduce
> futile IPv4 traffic. It neither creates nor blocks IPv4 traffic.
>

That might be, but this thread is about a problem statement, and
conceivably that could add to the draft. Anyway, we shouldn't ignore #1; I
think at least something should be said in the security considerations
section on the subject.  Also, since this uses RAs, the security
considerations section should probably say something about rogue RAs and
the options to protect against them.


> > In very high dentistry and therefore
> > typically congested WiFi environments...
>
> A new view of dentist's office networking ;-)
>

Serendipitous and amusing autocorrecto :)

....

> > if IPv4 appears you probably want to start
> > using it after a reasonable amount of time.
>
> Indeed. And under the proposal, any RA with flag==0 would be
> an instant trigger to wake up the IPv4 stack. (And no, that
> isn't a serious DOS risk, since it is no worse than what
> we have today.)
>

Should Router Preference [RFC4191] play in this equation?  Should an RA
with a Router Preference = High and this flag = 1 be overridden by a
different RA with Router Preference = Low and this flag = 0? I'm not sure I
have an answer, but this probably should be addressed in the draft either
way.

I bring this up as setting Router Preference to High is a common technique
to help protect against at least accidental RAs. Yes, malicious RAs can use
a Router Preference of High, but all rogue RAs I've seen in the wild had a
medium (default) Router Preference.

-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
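
The Router Preference question raised in this message, worked through as an added example (not part of the original message or of the draft): it compares the "any RA with flag==0 wakes IPv4" behaviour quoted in the thread with a hypothetical preference-aware policy, and lists the RAs a monitor would log as contradicting a higher-preference router. The names, the sample RAs and the preference-aware policy are assumptions; the IPv4 flag is passed as a separate field because its bit position is not given in this thread.

```python
from dataclasses import dataclass

# RFC 4191 Prf encoding (2-bit signed value): 01 High, 00 Medium, 11 Low.
# 10 is reserved and a receiver treats it as Medium.
PRF_RANK = {0b01: 1, 0b00: 0, 0b11: -1}

def router_preference(ra_flags: int) -> int:
    """Rank taken from the RA flags byte, laid out as M|O|H|Prf(2)|reserved(3)."""
    return PRF_RANK.get((ra_flags >> 3) & 0b11, 0)

@dataclass
class RA:
    router: str     # source address of the RA (constructed sample values below)
    ra_flags: int   # flags byte of the Router Advertisement header
    ipv4_flag: int  # the draft's flag as discussed in the thread: 0 wakes IPv4

def ipv4_enabled_any_zero(ras):
    """Behaviour quoted in the thread: any RA with flag == 0 wakes the IPv4 stack."""
    return any(ra.ipv4_flag == 0 for ra in ras)

def ipv4_enabled_by_preference(ras):
    """Hypothetical alternative: only RAs at the highest preference seen decide."""
    top = max((router_preference(ra.ra_flags) for ra in ras), default=0)
    return any(ra.ipv4_flag == 0 for ra in ras
               if router_preference(ra.ra_flags) == top)

def lower_preference_contradictions(ras):
    """Routers sending flag == 0 at a lower preference than a router sending
    flag == 1; candidates to log and check against the known router list."""
    suppressing = [router_preference(ra.ra_flags) for ra in ras if ra.ipv4_flag == 1]
    if not suppressing:
        return []
    top = max(suppressing)
    return [ra.router for ra in ras
            if ra.ipv4_flag == 0 and router_preference(ra.ra_flags) < top]

# Constructed sample: the managed router advertises High with flag = 1; two
# other RAs on the link carry flag = 0 at Low and at Medium (default) preference.
SAMPLE = [
    RA("fe80::1", 0x08, 1),   # Prf = 01 (High)
    RA("fe80::2", 0x18, 0),   # Prf = 11 (Low)
    RA("fe80::3", 0x00, 0),   # Prf = 00 (Medium)
]

if __name__ == "__main__":
    print("any flag==0 policy enables IPv4:", ipv4_enabled_any_zero(SAMPLE))
    print("preference-aware policy enables IPv4:", ipv4_enabled_by_preference(SAMPLE))
    print("RAs to investigate:", lower_preference_contradictions(SAMPLE))
```

As the message notes, a malicious RA can also set Router Preference to High, so the preference-aware policy only helps against accidental or default-preference RAs.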