IETF Logo Mail Archive

Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

Tom Herbert <tom@herbertland.com> Wed, 07 June 2017 03:48 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12395129BDB for <ipv6@ietfa.amsl.com>; Tue, 6 Jun 2017 20:48:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MMvzPXjvKAu8 for <ipv6@ietfa.amsl.com>; Tue, 6 Jun 2017 20:48:45 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22ABD129BEF for <ipv6@ietf.org>; Tue, 6 Jun 2017 20:48:40 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id n195so2332521wmg.1 for <ipv6@ietf.org>; Tue, 06 Jun 2017 20:48:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BA/ZJt7m5uoO8jKQkLl3elwMyW88YfeIX7leJqcgFG4=; b=niZPCUJVIi0eN8Y+uwcRB6M6v9lr6TSkb82jlYYxDle8xgIqegW5fFc/yNwJYpAlat jwjsDjk9HrncKBm3XQha0+HF6W5wSPIBZ+19304SUgZ5djsoQnjX1IDRmhNRGLSuGnr6 VLTSAlyHSmZPnJsMu0+IvhdskeyAHnZEahCdlhpiYBa3YhiW9EWv3fGvu626GPN9LLgK 8Sas2VJKTBC8QpiLhlALbicgumGaKcRLpoUV6dNBPZRSaUhRDT5UdChN+JuitHJzM+Y2 /vVkKItpW3yNzBEoeoOIF8ASUTStV8CVYH/8MWzSp5qf4c7CaQhQOSxHKK358RYsi8tl Rb0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BA/ZJt7m5uoO8jKQkLl3elwMyW88YfeIX7leJqcgFG4=; b=fw7xk6fYIM7/CpxZAk37Lbd44o8AoH6ZA/6nDqr3xAJM+ESgVhPQG87/BR2MEMr89H bJ/zZqWG8g5phsK+aiIhqcAtyiyla+BE6ri5BV43BHroxe/cxGQhERSDnCiuIkNLJjb7 Y2XvXA49O3d4dHW2Cw6qNdmJP0dJ8n2FxVKAiH6YUDNeqr9iHHtORZusU5EDpCMS7nv+ 4N03iShIy0GaMXhLlTHBqAWWaDnW9/pFq5m3NiLOw1Hk6hgGp15rS2i1Jq15H9amMG1/ K8lF4DGGcW3FdHB0ourPrHR1BJf1Fju/IXQvoU/iju5WPCeXu7c/U25lGb5yFNioMPGg nQaA==
X-Gm-Message-State: AODbwcAX05nKfdSmJvAATKyJ2KwW5tfn/QJ1D7tGIUdx++nRdyPncrne UJwBfhdOfKdg5cqYuwIeNJ117/APgRLj
X-Received: by 10.28.54.204 with SMTP id y73mr483074wmh.53.1496807318653; Tue, 06 Jun 2017 20:48:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.132.135 with HTTP; Tue, 6 Jun 2017 20:48:38 -0700 (PDT)
In-Reply-To: <CACWOCC_7QpGexm8HBiEjjYdPjgkNwVCGiLg_yDNgK71BndA=Ew@mail.gmail.com>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <EB4E2A17-B77F-40B8-B565-B3BBC1E378B3@gmail.com> <CACWOCC_7QpGexm8HBiEjjYdPjgkNwVCGiLg_yDNgK71BndA=Ew@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 06 Jun 2017 20:48:38 -0700
Message-ID: <CALx6S373abVj-DPEL+ZHBZ2Mq1jx80mKMcjjS42Ou3sfwYAfzA@mail.gmail.com>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: Job Snijders <job@instituut.net>
Cc: Fred Baker <fredbaker.ietf@gmail.com>, Mark Smith <markzzzsmith@gmail.com>, Erik Kline <ek@google.com>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/QBiSEmuHRuMJYvJtLDph-NFmN6A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 03:48:49 -0000

On Tue, Jun 6, 2017 at 8:40 PM, Job Snijders <job@instituut.net> wrote:
> I don't think so.
>
Right. This security technique doesn't help any servers on the
Internet that have public DNS addresses or other situations where the
addresses can be discovered. In reality, hosts should never assume
that the network provides any security which is why we need to spend a
lot of effort hardening stacks to handle SYN and other types of
attacks. It's great if this makes attackers work harder, but I would
never count on for security from a host perspective.

Tom

> On Tue, 6 Jun 2017 at 20:37, Fred Baker <fredbaker.ietf@gmail.com> wrote:
>>
>>
>> On Jun 6, 2017, at 6:23 PM, Mark Smith <markzzzsmith@gmail.com> wrote:
>> >
>> > That doesn't mention that security and privacy properties of addresses
>> > will be compromised if the manually configured addresses are from a
>> > small prefix.
>>
>> Or advertised in DNS?
>>
>> I would expect that any address configured manually would also be
>> advertised in DNS, the latter being the reason for the former. If the
>> address is publicly announced, does one have a reasonable expectation of
>> privacy?
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email