IETF Logo Mail Archive

Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]

Emmanuel Thierry <ml@sekil.fr> Wed, 15 January 2014 16:40 UTC

Return-Path: <ml@sekil.fr>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD1301AE10F for <ipv6@ietfa.amsl.com>; Wed, 15 Jan 2014 08:40:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dikfJSqdet2p for <ipv6@ietfa.amsl.com>; Wed, 15 Jan 2014 08:40:16 -0800 (PST)
Received: from host1.ip6-networks.net (host1.ip6-networks.net [95.130.10.56]) by ietfa.amsl.com (Postfix) with ESMTP id B8B411AE0EE for <ipv6@ietf.org>; Wed, 15 Jan 2014 08:40:15 -0800 (PST)
Received: from [IPv6:2001:660:7301:3728:226:b0ff:fefa:237d] (unknown [IPv6:2001:660:7301:3728:226:b0ff:fefa:237d]) by host1.ip6-networks.net (Postfix) with ESMTPSA id 7ACF660A33; Wed, 15 Jan 2014 17:40:01 +0100 (CET)
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="iso-8859-1"
From: Emmanuel Thierry <ml@sekil.fr>
In-Reply-To: <52D6AEA9.5070002@gmail.com>
Date: Wed, 15 Jan 2014 17:40:00 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <08A20B1D-7418-4343-AAE0-AF2535259CE4@sekil.fr>
References: <52C9D788.8060606@gmail.com> <F0C49F28-42D5-49CD-AF4E-DFE65CF8B911@sekil.fr> <52CFB51E.60501@gmail.com> <CBDF0DD5-D5EF-41D1-AF7A-B7552105D9D0@sekil.fr> <52D6AEA9.5070002@gmail.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
X-Mailer: Apple Mail (2.1085)
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2014 16:40:19 -0000

Hello,

Le 15 janv. 2014 à 16:52, Alexandru Petrescu a écrit :

> Hello,
> 
> Just out of curiosity... below...
> 
> Le 10/01/2014 11:57, Emmanuel Thierry a écrit :
>> Hello,
>> 
>> Thanks for your answer.
>> 
>> Le 10 janv. 2014 à 09:53, Alexandru Petrescu a écrit :
>> 
>>> Hello,
>>> 
>>> Thanks for the post.
>>> 
>>> I could understand the need to spam block an entire /64 instead (a
>>> single line in a configuration file) rathern than 2^64 lines each
>>> telling an address in that file.
>>> 
>>> Yes, this is relevant when writing other firewalling rules as
>>> well.
>>> 
>>> In this sense it is good to have an 'overall' number - like a /64
>>> - to designate one particular link and subnet.
>>> 
>>> And one may like to use other such overall numbers such as a /65
>>> or a /63 to designate these links.
>>> 
>>> And yes, the privacy extensions RFC4941 makes that attacker may
>>> use that overall number /64 to generate addresses, and defender
>>> may need to use same number /64 to comfortably protect against it.
>>> A smarter attacker would use a /63 and a smarter defender too.
>> 
>> Definitely. However, as an attacker, having a smaller prefix than a
>> IPv6 /64 to exploit for your attack could correspond in IPv4 to use
>> a smaller prefix than /32. I mean that as a defender, i would use
>> against an attacker who smartly uses its /63 or smaller, the same
>> techniques than an attacker who have access to an IPv4 /31 or
>> smaller: blacklist sequentially all IPv6 /64 that this attacker is
>> using. So anyway, a /64 boundary would at least help to leverage the
>> problem.
>> 
>> This could also be a good hint to network operators or hosters. Some
>> virtual machine providers (for instance) divide their /64 into
>> smaller prefixes (i saw /96),
> 
> When a virtual machine uses a /96 instead of a /64, is that prefix
> present in an RA?

About the hoster i think about, i didn't subscribe to their service (i let you guess why ! ;)).
However, their docs mention two major points:
* How to calculate the IPv6:  2001:db8:1:XXX:XXX:XXX:XXX:YYYY/96 where XXX:XXX:XXX:XXX is the IPv4 address (!!!) and YYYY is a number between 0000 and FFFF
* How to configure the IPv6: (...) in /etc/sysconfig/network add "IPV6_AUTOCONF=no" (...)

So there is likely no RA on their network. It is quite common on hosters networks. In France, i only knows OVH (IIRC) who sends Router Advertisements on its network. In most of cases, server configuration is performed by static manual configuration.

Best regards
Emmanuel Thierry



> And, is there some address auto-configuration involved?  (wondering
> about how is the Interface ID formed, because with Ethernet it must be
> 64bit long).
> 
> (for example, in some non-Ethernet links - like IP/USB, or some
> IP/cellular - there are some particular non-documented mechanisms to
> form Interface IDs; but these are still 64bit length, never 22bit)
> 
> Alex
> 
> 
> which may imply that a bad behavior
>> from one of their clients might influence other servers. I think
>> there should be a clear mention of the consequences it may have.
>> Such a mention may help to promote best practices (TODO: define best
>> practices).
>> 
>> Best regards Emmanuel Thierry
>> 
>> 
>>> 
>>> Le 09/01/2014 18:51, Emmanuel Thierry a écrit :
>>>> Hello,
>>>> 
>>>> (first message on these lists, hope it is accurate)
>>>> 
>>>> I'm generally thinking that the /64 limit helps to structure the
>>>> address space from the receiver point of view. Let's say i'm
>>>> running a mail server which tries to reduce spam by temporarily
>>>> blacklisting some senders. if i'm facing spammers who use their
>>>> IPv6 address space in a smart way, they will just have to
>>>> generate RFC 4941 addresses to exhaust a firewall memory. The
>>>> pragmatic way to face such attacks is to blacklist the whole
>>>> /64, never a unique /128.
>>>> 
>>>> I don't know if it is to be considered as a best practice, but
>>>> for these reasons, as a receiver, i personally consider a /64 to
>>>> be assigned to a unique link, or at least a network managed by a
>>>> unique network administrator. Enforcing this limit in protocol
>>>> standards strengthen this assumption. This might be an
>>>> additional argument for the "please keep /64 for unique links".
>>>> 
>>>> As a consequence, subdivide a /64 into several prefixes in order
>>>> to assign it on several networks might create a risk for devices
>>>> on one network to be blacklisted by actions performed by some
>>>> devices on another network, in case the whole /64 have been
>>>> blacklist by a "pragmatic" receiver.
>>>> 
>>>> Best regards Emmanuel Thierry
>>>> 
>>>> Le 5 janv. 2014 à 23:07, Brian E Carpenter a écrit :
>>>> 
>>>>> Hi,
>>>>> 
>>>>> A group of us put this together following a discussion some
>>>>> weeks ago on the v6ops list about the 64-bit boundary in IPv6
>>>>> addresses. Discussion belongs in 6man, please.
>>>>> 
>>>>> This draft is incomplete but we'd welcome input. Let me
>>>>> underline an important comment in the introduction:
>>>>> 
>>>>> _The purpose of this document is to analyse the issues around
>>>>> this question.  We make no proposal for change, but we do
>>>>> analyse the possible effects of a change._
>>>>> 
>>>>> 
>>>>> Brian + co-authors
>>>>> 
>>>>> -------- Original Message -------- Subject: I-D Action:
>>>>> draft-carpenter-6man-why64-00.txt Date: Sun, 05 Jan 2014
>>>>> 13:59:17 -0800 From: internet-drafts@ietf.org Reply-To:
>>>>> internet-drafts@ietf.org To: i-d-announce@ietf.org
>>>>> 
>>>>> 
>>>>> A New Internet-Draft is available from the on-line
>>>>> Internet-Drafts directories.
>>>>> 
>>>>> 
>>>>> Title           : Analysis of the 64-bit Boundary in IPv6
>>>>> Addressing Authors         : Brian Carpenter Tim Chown Fernando
>>>>> Gont Sheng Jiang Alexandru Petrescu Andrew Yourtchenko Filename
>>>>> : draft-carpenter-6man-why64-00.txt Pages           : 14 Date :
>>>>> 2014-01-05
>>>>> 
>>>>> Abstract: The IPv6 unicast addressing format includes a
>>>>> separation between the prefix used to route packets to a
>>>>> subnet and the interface identifier used to specify a given
>>>>> interface connected to that subnet. Historically the interface
>>>>> identifier has been defined as 64 bits long, leaving 64 bits
>>>>> for the prefix.  This document discusses the reasons for this
>>>>> fixed boundary and the issues involved in treating it as a
>>>>> variable boundary.
>>>>> 
>>>>> 
>>>>> The IETF datatracker status page for this draft is:
>>>>> https://datatracker.ietf.org/doc/draft-carpenter-6man-why64/
>>>>> 
>>>>> There's also a htmlized version available at:
>>>>> http://tools.ietf.org/html/draft-carpenter-6man-why64-00
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --------------------------------------------------------------------
>>>>> 
>>>>> 
>>>>> 
>>> 
>>>>> 
>>>>> 
> IETF IPv6 working group mailing list
>>>>> ipv6@ietf.org Administrative Requests:
>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>> --------------------------------------------------------------------
>>>> 
>>>>> 
>>>>> 
>>>> 
>>>>> 
>>>>> 
> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
>>>> Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>>> 
>>>> 
> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
>>> Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>> 
>>> 
>>> 
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
>> Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>> 
>> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email