Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Emmanuel Thierry <ml@sekil.fr> Wed, 15 January 2014 16:40 UTC
Return-Path: <ml@sekil.fr>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD1301AE10F for <ipv6@ietfa.amsl.com>; Wed, 15 Jan 2014 08:40:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dikfJSqdet2p for <ipv6@ietfa.amsl.com>; Wed, 15 Jan 2014 08:40:16 -0800 (PST)
Received: from host1.ip6-networks.net (host1.ip6-networks.net [95.130.10.56]) by ietfa.amsl.com (Postfix) with ESMTP id B8B411AE0EE for <ipv6@ietf.org>; Wed, 15 Jan 2014 08:40:15 -0800 (PST)
Received: from [IPv6:2001:660:7301:3728:226:b0ff:fefa:237d] (unknown [IPv6:2001:660:7301:3728:226:b0ff:fefa:237d]) by host1.ip6-networks.net (Postfix) with ESMTPSA id 7ACF660A33; Wed, 15 Jan 2014 17:40:01 +0100 (CET)
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="iso-8859-1"
From: Emmanuel Thierry <ml@sekil.fr>
In-Reply-To: <52D6AEA9.5070002@gmail.com>
Date: Wed, 15 Jan 2014 17:40:00 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <08A20B1D-7418-4343-AAE0-AF2535259CE4@sekil.fr>
References: <52C9D788.8060606@gmail.com> <F0C49F28-42D5-49CD-AF4E-DFE65CF8B911@sekil.fr> <52CFB51E.60501@gmail.com> <CBDF0DD5-D5EF-41D1-AF7A-B7552105D9D0@sekil.fr> <52D6AEA9.5070002@gmail.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
X-Mailer: Apple Mail (2.1085)
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2014 16:40:19 -0000
Hello, Le 15 janv. 2014 à 16:52, Alexandru Petrescu a écrit : > Hello, > > Just out of curiosity... below... > > Le 10/01/2014 11:57, Emmanuel Thierry a écrit : >> Hello, >> >> Thanks for your answer. >> >> Le 10 janv. 2014 à 09:53, Alexandru Petrescu a écrit : >> >>> Hello, >>> >>> Thanks for the post. >>> >>> I could understand the need to spam block an entire /64 instead (a >>> single line in a configuration file) rathern than 2^64 lines each >>> telling an address in that file. >>> >>> Yes, this is relevant when writing other firewalling rules as >>> well. >>> >>> In this sense it is good to have an 'overall' number - like a /64 >>> - to designate one particular link and subnet. >>> >>> And one may like to use other such overall numbers such as a /65 >>> or a /63 to designate these links. >>> >>> And yes, the privacy extensions RFC4941 makes that attacker may >>> use that overall number /64 to generate addresses, and defender >>> may need to use same number /64 to comfortably protect against it. >>> A smarter attacker would use a /63 and a smarter defender too. >> >> Definitely. However, as an attacker, having a smaller prefix than a >> IPv6 /64 to exploit for your attack could correspond in IPv4 to use >> a smaller prefix than /32. I mean that as a defender, i would use >> against an attacker who smartly uses its /63 or smaller, the same >> techniques than an attacker who have access to an IPv4 /31 or >> smaller: blacklist sequentially all IPv6 /64 that this attacker is >> using. So anyway, a /64 boundary would at least help to leverage the >> problem. >> >> This could also be a good hint to network operators or hosters. Some >> virtual machine providers (for instance) divide their /64 into >> smaller prefixes (i saw /96), > > When a virtual machine uses a /96 instead of a /64, is that prefix > present in an RA? About the hoster i think about, i didn't subscribe to their service (i let you guess why ! ;)). However, their docs mention two major points: * How to calculate the IPv6: 2001:db8:1:XXX:XXX:XXX:XXX:YYYY/96 where XXX:XXX:XXX:XXX is the IPv4 address (!!!) and YYYY is a number between 0000 and FFFF * How to configure the IPv6: (...) in /etc/sysconfig/network add "IPV6_AUTOCONF=no" (...) So there is likely no RA on their network. It is quite common on hosters networks. In France, i only knows OVH (IIRC) who sends Router Advertisements on its network. In most of cases, server configuration is performed by static manual configuration. Best regards Emmanuel Thierry > And, is there some address auto-configuration involved? (wondering > about how is the Interface ID formed, because with Ethernet it must be > 64bit long). > > (for example, in some non-Ethernet links - like IP/USB, or some > IP/cellular - there are some particular non-documented mechanisms to > form Interface IDs; but these are still 64bit length, never 22bit) > > Alex > > > which may imply that a bad behavior >> from one of their clients might influence other servers. I think >> there should be a clear mention of the consequences it may have. >> Such a mention may help to promote best practices (TODO: define best >> practices). >> >> Best regards Emmanuel Thierry >> >> >>> >>> Le 09/01/2014 18:51, Emmanuel Thierry a écrit : >>>> Hello, >>>> >>>> (first message on these lists, hope it is accurate) >>>> >>>> I'm generally thinking that the /64 limit helps to structure the >>>> address space from the receiver point of view. Let's say i'm >>>> running a mail server which tries to reduce spam by temporarily >>>> blacklisting some senders. if i'm facing spammers who use their >>>> IPv6 address space in a smart way, they will just have to >>>> generate RFC 4941 addresses to exhaust a firewall memory. The >>>> pragmatic way to face such attacks is to blacklist the whole >>>> /64, never a unique /128. >>>> >>>> I don't know if it is to be considered as a best practice, but >>>> for these reasons, as a receiver, i personally consider a /64 to >>>> be assigned to a unique link, or at least a network managed by a >>>> unique network administrator. Enforcing this limit in protocol >>>> standards strengthen this assumption. This might be an >>>> additional argument for the "please keep /64 for unique links". >>>> >>>> As a consequence, subdivide a /64 into several prefixes in order >>>> to assign it on several networks might create a risk for devices >>>> on one network to be blacklisted by actions performed by some >>>> devices on another network, in case the whole /64 have been >>>> blacklist by a "pragmatic" receiver. >>>> >>>> Best regards Emmanuel Thierry >>>> >>>> Le 5 janv. 2014 à 23:07, Brian E Carpenter a écrit : >>>> >>>>> Hi, >>>>> >>>>> A group of us put this together following a discussion some >>>>> weeks ago on the v6ops list about the 64-bit boundary in IPv6 >>>>> addresses. Discussion belongs in 6man, please. >>>>> >>>>> This draft is incomplete but we'd welcome input. Let me >>>>> underline an important comment in the introduction: >>>>> >>>>> _The purpose of this document is to analyse the issues around >>>>> this question. We make no proposal for change, but we do >>>>> analyse the possible effects of a change._ >>>>> >>>>> >>>>> Brian + co-authors >>>>> >>>>> -------- Original Message -------- Subject: I-D Action: >>>>> draft-carpenter-6man-why64-00.txt Date: Sun, 05 Jan 2014 >>>>> 13:59:17 -0800 From: internet-drafts@ietf.org Reply-To: >>>>> internet-drafts@ietf.org To: i-d-announce@ietf.org >>>>> >>>>> >>>>> A New Internet-Draft is available from the on-line >>>>> Internet-Drafts directories. >>>>> >>>>> >>>>> Title : Analysis of the 64-bit Boundary in IPv6 >>>>> Addressing Authors : Brian Carpenter Tim Chown Fernando >>>>> Gont Sheng Jiang Alexandru Petrescu Andrew Yourtchenko Filename >>>>> : draft-carpenter-6man-why64-00.txt Pages : 14 Date : >>>>> 2014-01-05 >>>>> >>>>> Abstract: The IPv6 unicast addressing format includes a >>>>> separation between the prefix used to route packets to a >>>>> subnet and the interface identifier used to specify a given >>>>> interface connected to that subnet. Historically the interface >>>>> identifier has been defined as 64 bits long, leaving 64 bits >>>>> for the prefix. This document discusses the reasons for this >>>>> fixed boundary and the issues involved in treating it as a >>>>> variable boundary. >>>>> >>>>> >>>>> The IETF datatracker status page for this draft is: >>>>> https://datatracker.ietf.org/doc/draft-carpenter-6man-why64/ >>>>> >>>>> There's also a htmlized version available at: >>>>> http://tools.ietf.org/html/draft-carpenter-6man-why64-00 >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -------------------------------------------------------------------- >>>>> >>>>> >>>>> >>> >>>>> >>>>> > IETF IPv6 working group mailing list >>>>> ipv6@ietf.org Administrative Requests: >>>>> https://www.ietf.org/mailman/listinfo/ipv6 >>>>> -------------------------------------------------------------------- >>>> >>>>> >>>>> >>>> >>>>> >>>>> > -------------------------------------------------------------------- >>>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative >>>> Requests: https://www.ietf.org/mailman/listinfo/ipv6 >>>> -------------------------------------------------------------------- >>>> >>>> >>> >>> >>> >>>> >>>> > -------------------------------------------------------------------- >>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative >>> Requests: https://www.ietf.org/mailman/listinfo/ipv6 >>> -------------------------------------------------------------------- >> >>> >>> >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list ipv6@ietf.org Administrative >> Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- >> >> > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith