Re: AD Evaluation : draft-ietf-6man-ra-pref64-06

Suresh Krishnan <Suresh@kaloom.com> Sat, 02 November 2019 04:11 UTC

Return-Path: <Suresh@kaloom.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41779120937; Fri, 1 Nov 2019 21:11:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.756
X-Spam-Level:
X-Spam-Status: No, score=-0.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kaloom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sBJ6ttMleW0d; Fri, 1 Nov 2019 21:11:52 -0700 (PDT)
Received: from CAN01-TO1-obe.outbound.protection.outlook.com (mail-eopbgr670133.outbound.protection.outlook.com [40.107.67.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A68D1200F4; Fri, 1 Nov 2019 21:11:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LlZBJOvCL9y48u9mMpT6zXT3hcozbanqxYXlbuDP1smnKArWVUpEavDa6ZTHp3RSJz5Y//nOMC7/kQ7O8o/H80H99a8r9WivLR6KCrc8s21kst4+W/SCbRnNFKzWspp6nhImcZyauIGs4SNyt/GO8hHpFnNe9xRVrWEV6BsBgJmP9fPUym7Z2N7KLSSobVVSOE4NQoE3B/AGqW+sjk9nm0aTmDfmMFBTgaoD9R2htQAPTppoersRQnO4Rvypb0Z4uzAih8TGpBSbK/BEpmIEtd2wrfu63okWP9i19tG1Hyr8RGaNJe2OYHCJwdVJGt/601649qi60bl0J5sJUwjsNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QC1Il4O8RhBZyiwr5uiJjzzDVGtHZiTQfHTqBGnHxls=; b=bGFBloXIlZzDUSrqY8+Iq0HC498b8tET2fbG6SIBS+DSTggJfQUlViZ1dFH1JBfeKNEE8BiVfFQoIiv6zPrstPDaC5S/OTmCPPyHjf+i4x/ibIdnq1hyD20Daw8FDmLzjgB3RgehWsRS7wevDqLBGMdPZHthWs16LTSomgLW5KDZ6IWyDU1BebPjUluT43dyrB6ftry7IXUgc0fZ9/xcT8BzJpN9ODB+YstFcLl3gI73LBW0bVtT4azxOd2Y7c/Rzusd9l0V+shs+XXSLz0sjUdlPdoIamNTb6pT9Dwqx6144yQeH7S3kQ2YLCmcLuf3Oj2LhgTsdtmpk6c/Z8wFtw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=kaloom.com; dmarc=pass action=none header.from=kaloom.com; dkim=pass header.d=kaloom.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kaloom.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QC1Il4O8RhBZyiwr5uiJjzzDVGtHZiTQfHTqBGnHxls=; b=rqUI5xX67VPp0gaKq+rP4f/oH5qdWUDpi1ZhwMylETOGvoKjn/X48yPUXnEDFqtzf7zFkuoSB3uQoj6Y8vqRxxzl8VQ0YY8S9bJdIH404YRvl3idBPziverwQAjTb1aYvOYEM7a4U/oV2UZtmTNKUfusMRyfvWsVci1x1UBkK64=
Received: from YT1PR01MB3642.CANPRD01.PROD.OUTLOOK.COM (10.255.42.27) by YT1PR01MB3484.CANPRD01.PROD.OUTLOOK.COM (10.255.43.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.23; Sat, 2 Nov 2019 04:11:49 +0000
Received: from YT1PR01MB3642.CANPRD01.PROD.OUTLOOK.COM ([fe80::c00b:23f0:4c61:f412]) by YT1PR01MB3642.CANPRD01.PROD.OUTLOOK.COM ([fe80::c00b:23f0:4c61:f412%6]) with mapi id 15.20.2387.030; Sat, 2 Nov 2019 04:11:47 +0000
From: Suresh Krishnan <Suresh@kaloom.com>
To: Lorenzo Colitti <lorenzo@google.com>
CC: "draft-ietf-6man-ra-pref64@ietf.org" <draft-ietf-6man-ra-pref64@ietf.org>, IETF IPv6 Mailing List <ipv6@ietf.org>
Subject: Re: AD Evaluation : draft-ietf-6man-ra-pref64-06
Thread-Topic: AD Evaluation : draft-ietf-6man-ra-pref64-06
Thread-Index: AQHVkTCMh13V/uY160Wc1DLMCRFao6d3Qm6AgAACeoA=
Date: Sat, 2 Nov 2019 04:11:47 +0000
Message-ID: <7E0096AC-9EBC-4D82-AF22-349311EA46CE@kaloom.com>
References: <F1B31C38-7CDB-4057-A573-D6AF76B264D3@kaloom.com> <CAKD1Yr1vOqTvEsv0oCm+bu7CkFwiyFv8_G1XM+4JAKYLoA21aA@mail.gmail.com>
In-Reply-To: <CAKD1Yr1vOqTvEsv0oCm+bu7CkFwiyFv8_G1XM+4JAKYLoA21aA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Suresh@kaloom.com;
x-originating-ip: [45.19.110.76]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2135eeba-c2e3-4d9e-edcb-08d75f4ac7b3
x-ms-traffictypediagnostic: YT1PR01MB3484:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <YT1PR01MB3484B7E5F56E0577019FE839B47D0@YT1PR01MB3484.CANPRD01.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-forefront-prvs: 0209425D0A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6019001)(376002)(396003)(136003)(346002)(366004)(39840400004)(269900001)(51914003)(199004)(189003)(99286004)(476003)(8936002)(186003)(6506007)(66066001)(486006)(446003)(8676002)(66476007)(54906003)(11346002)(6436002)(53546011)(64756008)(6486002)(81156014)(6246003)(256004)(76116006)(91956017)(236005)(14444005)(102836004)(76176011)(54896002)(81166006)(6306002)(71190400001)(36756003)(6512007)(2616005)(316002)(229853002)(26005)(71200400001)(7736002)(3846002)(66446008)(66946007)(66556008)(2906002)(4326008)(86362001)(25786009)(66574012)(5660300002)(14454004)(80792005)(606006)(6116002)(508600001)(33656002)(6916009)(256605007)(16193025007); DIR:OUT; SFP:1102; SCL:1; SRVR:YT1PR01MB3484; H:YT1PR01MB3642.CANPRD01.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: kaloom.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: d2ufZw3kx+kbMbgmUpLPqQXqjc4Yl6sNLLMjiX8uCik2PQAgFjLzUrvpWkOH2mf5A9BKuEImkaFFNxic/zhLgmi9K/Dm4WTHYcX/CchhKq6Ytx8kTPUNoICcQ4lgIPO3NfcEGt1fht7i/eSZGF7JitNbcH/TaLjwJ0Rihh/uZjYhfVbKc0WImhIv7gXKSooBSHIJvGrSG0ERYuohgOsvOJWB7+Ilrr19+sVukaPzMoaKX1ICbB77jmuudHg9v5uFLrJQzJsBpzcvYvbK3og3Biv02zPwzkBb5i7dt6iaU2kLf4PNgfmJ6imn7abOxwoCYW7Aka7g0kVWbYlOUviOvQH373RneSXNpu1XZ/0/2rEd5m/4UAiCFMgVZxEXPiLisffRW4i+gYbQYGtIhPbUIz1Ewjdy7x8kyHkDQjqwC1hyxRDO32p9hbWuw0YK9vc2VVvuvyvy2IKM0g0nrWubM6zuN2TBuZgONrPPQWuJDC8=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_7E0096AC9EBC4D82AF22349311EA46CEkaloomcom_"
MIME-Version: 1.0
X-OriginatorOrg: kaloom.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2135eeba-c2e3-4d9e-edcb-08d75f4ac7b3
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2019 04:11:47.7931 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 47d58e26-f796-48e8-ac40-1c365c204513
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 32fuLNLPTsLvR12+Y34FguljL7lSD+E3T2jszjmVWrFhQdEBkcHLTLxtIAucV+ZpYb4R6JtdYuE/BALRtbH3aA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YT1PR01MB3484
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Sb2VgWP2Gu4QUiC6oqGynBx37VE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2019 04:11:54 -0000

Hi Lorenzo,
  Thanks for the quick response!

On Nov 2, 2019, at 12:02 AM, Lorenzo Colitti <lorenzo@google.com<mailto:lorenzo@google.com>> wrote:

On Sat, 2 Nov 2019, 12:49 Suresh Krishnan, <Suresh@kaloom.com<mailto:Suresh@kaloom.com>> wrote:
Please use a documentation prefix, say 192.0.2.0/24<http://192.0.2.0/24>, instead of the RFC1918 address currently used in the example.

Are you sure this would be an improvement?

Yes, I think so :-). Addresses in examples end up being used in real life far too often. I am not going to insist on this change and I leave it to your discretion.

The example would become less realistic because 1) 192.0.2.0/24<http://192.0.2.0/24> is a /24 and subnetting a /24 is unusual, and 2) it's seems like a reasonable thing to do to route private space to a different NAT.

Is there a larger documentation prefix than 192.0.2.0/24<http://192.0.2.0/24>?

Unfortunately not. 128.66.0.0/16 was used a long time ago for this purpose but was never officially sanctioned.


* Section 7

PvD: Define before use and add and a reference to [draft-ietf-intarea-provisioning-domains]

A better reference might be RFC7556.

Works for me.


"Providing all
   configuration in Router Advertisements increases security by ensuring
   that no other protocols can be abused by malicious attackers to
   provide hosts with invalid configuration.”

This is not strictly true, right? e.g. Someone can still use PCP to override the Pref64 information from the RA. Suggest rewording to something like this

Well, only if nodes implemented the PCP method, which they don't... but yes, this is true in theory.

Given that the PCP method is a IETF defined mechanism and this document does put it on the top of the pecking order, I think it is better to use something like the alternate formulation that I suggested.

Regards
Suresh