IETF Logo Mail Archive

RE: A common problem with SLAAC in "renumbering" scenarios

"Manfredi (US), Albert E" <albert.e.manfredi@boeing.com> Fri, 15 February 2019 21:51 UTC

Return-Path: <albert.e.manfredi@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCFF130E6F for <ipv6@ietfa.amsl.com>; Fri, 15 Feb 2019 13:51:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 85qbo0IYt-tL for <ipv6@ietfa.amsl.com>; Fri, 15 Feb 2019 13:51:11 -0800 (PST)
Received: from clt-mbsout-01.mbs.boeing.net (clt-mbsout-01.mbs.boeing.net [130.76.144.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC60112F1AB for <ipv6@ietf.org>; Fri, 15 Feb 2019 13:51:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by clt-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id x1FLp9a6023301; Fri, 15 Feb 2019 16:51:09 -0500
Received: from XCH16-01-09.nos.boeing.com (xch16-01-09.nos.boeing.com [144.115.65.234]) by clt-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id x1FLp4Ih023237 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Fri, 15 Feb 2019 16:51:04 -0500
Received: from XCH16-01-11.nos.boeing.com (144.115.66.39) by XCH16-01-09.nos.boeing.com (144.115.65.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1591.10; Fri, 15 Feb 2019 13:51:02 -0800
Received: from XCH16-01-11.nos.boeing.com ([fe80::a96c:5d85:1337:4323]) by XCH16-01-11.nos.boeing.com ([fe80::a96c:5d85:1337:4323%4]) with mapi id 15.01.1591.014; Fri, 15 Feb 2019 13:51:02 -0800
From: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
To: Sander Steffann <sander@steffann.nl>
CC: "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: A common problem with SLAAC in "renumbering" scenarios
Thread-Topic: A common problem with SLAAC in "renumbering" scenarios
Thread-Index: AQHUxCBHRRM+C8/2XkuG8rODXW4PVqXfllAAgAAFt4CAAAUwgIAAAy4AgAAM9oCAAAQqgP//9njQgADJZQCAAJC5gIAAGd2AgACnDwCAAB9bAP//eyTg
Date: Fri, 15 Feb 2019 21:51:02 +0000
Message-ID: <873bcd9d6c9649b9b6f373b6e991072e@boeing.com>
References: <60fabe4b-fd76-4b35-08d3-09adce43dd71@si6networks.com> <c16e0e1f-1ed2-ad88-80f1-070bdd8bccca@go6.si> <1F2C2AEE-1C7D-481C-BBA7-7E507312C53A@employees.org> <e56a6e5b-648d-200e-c35d-97f15a31fb2a@asgard.org> <CAO42Z2zh7fKAgQJq9aLCTiFoSSsTeGM=pK3gXitg+gcxH=9fhQ@mail.gmail.com> <d38857c2-6e92-91d6-bb5d-d3eeeb61276a@gmail.com> <CAO42Z2yb47OyXk__Sz-kO00pfcBJgLAhff5DF=mpAddR0iCnAA@mail.gmail.com> <2612280f-195a-ae7a-b3b1-9022d9282fa7@foobar.org> <56F813F4-C512-40A9-8A68-1090C76A80F6@consulintel.es> <CAHL_VyCN8kU7qnLOphfGR25-xGBe_p6WeGTkKVXwU5uy5aJ8Dg@mail.gmail.com> <65DB4854-97D2-4C31-A691-2CD93812EF93@consulintel.es> <CAHL_VyCMpCcGkEQu+RV1GRf2QLB-HD0+AOOBV0YhfQ5sbydVzQ@mail.gmail.com> <8CE7A0CD-97D9-46A0-814D-CAF8788F9964@consulintel.es> <e3e0bf2273e04f15b792665d0f66dfe5@boeing.com> <4c5fab33-2bff-e5b5-fc1d-8f60a01a146d@go6.si> <b4525832-9151-20bf-7136-31d87ba6c88d@huitema.net> <463f15cf-2754-e2e8-609d-dc0f33448c6c@go6.si> <ff649810-7242-7bc2-d36f-3f998f7bdd71@asgard.org> <9CDF41CA-83B4-4FC4-B995-EF79727C5458@steffann.nl>
In-Reply-To: <9CDF41CA-83B4-4FC4-B995-EF79727C5458@steffann.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [144.115.204.6]
x-tm-snts-smtp: 225F888BBC1D9FC1E8257F9C5BD733214375A49169E93C9F56609674C1D6070B2000:8
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/TtGMq0OdQ_9lgW5Gmf72jldZVB0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 21:51:14 -0000

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Sander Steffann

> - For stable address delegation the routing inside the ISP becomes a mess, especially when it can't be guaranteed that a customer consistently ends up at the same BNG.
>
> - To keep ISP networks scalable, prefixes are aggregated to (roughly) BNG level, making it impossible to keep prefix delegation stable at the customer's end
>
> With IPv4 this didn't cause massive problems because NAT disconnected the LAN addresses from the WAN side at the customer's end. With IPv6 this is no longer the case and it does cause problems.
>
> Stability at one end causes instability at the other end, and vice versa.
> And as can be seen from this discussion it's still an unsolved problem...

Right, but I would come back to my previous point. In the IID discussions, a lot of time was spent justifying why stable IIDs are not a good idea, and testing was done to see what breaks when IIDs are changed frequently. If changing the IID is doable, seems not to break many applications, and is touted as a meaningful security measure, then those same considerations should apply to the prefix. Yet, we're not seeing a push for varying prefixes, as we got for keeping IIDs unpredictable or even short-lived.

Instead, now there's a shift in thinking, where changing the IPv6 address is not so useful for security (which I too have been thinking all along).

We should be consistent. Just as stable IIDs, even EUI-64 based IIDs, should be permissible, when they make sense (such as in enterprise networks), we are no longer depending on them or suggesting to do this. They are a special case. Perhaps the same ought to apply to stable prefixes. Networks which want those can use whatever means they need, such as non-volatile memory in CPE devices. Otherwise, they should not be recommended and not be the norm? Just asking. Maybe this problem should go away.

Bert

v2.23.0 | Report a Bug | By Email