IETF Logo Mail Archive

Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)

Ca By <cb.list6@gmail.com> Thu, 16 November 2017 12:42 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 439F71294E2 for <ipv6@ietfa.amsl.com>; Thu, 16 Nov 2017 04:42:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJpQxX3amJJt for <ipv6@ietfa.amsl.com>; Thu, 16 Nov 2017 04:42:14 -0800 (PST)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13BA51294E1 for <ipv6@ietf.org>; Thu, 16 Nov 2017 04:42:13 -0800 (PST)
Received: by mail-yw0-x234.google.com with SMTP id g204so7586402ywa.6 for <ipv6@ietf.org>; Thu, 16 Nov 2017 04:42:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bhr6HANefIL2t8mz/eckFt+PiySaibeQiHvL1BBdY0o=; b=fN8B4FYT+6E1AXOQwHa2fvUmLxxh4z8eEsI6YYnA1oLGWOmPX4DObz82Wv9zO6ZqNx U6+VnyN5R+dOa0zvQyGag0xuReGLaYg7Lw8J6h7fJD4froP8511gwqTteXdUjM88/PkI VEWx51yGNI/dAuV4dulql8fEDz1WQhOtSJWfV4UKtSZk4NOab6q3cHkkC9Hc60N/A3L3 2+4Tmzr9Czb0ChFp90XXsthnamBzts+FP7NHXs7O30tPilra2YAJt2ZlDV/g7V56tgKh fYMTleQkoGfW+lKI/lXI4J5DboQPE3vzDJ8VzjJ+lt0Eys+a9WkIf8HrJA35EMAE2uq3 l9SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bhr6HANefIL2t8mz/eckFt+PiySaibeQiHvL1BBdY0o=; b=bM51orvM/Vpeje21qVNVLkDsP5PShaUNpFQFuOYgsl5ktK/8qzsSFla5spQaXfATbs SNu3eMJjc+vH26EiVwIc4cd4QVdAq8uqIfrPXaHj2/C3t2SlEF9o9ekduB4hYz959IZh 3ET67hdLu94wPImlZrPCJuvWJpjIQ0FI88SCe7kmVLPYOGctJXc9RmxTNjBlFs6UeVIT bN4KzlOsiI3yNiKArEhNOGyQ3N019Bxlq88e+4xm+7wmrUiy6KYYVBm2yun7bxj1U3Km YdZtfWTix9IIcCgDSOe2LIkY/4CzF5vVBtRZDrSDILqO9SimRLr5SFe0qtH83e1O5Z3o o4mA==
X-Gm-Message-State: AJaThX6CvBk/cdXuFoFquntyy3AP6ZygcQS2FnLhvCna+/oeGjQOP3vN Ri4vuyaBRqfUIMao5Oz2hiKqjITJWaTteCwiS8M=
X-Google-Smtp-Source: AGs4zMacnOnBz3WEA6a1kqh0g2izfxGwT9qPSUO4oJdUnwUXJ0QDPbjS8pVcXpuiKERtDzL6p167dEFb2CMabtyDIPE=
X-Received: by 10.37.130.11 with SMTP id q11mr757321ybk.50.1510836132335; Thu, 16 Nov 2017 04:42:12 -0800 (PST)
MIME-Version: 1.0
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <183A8772-6FEF-43BD-97F9-DD4A2E21DB90@google.com> <5D9D33A8-88F0-4758-84FA-BCB364E8013F@employees.org> <16B61573-E233-40ED-8A22-CD145EBB8F98@google.com> <A89E7192-0FD4-4750-8745-147AFCC364DC@jisc.ac.uk>
In-Reply-To: <A89E7192-0FD4-4750-8745-147AFCC364DC@jisc.ac.uk>
From: Ca By <cb.list6@gmail.com>
Date: Thu, 16 Nov 2017 12:42:01 +0000
Message-ID: <CAD6AjGQcF=+FRFke1P0+vcmEEqWQ0NUsfprS6qBvfsG+3HMXhA@mail.gmail.com>
Subject: Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
To: Tim Chown <Tim.Chown@jisc.ac.uk>
Cc: 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>, Ole Troan <otroan@employees.org>, james woodyatt <jhw@google.com>
Content-Type: multipart/alternative; boundary="089e0828c20cfb58de055e18f28e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/XQlURK7RI7vCNvMs3uu4Wyr6zmo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2017 12:42:16 -0000

On Thu, Nov 16, 2017 at 1:53 AM Tim Chown <Tim.Chown@jisc.ac.uk> wrote:

> Hi,
>
> > On 15 Nov 2017, at 23:04, james woodyatt <jhw@google.com> wrote:
> >
> > On Nov 15, 2017, at 13:47, Ole Troan <otroan@employees.org> wrote:
> >>
> >>>> IMHO the optimal solution is:
> >>>> - the network SHOULD provide a host with NAT64 prefix information in
> RA;
> >>>
> >>> Disagree. If the network has NAT64, then it should deploy RFC 7225. Ye
> gods, this is the very last thing that should be jammed into RA messages.
> >>
> >> Do we really want PCP in IPv6?
> >
> > If we have any kind of NAT, then we need PCP. Using NAT without PCP
> considered harmful. That goes for NAT64 and NAT66.
>
> And PCP is still needed to negotiate firewall holes in a pure IPv6
> scenario, isn’t it?  Assuming the host with PCP is behind Simple Security.
>
> A question: is this something we should conducer for RFC6434-bis, or
> should we be silent on PCP?
>

No


> >> Is PCP successful in IPv4?
> >
> > Well, there was this: <
> https://www.ietf.org/proceedings/88/slides/slides-88-pcp-5.pdf>
> >
> >> Or does it even work well with A+P based solutions?
> >
> > Designed expressly for it.
>
> I assumed PCP was designed with an eye firmly on future routed home
> networks where firewall holes need to be opened. What is the alternative?
>

The alternative is secure host and no firewall. There is no firewall at the
ietf conference right now, right?  Are you secure ? Is there a malware
outbreak?

The fatal flaw in PCP (aside from the name) is that it assumes the host
needs protection yet it gives the host the power to control the firewall.
Next gen malware will come via email (just like today), it will encrypt
your hard drive, and then setup and c2 network on your pc via pcp
controls.  Sad!

CB


> Tim
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email