Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Lorenzo Colitti <lorenzo@google.com> Thu, 09 January 2014 02:28 UTC
Return-Path: <lorenzo@google.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B855F1ADFFB for <ipv6@ietfa.amsl.com>; Wed, 8 Jan 2014 18:28:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.916
X-Spam-Level:
X-Spam-Status: No, score=-1.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hs9Okmiz6Jba for <ipv6@ietfa.amsl.com>; Wed, 8 Jan 2014 18:28:30 -0800 (PST)
Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 5A1B41ADFFA for <ipv6@ietf.org>; Wed, 8 Jan 2014 18:28:30 -0800 (PST)
Received: by mail-ie0-f180.google.com with SMTP id tp5so2985265ieb.11 for <ipv6@ietf.org>; Wed, 08 Jan 2014 18:28:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=tSDLqNGggz0FpdKmYwENS0kZ/UbMIkFGo/CNnujNjdo=; b=IXETTkAt3El16GoYKXZhIHSaLdrfz0wUKba/Xx3n3UX9lx52Ooyn9boMMQ4FEngfto v7X0jPeDqDDXehflYTam68sV55nu2japZlOz6TbCt+iUvRP9RXyr3wy4oU1H2dsq6sNN 0uorhTW7jxoacQxUxxic9tc9xep//877HdotKW8q6PcyTWAiIrFMHQ/bSMf9PnqGBkyY JZb2RXlJJ7XCztrjFkd2bCbk9RjxL0YBhM9nxNwEoIgSrDyTHl8KNyyjqPVlfT4stUAb 6WD2GwLfSvu89PdxeXKnhB5RZgQdA98zEc1+pzXL0WFEz/D9WneEeW6RV1NujjzCbyrj NclA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=tSDLqNGggz0FpdKmYwENS0kZ/UbMIkFGo/CNnujNjdo=; b=AA0CVYNTO2g0iuLsYo33CegzioXdpgMmEzIZpVHGXRBomIJuXBs3IfNYB7HtKGH66i ZuIu9Qn6/ByjVG6mmmFAmWdj+jcP9a0KtUMT1HbrABtQqM2UrMXeU3Un0Jm4Pa1ij5tB IkK7JZc4s82cxF1fVlkedJqUYLN8wSEXPKGLxw6ptcVhPU0l9uU78rwEUtMNzGT4HDn8 giFbqWmJae0YZPsKsOd8StBE2sDroDF+mqTzQPqT/jZ7REqhx6ZGfQLFthOhUf9fmpYI wN0uo7vTwoQt2nksCCsY+3t/qT4lZHE4rET4ZZusXOFIgq1lG/9CXmyKb9XgDJxro5AE PThQ==
X-Gm-Message-State: ALoCoQmchQwkK3jwk/vsXtPfGGAMDYAKzZrh6LVJjPl7FQBd+xHX2CC9PreWnIYAP4Krcpas5GKL6nOB6T2ik9E0aESMHFaFNGcIq/i8coRUpMqpJX3qt6H+UOXos+P4MtAiTc0HJMs8H5FFhnYZksTfev4kCWOFjIEUE4fx9xn2VWuRposNawbZ2hB/5FvwsSjAgUqVMrl5
X-Received: by 10.50.61.101 with SMTP id o5mr836411igr.31.1389234500001; Wed, 08 Jan 2014 18:28:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.7.36 with HTTP; Wed, 8 Jan 2014 18:27:58 -0800 (PST)
In-Reply-To: <52CBE0E6.5020107@globis.net>
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 09 Jan 2014 11:27:58 +0900
Message-ID: <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com>
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
To: Ray Hunter <v6ops@globis.net>
Content-Type: multipart/alternative; boundary="001a11360350e1fd5f04ef805c79"
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 02:28:32 -0000
On Tue, Jan 7, 2014 at 8:11 PM, Ray Hunter <v6ops@globis.net> wrote: > It may not be a widely held belief, but I remain concerned about the > potential for resource exhaustion for any number of processes due to the > "massive over sizing" of prefixes to /64: any number of untested processes > that track state based on /128 IPv6 address could be attacked. The flip > side of expanding privacy through address obfuscation at IID level is that > the source space available for attacks also increases. ND cache exhaustion > is probably just the first issue we've discovered of many that exist. This > may have knock on operational consequences, which in the IPv4 world have > relied on the scarcity of IPv4 address space to be able to operate > correctly under stress scenarios. We're going to discover who has been > swimming naked when the tide goes out. Call that FUD, or operational > expediency, whichever you like. BCP38 has saved me on a number of occasions > when all else has failed. > It's true that some implementations may have made incorrect assumptions about IPv6 attacks based on their IPv4 knowledge. But on the other hand, a /64 provides plentiful space, freedom from renumbering, and operational simplicity because "you will always have enough subnet space" and "you can pick your own IID because a /64 provides enough space for everyone". I don't think it's a good trade-off to give up those advantages just because of some implementations may temporarily have made insecure choices. By the same token, we didn't design IPv4 to be partitioned into security zones, even though I'm sure that when IPv4 rolled around, people were shocked - and I'm sure some got burnt - by the fact that enabling IPv4 on a machine suddenly meant that the machine was suddenly accessible from anywhere in the world. I think it's much better to start with a flexible, full-featured, simple architecture and them secure it. It's not that securing it is hard to do: in first instance, make the abuse systems just track /64s instead of tracking /128s, and problem solved. Of course, you still have the problem that there are too many /64s to keep track of, but there's no way around that except to stick with IPv4, or make a new protocol that has more address space than IPv4 but less address space than IPv6... but why would you want that? I know that smaller subnets are consistent with IPv4. But "different from IPv4" doesn't mean "worse than IPv4". In many cases, it means "better than IPv4".
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith