IETF Logo Mail Archive

Re: [IPv6] [v6ops] Smaller prefixes (/64-/96?) for draft-collink-v6ops-ent64pd

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 31 March 2023 16:42 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8A9DC151B0F; Fri, 31 Mar 2023 09:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.597
X-Spam-Level:
X-Spam-Status: No, score=-14.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="Fug2JhfI"; dkim=pass (1024-bit key) header.d=cisco.com header.b="oAopCGnj"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPNLQVRW6eK3; Fri, 31 Mar 2023 09:42:37 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BD84C14EB1E; Fri, 31 Mar 2023 09:42:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=69430; q=dns/txt; s=iport; t=1680280957; x=1681490557; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=PYQxkjq5RPU/Por1osyobmUNS8baSP7sCDPPpoLY+NI=; b=Fug2JhfI+5lWSHQQf8rE1GvMNkp/VS6AcdTFMuYx1Gu7rzt2rRcwshS8 PiJU2eJntDbwyDcfWejtB0DR/DXE6rEinbbkrlmPBd4lE8plhM6FzrKNI 7x5iN/agHNgG2L9WcEUi8VRPTcdbQVT9iDSHSgCM8giggucVYuQJ8L7Ot E=;
X-IPAS-Result: A0ADAAANDCdkmIkNJK1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBgXsFAQEBAQsBgSoxUnMCUAEIO0aEUoNMA4RQX4gxA4tKi3mBOYMygSwUgREDQg8FDwEBAQ0BAS4BCgsEAQGFBgIWhSUCJTQJDgECBAEBAQEDAgMBAQEBAQEDAQEFAQEBAgEHBBQBAQEBAQEBAR4ZBQ4QJ4U7CCUNhlUBAQEBAgEBARAICQoTAQEqAgsBBAsCAQgRBAEBASABBgMCAgIfBgsUCQgCBA4FCBqCXAGCFRMDDiMDAQ8Gn3kBgT8CiiB6gTKBAYIIAQEGBASBTkGaPg2CRwMGgUEBh0QEdl4BAYVmgQSBLycbgUlEgRQBQ4FmgQE+giBCAQECAYEoAQsHASMkgzU5gi6JfYQ1gmmISQqBNHWBIA6BPYEEAgkCEWuBEghngXxAAg1kCw5vgUoCgm8HNgNEHUADCzs6PzUUIQUEVYEZJAUDCxUqRwQIOQYaNBECCA8SDwYmRA5CNzQTBlwBKQsOEQNQgUcEL0SBGwIEASYkmz+BXgElGS0GAWcDCjYHBQQUDi0BCyAKFRUWCAoDHgwHIRE6A5I5OYJZAUeKSY4oknhHbwqDfItyjw6GIxaDfYxml31il2+NU4NtkHYkCIURAgQCBAUCDgEBBoFjOmtwcBU7DRGCSVIZD1iBBoxCCQMNCYNQhRSKZXUCAQE4AgEGAQoBAQMJiGuCWQEB
IronPort-PHdr: A9a23:tIk1RRbLPDsaaTKHUxR1Fhz/LTAphN3EVzX9orIriLNLJ6Kk+Zmqf EnS/u5kg1KBW4LHo+lFhOzbv+GFOyQA7J+NvWpEfMlKUBkI2skTlhYrVciCD0CzJfX2bis8S cJFUlIt/3yyPUVPXsjkYFiHqXyp5jlUERL6ZmJI
IronPort-Data: A9a23:ylcRkKjOirCTpypCk34w3btOX161nxAKZh0ujC45NGQN5FlHY01je htvWGyFOv2JN2aned8gPornoEIDupLXyIRlSlNp+X01EnxjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+lH1dOKJQUBUjclkfJKkYAL/En03FF8MpBsJ00o5wLZi2dcw2LBVPivU0 T/Mi5yHULOa82Yc3lI8s8pvfzs24ZweEBtB1rAPTagjUG32zhH5P7pDTU2FFEYUd6EPdgKMq 0kv+5nilo/R109F5tpICd8XeGVSKlLZFVDmZna7x8FOjzAazhHe3JrXO9IMLkBl1jeLrexv1 fIUiqGvQiEvHo71zbF1vxlwS0mSPIVP/LvBZHO4q8HWkwvNcmDnxLNlC0Re0Y8wo7ksRzoQs 6VDbmlWMXhvhMruqF6/YvFwhtkpIdP3FIgeoXpnizreCJ7KRLiTEviXuIQCg1/cgOhhPuSCf MAULgBQbSTCXQZ9ZHsON8gHybLAan7XKm0E9w39SbAMy3ba1w113b7uN5zYdsGDX8l9nluRu W/HuW/+B3kyKoKY0SGt83+wiKnIhyyTcIMKCuOQ9/N2jhuU3GN7IBkRT1a9s/6RhUm5VNZSb UcT/0IGo6Eo8UGxZsT4WVu1rGPslhsVQdlCAf8h7QCRyoLb5g+YAi4PSTspQNY8tcYwAzFs3 VaTh97vGTF1mLKQQHOZsLyTqFuP1TM9JGsGY2oPShEIpoWlq4AohRWJRdFmeEKosjHrMSG3x ALXrioMu6sOqpc06rqw21bnoAv58/AlUTUJzgnQW2uk6CZwa4ike5Gk5DDnARBocd7xor6p4 SBspiSO0AwdJcrWzXHSHY3hCJnstqjZYWGN6bJ6N8R5nwlB7UJPamy5DNtWHF1oNM0JZTjvC KM4kVwMuMcMVJdGgFMeXm5cI80uya6lHtP/W7WIKNFPeZN2MgSA+UmChHJ8PUiwyyDAcolmZ v93lPpA615BVMyLKxLtGo8gPUcDnHxW+I8qbcmTI+6b+bSffmWJbrwOLUGDaOs0hIvd/lWNq Y4Gb5DalU8COAEbXsUx2dNNRbztBSVlba0aV+QMHgJ+ClM8QTp4W6O5LU0JK9w690iqqgs41 ijtBhAHoLYOrXbGMg6NImtyc6/iWI0XkJ7IFXJEALpc4FB6OdzHxP5GL/MfJOB7nMQ9lqQcZ 6deJK297gFnF26vF8I1N8et9eSPtX2D2GqzAsZSSGNjL8ExF1aUqoaMk8mG3HBmMxdbfPAW+ 9WIvj43i7JaL+i+JK46sM6S8m4=
IronPort-HdrOrdr: A9a23:f8whKKr2g7O6KYvqDwISjaMaV5uHL9V00zEX/kB9WHVpm5Oj+f xGzc516farslossSkb6K+90KnpewK5yXcH2/huAV7CZniohILMFuBfBOTZskXd86OVzJ8n6U 4NSdkdNDS0NykHsS+Y2nj3Lz9D+qj8zEnAv463pB0BLXAIV0gj1XYFNu/xKDwQeOAyP+tBKH Pq3Lsgm9PPQwVzUu2LQl0+G8TTrdzCk5zrJTQcAQQ81QWIhTS0rJbnDhmxxH4lInJy6IZn1V KAvx3y562lvf3+4ATbzXXv45Nfn8ak4sdfBfaLltMeJlzX+0aVjcVaKv6/VQIO0aSSAWUR4Z 3xStAbToNOAkbqDyOISN3Wqk/dOXgVmibfIBSj8AreSITCNUIH4ox69Npkmt+z0Tt7gDm6u5 g7hF5x/qAnfi/ojWDz4cPFWAptkVfxqX0+kfQLh3gaSocGbqRNxLZvtn+9Pa1wVB4S0rpXW9 VGHYXZ/rJbYFmaZ3fWsi1mx8GtRG06GlODTlIZssKY3jBKlDQhpnFoiPA3jzMF7tYwWpNE7+ PLPuBhk6xPVNYfaeZ4CP0aScW6B2TRSVbHMX6UI17gCKYbUki95qLf8fEw/qWnaZYIxJw9lN DIV05Zr3c7fwb0BciHzPRwg1nwqE7UZ0We9iif3ekOhlTRfsudDcTYciFaryKJmYRqPvHm
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="5.98,307,1673913600"; d="scan'208,217"; a="89555327"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 31 Mar 2023 16:42:34 +0000
Received: from mail.cisco.com (xfe-aln-005.cisco.com [173.37.135.125]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 32VGgXYf009378 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Fri, 31 Mar 2023 16:42:33 GMT
Received: from xfe-aln-001.cisco.com (173.37.135.121) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Fri, 31 Mar 2023 11:42:32 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-001.cisco.com (173.37.135.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25 via Frontend Transport; Fri, 31 Mar 2023 11:42:32 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WEZjG6RQLnuGrGyGgkc9KmWl0HbIx67yWWn9kysNMPbOxsKYtf5Qv0FiFJDy4TylfCcLmbKh9KKsAdHrm1tQfR5HaXaNi9fD/bo4IMWCXic8Cx5bESZxzgDrPg8ssVfIQA3xWosJVGVjfmGLoxBh3ZvBNt/5ZrpOb7boBYtosmxB9EFp2onFFg+iAwHpns/TnMM5NOMKNpI15L17Mf97qG8VLW1nFlU4+jekNc/gqdnPlPgBKFXwFG/eSJOE5XmW4EjWHdtaRdBsiEcs13zST86u8N+PkJHaVZiWEsTwR1G0lTdPYkDkOjmSpYuM1UZ1Z9UX8uFQlEDYjWim1oAhPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PYQxkjq5RPU/Por1osyobmUNS8baSP7sCDPPpoLY+NI=; b=DoNRt6ozI4/yuze6IFBcQtLZDOw89/2CicWBDh6XmVpME5q15OQ9vjZHoJjb0Mq6pIyLlrNzJ5aUY+6iAdZcc7ejVyHPOezaVKWDg29R9kHNCCzaXRwg6SAYC2laWL4yOnTsAfsMrj+Exr49M7vscsEGoI+tWWBq5C3QAk3ut8qs6pYIi+Io6n2lPUYulvX9cnuLBH4CFN52db8YPLbkzaa3hR97lzAKbq8Gw1nS4wIX/chv9amJzhTgDloQaeoZKALvZFJ6+LGwz2VqPI1Jo0jX0kps8OC+PSV2iSc//D+Yv4t8vaxVt8ELU5jCSqrgBDnLax73D1YVe0blGmDjUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PYQxkjq5RPU/Por1osyobmUNS8baSP7sCDPPpoLY+NI=; b=oAopCGnj8ds/d2Hwl8s49yLQm4mwmYdLiPiNRpIxFIx7FWEApX9fSZaLoVANo25pXJCNjvBFIfLH8Kr899fEIvUeoWr7jyCeszd8ma8Nor0+KabdLrZKsi5QmNGQrUDf6RSVd8CxqVNWDGt25sggg9gJmFCuPhIQowsgRr7Wd6c=
Received: from CO1PR11MB4881.namprd11.prod.outlook.com (2603:10b6:303:91::20) by PH0PR11MB5046.namprd11.prod.outlook.com (2603:10b6:510:3b::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.39; Fri, 31 Mar 2023 16:42:30 +0000
Received: from CO1PR11MB4881.namprd11.prod.outlook.com ([fe80::4635:eea4:8abb:bea1]) by CO1PR11MB4881.namprd11.prod.outlook.com ([fe80::4635:eea4:8abb:bea1%3]) with mapi id 15.20.6254.022; Fri, 31 Mar 2023 16:42:30 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: Mark Smith <markzzzsmith@gmail.com>, David Farmer <farmer@umn.edu>, Lorenzo Colitti <lorenzo@google.com>, 6man WG <ipv6@ietf.org>, V6 Ops List <v6ops@ietf.org>, Vasilenko Eduard <vasilenko.eduard@huawei.com>
Thread-Topic: [IPv6] [v6ops] Smaller prefixes (/64-/96?) for draft-collink-v6ops-ent64pd
Thread-Index: AQHZYiYfCXb+prGwK0CJbtwwuszGZK8RxQ0AgAAS6gCAAAYmsIABBxyAgAAYYjCAAOojgIAApZ6A
Date: Fri, 31 Mar 2023 16:41:04 +0000
Deferred-Delivery: Fri, 31 Mar 2023 16:37:30 +0000
Message-ID: <CO1PR11MB4881A6CF714CC18AB06553CDD88F9@CO1PR11MB4881.namprd11.prod.outlook.com>
References: <2f71dc17-5fee-6805-8848-0c3d32647897@gmail.com>
In-Reply-To: <2f71dc17-5fee-6805-8848-0c3d32647897@gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB4881:EE_|PH0PR11MB5046:EE_
x-ms-office365-filtering-correlation-id: cd1df6d5-c9c8-4227-bab3-08db3206eb32
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vFmP+eGz24KJ6ccd0yhFwmHVInwPdm618nwrkywEf3z4vV3SjsaBWEMmqtGJABFQx0q5MmrWBEOMLgSuSjlqTPh+UjCVw85aGqWR3vVNgIwOlzdb0dnBnHZruCe3M8xpBZRlXcFuWVYTFjoauFtSQ2+VWmCE3NHYq4dM8qvngGcXAfNTybO6D3Gl/sQz6GwKUnUPYVXlvROgvz5b2r8Hk3mOim2UEe3esKHph4iElJ92D32CNZ94aLdMmtwh5OGnU0kYBrPOvQPSux2jEnsMyNbxBU6okb+lXcsVNJSoM8NWaeY5ciUVzM5IzjJcFe6Wue2U//rcMhyZ7JOagZtjq9EzXCzZ6REUolIURuxheOGCggo+ERiHuYlTrhPYwaBIzvacMeiQ6vBZVXQkc9+5S0HSigwYS5a2bskJwt/TJotqNn1VMsHGZ9gHiKP3XHqAYw3hOmARWJOisePVzCCKEIFTUgGGWoN6C2f1s8tvoudgLAPWExgDjOz/U8rN+Xtr0ZtPDK+XdYx6fO0iIFFWER6FyWaEzLY8C87FsOF4IO6VXlDznJ1seZI8p0SiFZPVnxX6klN1XvCfp5GpKMYPIu5CQJ35TISKy+p+42lPZYGcVnNjKhkLTPJGbrSZw7ZTL5oocNG7pKNV8nnHKp1Yew==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB4881.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(396003)(346002)(376002)(39860400002)(366004)(136003)(451199021)(66899021)(7696005)(966005)(66476007)(478600001)(71200400001)(186003)(41300700001)(6506007)(66574015)(66556008)(8936002)(53546011)(83380400001)(55016003)(2906002)(9686003)(33656002)(64756008)(38070700005)(66446008)(86362001)(4326008)(6916009)(30864003)(76116006)(38100700002)(66946007)(122000001)(8676002)(52536014)(54906003)(5660300002)(6666004)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: SB/IM6/F3zJ9eMcXW0RSPtg8O7YHqL30BNP4xacfku5MsLsKva4nF0ct7WIXD6xfW6I1WohKO/MziHFWe6CdAxBquAgFsH+fwYkOgw0I4Iw69KJ/Tm2/MUZWdRRnTNO0lj7lhVuryBWU2Yp7KkqyeL9AxlQUTXyCure7hLP1HKnsGxAWaVADGb63tPGEnfTgFa5QUnWllIl8pneBZThNpzNFMyMZIIbJH00DrAwCcEDq8rVlsYC+5335W4jOw+h3GexE6N0xQ3+rxXpBh/BefaY+jrmCWsMj+tuHqPRrvA6w0YdqF7j+RwwpJ9yhHJjJNn7toWtE7PQM7hYfXpMj3BZPsLM+ugOILAHeKCYMnv2O4rZYpQbb0/tWbxg5pN8npjVUDmxaTIB0HGEeXzMCpGOkPp3LAv9YXQ9NROBSkUcL0VF94ob1Rqrw3bDhcuaBIRh+PygUj8eAJyizIylAONYql3vzrZ67Tk9w0zaq+JFVBrJTBoHO0GtDNEdngD1nUCwHM/seBrZIpFeHE1x8XDDAdGP8NONIujHmDUu5zWFsqZ32bX0KpGGUuUSv340Rs1Jl/wXHsSQQfgfjcQ2QzU6SssHV1k3FmYUh5PnIdKNZnMGs+WQrj8jIwR8F0FuxrCR9v+8PJKL9j+zHbifDB2KKgz9uT7K/nlnV2RPE+qLtXh12BgFwRpiRW9jalE+ujE20c6ELYKXNIPqYOiWiEpP2Yhp0qNjilROKoIP9PWmhbRvt2TGAiyKgSt1A7HO7ezDa6dPE118gWyShfaU+WCApctA28+HMZSsfVfMrg/EJRYaE0liJPoAPxcSQUSCSXdkMJSdzd5Xjtlp/UWncEQEiPKUj+Hwh6ilRKJsqoh7HFaYZM/dpIDa8vT6+wFrMF8EbxGvMFe+AwP6mIdcPPuoA0zIdO+PlrSOhZyIcyX3yHIz8+TdF1FVJ/d2WizYMeqLDg3SYUs8Ke0PjjTsFQ7KCdSZkSg/kcbZbfkZvVuKtOn0J/nvzBDnKNymgTUlrE4fSfPx3uFpDJ6VPuihXA6Mpgk2NrnlO/Y02+O4lp0CApDl4oXUSfG5hHAqEvdj55IbzIobawCVv91jquYwzlytjnrW6zh33fz5fNcCV1+evkrSZfGUlKKuHM8xyEehOgKRZaMmJjJkjpJ9vPyhNXSo2qVt4zBVfx/iMDPwUKCBmSrO3JZ4TEVS1O279M7iYVs+Z35E9RHSM7Hn+rBuOSlGVSygffsDBmm6Orx+1zqz6PnOrShhN1KiB1gYBAZYmvdpXRC45pFeaJTEP/Di6cwirAksoK3EHfyBWfbbmxAv3sdVe0E4ZEfdW992cx8dA+YWAAg2Xem+CcYYJb+2v8aYSFvhdI2gdp998lb1CEkZWiReSNRXmmZmkAq14sfWZ/wDYXcW9r8ldvY4fXyln/2210aA7WOWg+qrZV6OvZVQu/WZkoN3ugXlaOb3h30a7fCanSI43wdhHbgqzChIZU53cJkvHW31KSAfxxA46jEmWRJFpfguY4R7u7LTIE9wwFrAx5F5jSbJctCEN5R1CSyI+MJv6oVeXyJg+WIaz/4kFYBVRFG4i6OLXWd0qsTYuBWKswhXhT6vYTLws6cNWa6MZK04woxHJdkXQqtxIRD5lSKUAQYs61bK6bRSxF9d4
Content-Type: multipart/alternative; boundary="_000_CO1PR11MB4881A6CF714CC18AB06553CDD88F9CO1PR11MB4881namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB4881.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cd1df6d5-c9c8-4227-bab3-08db3206eb32
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2023 16:42:29.9768 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BScaQJsDf6CrTqzf+YVkoJYO0esOpgfp9Ef7B7aim0gDzQ6aoLwvqmj8hnZbEsIMHXNdLF/DQ03icMOCs4V3Uw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5046
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.135.125, xfe-aln-005.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/_DsEgzLCLFe5yQwGRMeNxeJ60YY>
Subject: Re: [IPv6] [v6ops] Smaller prefixes (/64-/96?) for draft-collink-v6ops-ent64pd
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2023 16:42:41 -0000

Hello Brian

Indeed we need to write that threat model down before we give any recommendation on how to delegate prefixes.

In that process we note that there’s the same number of addresses in a /64 regardless of the sizes that are distributed, as individual/128 or else. The threat depends thus on what additional information the attacker can get, from and inside compromised device or from the outside (e.g., a darkweb db).

In a case 2 attack, since there are still as many addresses to scan in the /64, one interesting difference is whether the attack is blocked by the router or not. The router offers more protection when it distributes many long prefixes (meaning small in size like a /112).
And as Mark pointed out in that case we want the host to own multiple prefixes in the case of small-size / long-plen prefixes, and to rotate them. Which in my book reads as we want something like a prefix stateful autoconfiguration.

Regards,

Pascal

Le 31 mars 2023 à 00:22, Brian E Carpenter <brian.e.carpenter@gmail.com> a écrit :
Hi Pascal,

On 31-Mar-23 05:21, Pascal Thubert (pthubert) wrote:
Hello Mark
The trouble we're going to have with this discussion is we don't have a privacy threat model for context. We don't know which types of attackers we're trying to have a host be private from, what information they have or can acquire etc.
Fully agreed that we need a threat model and all your words around that. IMHO the threat model should consider how bad it is to reach the host for an address that does not exist, vs. dropping the packet at the router.

Also, there are two very different types of threat model here, which might lead to different answers:

(#1) The remote tracking threat model (section 1.2 of RFC 8981)
(#2) The address scanning threat model (explored in RFC 7707)

My comment about /80 vs /96 was directed at #2. But the threat also depends on where the scanning code runs. If a host can be tricked into running a scanning script locally, for example, there are probably new vulnerabilities.

  Brian

Not if the network doesn't rotate prefixes.
The idea is not for the host to assume that the network rotates prefixes. To your point that the host protects itself, the idea is for the host to rotate a number of small prefixes the way it rotates addresses today. See that as address groups as opposed to addresses. This gives more addresses for the internal apps. And uses roughly the same resources on the router, at least when only stateful protocols are used (SFAAC and DHCP but no SLAAC which has its own costs and threats like DoS).
You can even autoconf prefixes like you autoconf addresses. The idea is that the host has a stateful IGP-independent UNI with the router to inject the prefix, so the can router redistributes that in its stateful IGP. See https://datatracker.ietf.org/doc/draft-thubert-6lo-prefix-registration/ <https://datatracker.ietf.org/doc/draft-thubert-6lo-prefix-registration/> .
I realise you deal with low bandwidth wireless scenarios, I wonder if bandwidth issues caused by 128 bits addresses is really a sign that IPv6 is fundamentally "too big" for your scenarios?
I appreciate your concern; As it goes, the problem is with the big irons, not IoT.
- Silicon forwarders pull a limited amount of heading bytes and make their decision on that . For that reason, everything that is for the destination should be at the end of the header chain (in a destination option) so as to allow more room for things that the router is interested in, IP header and HbH for a start. The expectation behind this is that everything in the IP header is crucial to reach the destination.
- In IoT we compress the headers with 6LoWPAN HC, 6LoRH and SCHC. So the size is not really a worry. We usually do not care for privacy that much, and derive IPv6 IIDs from MAC the old way. This way we can totally elide the IPv6 address that matches the MAC address.
All the best
Pascal
*From:* Mark Smith <markzzzsmith@gmail.com>
*Sent:* jeudi 30 mars 2023 8:57
*To:* Pascal Thubert (pthubert) <pthubert@cisco.com>
*Cc:* David Farmer <farmer=40umn.edu@dmarc.ietf.org>; Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>; 6man WG <ipv6@ietf.org>; V6 Ops List <v6ops@ietf.org>; Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
*Subject:* Re: [IPv6] [v6ops] Smaller prefixes (/64-/96?) for draft-collink-v6ops-ent64pd
Hi Pascal,
(Repeating some points others have already made, started this email much earlier today)
On Thu, 30 Mar 2023, 02:31 Pascal Thubert (pthubert), <pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote:
     *
     * A /64 per host gives the host a lot more capability to take care and ownership of its own address privacy as compared to trusting the network to do so when given a smaller prefix such as a /96 or longer.
 *
   Sorry Mark, I do not buy that at all. It’s quite the opposite.
Not if the network doesn't rotate prefixes.
   Once it is known (by the attacker) that the /64 is taken from a network that hands /64s out, then the correlation will be 100% based on the first 64 bits. 0 privacy when rotating addresses.
How does the attacker determine that a network is sharing a 64 bit IID space between a set of hosts or giving a 64 bit IID space to individual hosts?
   Ask yourself, if it is useful for attackers, long would that take knowledge to be available in the dark web? Today you can easily get the location of an address on the web, and it’s usually quite good.
The trouble we're going to have with this discussion is we don't have a privacy threat model for context. We don't know which types of attackers we're trying to have a host be private from, what information they have or can acquire etc.
Without that threat model, types of attackers, the information they have and can acquire, I think we need to aim for a privacy minimum or baseline in these IDs. I think that means giving as much responsibility and resources to the hosts for their own privacy by default, so they don't have to rely on the network to provide some or any of it.
Which is a worse host privacy situation?
- A host that has been given an unchanging /64, giving it 64 bits of possible IID randomness for how ever it wants to use those bits to attain privacy (per packet spread spectrum addressing for a connection? Tony Hain mentioned that idea at APNIC 38 when I met up with him there) and doesn't have to assume the network will rotate /64 prefixes, or
- A host that has been given a /96, a /104 or a /112, and then must assume the network will rotate prefixes, can't be sure of it, and has to risk its privacy to somehow measure if the network is providing rotating prefixes or not?
Privacy like security is relative, not absolute.
   With /64 per host, you effectively end up with what some people wanted to build 25 years ago: an IPv4 with 8 bytes addresses (at least for what is used in forwarding), DHCP only, 0 privacy. The remaining 64 bits become wasted expensive space in the IP header that could better fit in a destination option but that all the silicon forwarders along the path have to load and deal with. Lose-lose.
I don't think the lower 64 bits are wasted, they are providing addressing privacy that is in the hosts' control and other conveniences such as a simple default subnet size. Waste only occurs when there is no useful value gained from the resource.
The bandwidth consequences of 128 bit size of IPv6 addresses wasn't a concern back in May of 1994 when IPv6 addresses were changed from 64 bits to 128 bits. Since my Internet link has gone from 33 600 bps to 100 000 000 bps in that nearly 30 years, as have many other networks, the bandwidth overhead can only be less of a concern since then.
https://www.sobco.com/ipng/archive/sipp/message.31.may.94 <https://www.sobco.com/ipng/archive/sipp/message.31.may.94>
I realise you deal with low bandwidth wireless scenarios, I wonder if bandwidth issues caused by 128 bits addresses is really a sign that IPv6 is fundamentally "too big" for your scenarios?
Regards,
Mark.
   It would be a lot better to get a number of random size (/96 and longer)  and rotate them, using very few addresses in each, maybe for applications that are not afraid to be correlated. Prefix Autoconfiguration is doable too, long as you have a “DAD” process that 1) works and 2) considers overlaps.
   All the best;
   Pascal
   *From:* ipv6 <ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>> *On Behalf Of *Mark Smith
   *Sent:* mercredi 29 mars 2023 16:53
   *To:* David Farmer <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>>
   *Cc:* Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>>; 6man WG <ipv6@ietf.org <mailto:ipv6@ietf.org>>; V6 Ops List <v6ops@ietf.org <mailto:v6ops@ietf.org>>; Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>>
   *Subject:* Re: [IPv6] [v6ops] Smaller prefixes (/64-/96?) for draft-collink-v6ops-ent64pd
   On Thu, 30 Mar 2023, 00:46 David Farmer, <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>> wrote:
       On Wed, Mar 29, 2023 at 05:06 Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote:
           On Tue, Mar 28, 2023 at 1:36 AM Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>> wrote:
               > Please keep in mind that the host running a DHCP-PD client (one the code development might be needed for) is not necessarily  the only host using the delegated prefix.
               > In the case of virtual OSes or expanding the network behind the host the prefix is used for SLAAC by other systems so we shall ensure all of them would work.
               DHCP-PD could not happen automatically, it is possible to support the configuration
               when the link would have 1) many /96 hosts and 2) /64 router
           I think you are confusing the host itself with other hosts behind it that it wants to extend the network to. If the host wants to extend the network, SLAAC is the only thing that is guaranteed to work for any IPv6 implementation, because it's required by the IPv6 specifications.
           Nothing today can do SLAAC on a /96 so if the host got a /96 from the network it would not be able to do anything with it other than create IP addresses for itself.
       Lorenzo,
       If the host (in this case, more accurately, the node, since it is extending the network to other hosts) wants to extend the network to other hosts, and the network the node is attaching to wants to allow that, then yes, SLAAC and a /64 prefix hint with DHCP-PD seems the most appropriate way to accomplish that.
       However, you have said your objection to DHCP-IA_NA is the host needs the network’s permission for additional addresses. But with DHCP-PD with a /96, the network is given the host 4B address to do with as it sees fit, and short of extending the network to other hosts (again, technically, that’s a node), that seems like enough addresses for an individual host to do anything it could ever want to do. With 4B addresses, every process on a host could have its own address and still have a few billion leftovers.
       Furthermore, the host doesn’t need to use SLAAC or ND to utilize any of those 4B addresses. It’s an internal matter within the host. SLAAC and ND are needed to coordinate address usage with other hosts, and in the case of an individual host, that’s unnecessary.
       Now when you start talking about virtualization and multiple virtual hosts within a single physical host, then SLAAC and ND are probably the best way for those virtual hosts to coordinate address usage with each other, and then a /64 again seems most appropriate.
       While I still think recommending a /64 per host is appropriate to allow the most flexibility and to allow extension of the network to other hosts, physical or virtual. Nevertheless, longer prefixes should also be allowed as well. If we are really only attaching an individual host, then a /96, a /104, or maybe even a /112 seems more than sufficient for the addressing needs of any individual host. Furthermore, this would allow more bits for the network to randomize part of the prefix to restore some privacy to the host that is lost by assigning a whole prefix to an individual host.
   What if the network hands out /112s but  doesn't periodically change the prefix?
   What can a host do if the network doesn't provide the level of privacy the host wants?
   How can a host determine what privacy levels the network will provide without the host having to risk its privacy to find out?
   For example, say a host wants its prefix changed daily, yet the network changes it weekly. What does the host do after 24 hours?
   Its only choice is to disconnect and then never connect again because it doesn't know if it is going to get the same or a different prefix. If it was given the same prefix if it connects again its privacy requirement has been breached.
   What if different hosts want to implement different privacy measures? They will all be bound and limited to what the network provides, rather than having the choice themselves.
   The less a host has to rely on the network for its privacy, the better off the host is. This is the essence of the end-to-end argument - if you want something done properly, you need to do it yourself.
   A /64 per host gives the host a lot more capability to take care and ownership of its own address privacy as compared to trusting the network to do so when given a smaller prefix such as a /96 or longer.
       With a /64 per host, the randomized IID will be much less effective from a privacy perspective, where shifting randomized bits to the prefix could restore some privacy, at least Internet-facing.
       Thanks
       --------------------------------------------------------------------
       IETF IPv6 working group mailing list
       ipv6@ietf.org <mailto:ipv6@ietf.org>
       Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
       --------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email