Re: [IPv6] ULA vs. 1918
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 16 August 2023 15:43 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B468C15198C for <ipv6@ietfa.amsl.com>; Wed, 16 Aug 2023 08:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.905
X-Spam-Level:
X-Spam-Status: No, score=-11.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="ja6rghG9"; dkim=pass (1024-bit key) header.d=cisco.com header.b="enIibmm+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OC84eby1v-j for <ipv6@ietfa.amsl.com>; Wed, 16 Aug 2023 08:43:21 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56343C151701 for <ipv6@ietf.org>; Wed, 16 Aug 2023 08:43:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15666; q=dns/txt; s=iport; t=1692200601; x=1693410201; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=6HN1f6hd8oaJD0TRm1df5lFUfJP4H909vPlnzzPm6fM=; b=ja6rghG9M+J7wO4Nr4wpmqw+B5Qr0yMWBD4YlhoBtf4jXaxPYgoYaPWJ tFFIUnf9dDBh44hmXtsXc3d7YOXPjnNarBMHjh1HcAN/RLGD6f7Ktcn7x 2nFPjv3MgfDlRYSJpqy8tZ4zJ8EixQS3T+978Kz83asdlj8BQu//7GONh A=;
X-IPAS-Result: A0AZAAAE7txkmIMNJK1XAxwBAQEBAQEHAQESAQEEBAEBZYEWBwEBCwGBYCoodAJZPEeEUYNMA4ROX4hgA4tahV6GKoE4hF8UgREDQhQPAQEBDQEBLgsLBAEBhQYCFoZHAiU0CQ4BAgICAQEBAQMCAwEBAQEBAQMBAQUBAQECAQcEFAEBAQEBAQEBHhkFDhAnhWgNhgQBAQEBAgEBARARBA0MAQEsBgUBBAkCAgEGAg4MAiMDAgICGQYGCxQBEAIEDgUIEweCXAGCKgMOIwMBEI9Qj04BgUACiiZ6fzOBAYIJAQEGBAWBTkGuBw2CSQMGBYEQLQGHYgQaAWVngVmEIoIzJxuBSUSBFUOBZoECPoIgQgEBAgGBKAESAQMGGhUKCxuDFDmCLodOgTV1hQo/BzKBUlqLNgkhgQgIXoFuPQINVQsLY4EVgkcCAhE6E1BxGwMHA4EEEC8HBDIdBwYJFy8lBlEHLSQJExVABIF4gVYKgQM/FQ4Rgk8iAgc2OBlLgmYJFQw0UHgQLgQUGG0nBEslBRoVHjcREhkNAwh7HQI0PAMFAwQ2ChUNCyEFFEMDSAZQCwMCIwUDAwQdA0QdQAMLbT01FBsFBD0pWQWeLHEVgUIQHT4GPioULxAgAi4LKgUOLRUEKx4BBAsGARApkhgdCQg5gllIjwmeG28KhAuKGIFmjxSGKBeEAZNZkR9imCqNYIN0kH4rE4UJAgQCBAUCDgEBBoFjOmtwcBU7gmdSGQ9WjUoMDQmBBgEJgkKFFIpldgI2BQEGAQuIeyyCLgEB
IronPort-PHdr: A9a23:3iaKpBey1NnZSJkr0TzvF79XlGM/fYqcDmcuAtIPgrZKdOGk55v9e RGZ7vR2h1iPVoLeuLpIiOvT5rjpQndIoY2Av3YLbIFWWlcbhN8XkQ0tDI/NCUDyIPPwKS1vN M9DT1RiuXq8NBsdA97wMmXbuWb69jsOAlP6PAtxKP7yH9vKk8Sq3e2o57XYYh5Dg3y2ZrYhZ BmzpB/a49EfmpAqar5k0wbAuHJOZ+VQyCtkJEnGmRH664b48Mto8j9bvLQq8MsobA==
IronPort-Data: A9a23:T+ypi6uUsRWt6NiC6A9DvQglC+fnVC5eMUV32f8akzHdYApBsoF/q tZmKW7XP/yNZTHyft5wPI3n80oDscLUx9dgGVFvqXozRnkVgMeUXt7xwmUckM+xwmwvaGo9s q3yv/GZdJhcokf0/0vrav67xZVF/fngqoDUUIYoAQgvA1c9IMsdoUg7wbVh0tc22YLR7z6l4 LseneWOYDdJ5BYsWo4kw/rrRMRH5amaVJsw5zTSVNgT1LPsvyB94KE3ecldG0DFrrx8RYZWc QpsIIaRpQs19z91Yj+sfy2SnkciGtY+NiDW4pZatjTLbhVq/kQPPqgH2PU0bR92uh6ExolN8 8gQ6KDoTQx2FbXRl7FIO/VYO3kW0axu8bvDJz20ttaeihSAeHr3yPIoB0YzVWEa0r8oWicVq 7pBc3ZUNUnra+GemNpXTsF0msQ+JsTxIKsUu2prynfSCvNOrZXrGvmTtI4Hgmdo7ixINfnbf PQjMiFXVwjRUQAWCFs+OK4Bjfj90xETdBUB+A7K+sLb+VP7zRRvjpDsPcbbPNuQSq1ocl2wr 2bC+SHyBQsXcYXZwjue+XXqjejK9c/mZG4MPLng189BjQTK+lcOVUAqDV+w/tKhl0HrDrqzN Hco0iYpqKEz8mmiQd/8QwC0rRa4Uvg0Boo4/woStV/l90bE3+qKLjNfFm8bOLTKoOdzFGJ0i gLV9z/8LWE32IB5X05x4Vt9QdmaECwRIGlqicQsElZdu4OLTG3ecnvyojtLGaqxiJj+Hiv9h mnMpykljLJVhskOv0lawbwlq2z2znQqZldqjukyYo5DxlgoDGJCT9f4gWU3Fd4acO6koqCp5 RDoYfS24uEUFo2qnyeQWugLF7zBz6/bYWeF2wI1Q8N/qG3FF5ufkWZ4vmgWyKBBbJ5sRNMVS BS7Vf55vcUKZyL6McebnaroU5h6pUQfKTgVfqmEMoURCnSAXASG5yppLVWBxHzglVNErE3ME cnzTCpYNl5DUf4P5GPvH481iOZ3rghgnjm7bc6gkHyaPU+2OST9pUEtagXeN4jULcqs/W3oz jqoH5LWkUoEDLCkPXm/HEx6BQliEEXXzKve8qR/XuWCOQFhXmomDpfsLXkJIt0Nc3h9/gsQw kyAZw==
IronPort-HdrOrdr: A9a23:m9YMC6x+DM2Fh6vQvjIuKrPxg+skLtp133Aq2lEZdPULSK2lfp GV8sjziyWatN9IYgBfpTnhAsO9qXO1z+8T3WBjB8bSYOCAghrmEGgC1/qv/9SEIU3DH4FmpN xdmyYVMqyLMbEXt7ee3OD8Kade/DDlytHnuQ699QYRcegCUcgJhGsJaXf4LqQ1fng7OXNTLu v72iMznUvZRZ1hVLXDOpBqZZmmmzTMrv/bSC9DIyRixBiFjDuu5rK/OQOfxA0iXzRGxqpn2X TZkiTij5/T882T+1v57Sv+/p5WkNzuxp9oH8qXkPUYLT3ql0KBeJlhYbufpzo4ydvfq2rC0e O84SvIDf4Dr085TVvF5icFHDOQlgrG3kWSjGNwR0GT+PARCghKU/apzrgpAicxo3BQz+2Ulp g7nl5wc/FsfEn9dOOX3amSazh60kWzunYsiugVkjhWVpYfcqZYqcgF8FpSC4poJlOw1GkLKp gmMCjn3ocfTXqKK3TC+mV/yt2lWXo+Wh+AX0gZo8SQlzxbhmpwwUcUzNEW2i5ozuNxd7BUo+ Dfdqh4nrBHScEbKap7GecaWMOyTmjAWwjFPm6eKUnuUKsHJ3XOoZjq56hd3pDhRLUYiJ8p3J jRWlJRsmA/P0roFM2VxZVOtgvARW2sNA6dvP22J6IJzYEUaICbRRFrEmpe4fdIi89vd/HmZw ==
X-Talos-CUID: 9a23:X8x1uGN0KtWfY+5DXHFGxWUZQ5kZSWCAkUuIJ0TnIn50R+jA
X-Talos-MUID: 9a23:cWv0EgUusCWrcFDq/DDpnw9Yb9xQ2Li/Ol1Uo5kvi/W7JDMlbg==
X-IronPort-Anti-Spam-Filtered: true
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-5.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Aug 2023 15:43:14 +0000
Received: from alln-opgw-5.cisco.com (alln-opgw-5.cisco.com [173.37.147.253]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 37GFhEC1013829 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <ipv6@ietf.org>; Wed, 16 Aug 2023 15:43:14 GMT
Authentication-Results: alln-opgw-5.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=pthubert@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.01,177,1684800000"; d="scan'208";a="5666449"
Received: from mail-bn8nam11lp2168.outbound.protection.outlook.com (HELO NAM11-BN8-obe.outbound.protection.outlook.com) ([104.47.58.168]) by alln-opgw-5.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Aug 2023 15:43:13 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B9OrcUKuiYxPRcmeUpD2p5jxi+65ZoapwTnDjxJixpIHPC0BDwI/XYvQ1/IGo38lsWIQF3VrVXOY2fjDvYPp8PpfhJgrCJjDow0XLoxH5992CNVbCg27XEJboTpAjZ5Kgp5t4iiijsqOKW6PHeoddRk3hSNbQNo1Vvsb6Wxlo4sFSqUHuo5tDhXtTjyd8KBwn6/Gel/nol7oItORCTjtWyI2FFBHwtG5LUKQNQSP4PBr2DCYXmIk1WXDUtBij5U8qk4hmUtxS4KBajrzPwT096TYN36tqRBlpfeol0R6Mt3e0UDZ0R9Q6z7Q5N8ghhHT9WIVgS8D3nGKfw5c/xbiZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6HN1f6hd8oaJD0TRm1df5lFUfJP4H909vPlnzzPm6fM=; b=K/f+/sYYVzVr2ZmxrPk6a3rKnf8+wTLO9mkfltb2+QZ9Z2X9A+kITfMTc54L4QOrF3mZ5Tr1E++Tb/TKyNr+9yU8FGqEbTSeaQ0gn0ikMhLlBIz+6awDmXumWyYekUef04o2Bg798Mc4kSTt4Sscc+D0VNQLNleMTLUuilRsiXabbaX6GOZxl1QqSEieHbL91CcmcM3Js66HIzXhu1rcWWP3pq1MEHxC3MFIoZMPov4qRT2jk67C1IF1V4p0QNClkqJ8+fkx3xeenooasiekNjdN1Ef84y8psS3N9KBLMXTo4sunPgYODfk2y0EwIMTBoIuZHUkGU9X8t0zFuYAU0Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6HN1f6hd8oaJD0TRm1df5lFUfJP4H909vPlnzzPm6fM=; b=enIibmm+ZSo2LfyfueabyyKzpEK9+inPUb/S6Nbd4shfLZpc1ygT6G9j0vqsmNjR9VumI/urdtci6QtGXY5ZgdNRmb+R8pEKcq8RUi/1nIFC1H6G5Wo1y7vamDabvjBBur5gtWmGh2YJ4vInmlQuB5sKC5max62jBOcRdUwcgYw=
Received: from CO1PR11MB4881.namprd11.prod.outlook.com (2603:10b6:303:91::20) by PH7PR11MB8501.namprd11.prod.outlook.com (2603:10b6:510:308::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6678.26; Wed, 16 Aug 2023 15:43:11 +0000
Received: from CO1PR11MB4881.namprd11.prod.outlook.com ([fe80::9ca3:7661:4c9a:3561]) by CO1PR11MB4881.namprd11.prod.outlook.com ([fe80::9ca3:7661:4c9a:3561%7]) with mapi id 15.20.6678.029; Wed, 16 Aug 2023 15:43:11 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Ted Lemon <mellon@fugue.com>
CC: Brian E Carpenter <brian.e.carpenter@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Thread-Topic: [IPv6] ULA vs. 1918
Thread-Index: AQHZnh6QpEvEDttOvkqs/AsdkMKBiq+J1sSAgAAcISWAABI1AIAAAOPqgACAIICAAFUigIAACPAAgAAFHwCAAJMaFYAA2pUAgACtyUSAAIOwAIAABH7egAAjNACAAAIZZYAAAn2AgAAK04mAAAkzgIBfppCg
Date: Wed, 16 Aug 2023 15:42:53 +0000
Deferred-Delivery: Wed, 16 Aug 2023 15:42:36 +0000
Message-ID: <CO1PR11MB4881D59A3EDF82FA031E9125D815A@CO1PR11MB4881.namprd11.prod.outlook.com>
References: <CAJU8_nW36iEWvYHu6qAGvnEKeJ1P1w4BLov+VdSeZ06XLFXDRA@mail.gmail.com> <252E7296-D071-4E2C-971C-63E18694ADB8@isc.org> <CO1PR11MB488198C7174F42A6027656B4D85AA@CO1PR11MB4881.namprd11.prod.outlook.com> <2727C342-C0C4-42E5-B75D-51174FB7F59E@isc.org> <CO1PR11MB488139AB1EC0F8D15184F6D0D85AA@CO1PR11MB4881.namprd11.prod.outlook.com> <CAN-Dau2zjmU0TXEDJyc52W=TiHXAhjnzwAqtEcpE469buH7prQ@mail.gmail.com> <24af315f-f096-cbc5-82e3-984070825541@gmail.com> <CAN-Dau3745bRSQS_Bgsb9yp0M-GK8wjToQLN9qf9PpiA=quBmQ@mail.gmail.com> <54d56b6a-1934-33fe-a8b5-e2b5408abf19@gmail.com> <DAFB73BA-D993-4957-A5A5-0B9D53E89AED@cisco.com> <99c35b98-71e3-f304-02df-0ba849220392@gmail.com> <FE8A0C37-0480-4D68-8343-B05C859BC2F9@cisco.com> <CAPt1N1=TYVbaYk1T-3RzVp+n-Uqmtmvkr=SxG=E-QbOuaEaOHA@mail.gmail.com> <CO1PR11MB48812878301CDDC2CA8D277DD858A@CO1PR11MB4881.namprd11.prod.outlook.com> <CAPt1N1=xgewgdMVLqgiYSPWR=htBYaWLS41vJfdxFLYmEwEd1g@mail.gmail.com> <02B40094-A14F-47E3-911F-9A314A5978A2@cisco.com> <CAPt1N1mWpweM-dKdtHK5jiCVb024s6nQ17PKDLNX+MBxSX5PJg@mail.gmail.com> <C0A33B04-AA2F-40C1-9B4F-63AC93F84D0C@cisco.com> <CAPt1N1nUY7e5EbiZotbXMVzLARSN4=v56nSWGUPR6t4i+GXvMQ@mail.gmail.com>
In-Reply-To: <CAPt1N1nUY7e5EbiZotbXMVzLARSN4=v56nSWGUPR6t4i+GXvMQ@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB4881:EE_|PH7PR11MB8501:EE_
x-ms-office365-filtering-correlation-id: 0b4b1046-dff7-44bd-bed5-08db9e6f7f3d
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tYYIT+E+Jm8pU8M0BvmHckvewGocRznmhmlFMf/oQH3T9FptHjcjAk9wTocF0rVv+Mq+0yBZj5QO2PiWTIGK/rB7M+uSXnibxYgK6/EGymZZht6OjUlezwzGklMc+4cvElY0PbNEKcoGO5zWk0LRG9iaU8597EJj3L07p1CoeQl3AULvCZE9gYcLQZ/CmtgtTALWmYlrCyatJac6Zh0w+deNfIxHj6TzaDTK0LzO0ud+z6BHqSsiQdOZhieDcdDvT3mTWk2n7NuJcOCUqlUVrtJ+GK1MEkbc2wIK+SVUDWhmN5xyrcvtJ192ONqY8qaIwF5huCpBprsUX4PmT9mofVLw93NlpSBeBlYnUHYjIBV6pTEUDdblQ/hDD5k1zNrvY5/WDttZ0r0FdjAxegb022bSRc/nN1FEdePC8pFQ+UosaO0LCZGcD8XgWkcFBVfBR9OH5xNLxG/gEg+5qkHd6lc6M2Go9gHRVIPICMfxW4h2tHNjXs9PPniqpGQQpPWgE9fFdiDorX/bYDOYGfNKTsqGPUSEqJ9z8ZRQjtRBnMj4HtJLU7dd3cBSX/OHpTKRR1OnV7CUb0xYlL4mTUgD2+K8U2jXwFWKMoVFrAbAJ4t7bd//hZR2eWGZZtEdg0Fmah4oiUpynDOniMOKlr6aXQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB4881.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(39860400002)(346002)(366004)(376002)(136003)(1800799009)(451199024)(186009)(316002)(54906003)(76116006)(6916009)(66946007)(64756008)(66476007)(66556008)(66446008)(122000001)(966005)(41300700001)(52536014)(5660300002)(66574015)(38070700005)(38100700002)(8676002)(4326008)(8936002)(30864003)(2906002)(83380400001)(26005)(55016003)(478600001)(86362001)(9686003)(40140700001)(53546011)(33656002)(7696005)(6506007)(6666004)(71200400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Aenx+RTHT3Wa0rXsX6drhntdcSwkrDbmRDD3fyDewzSXwIeQuBVZ1XmUP2hRxWllugAT+0ApERiRnnsfzXHGMHV3iSF8PJ+8v1YxLsg58y3ryuHLP4iI6svnsOt9VRb2ZY8LlENVir2vukiAiZHKlbr6HP6BNgPMualMOUvppQBRJgDRZRoRX6B8Z7wdtzun+hpCrC8dn9YUs6H+ZljsOc7KY8MOM56dIYVgsEJ3jAM1qDHc8cndq8hzKl3Aoqfqs91LaBmUwQpUbGT7CaJVlH6yi/rKHvX/omHUHAaT2WuMG3guDXHyPWfWiCdH1ov892utxS4srETkLfdOCazs/+IBpTYlua2VvXROp5LqQhlILRG8bFcYfi0wOY58SbnlFCH1n0eROBgP+IigBXChQPQ4V2+gQn0ifoGfqowYX4Osf5liEqnoe6n3pELf86D/dzMrn2kmkne1ieIm+3v+2Yt/z0OgkvPzqjS5wXRm4tQkiknYyQ/1Mt0vY48yOYzs59vL4vn3y2kg14VJMJREIm2OMgV45hrarVxbHFcrIr3eXfPpgH7dedvY10OEpQroiykS5xJ/bkSa+n63Sr1Fa6xB4pD3ax/eFafPhhKyawT+4Sv18igQpuTXBtZQgkF8WNyhPQ1/YEsc0w/0Gs/WlZGh4ciRwIJMxhPRCahDISN1OqpkAXhqZ5O1ZToYlYDw11tBMMpq3QiI7vIp8wPz8y3a0gvD+IOgpy/J7/JSMrhf1qCifrzBAT4i/YLgbfPFNDA2LNPygrlVEufhYyes7tOLRCneVMsmT49RU5s84L0HdSyd1r8KrM8dzdT+lh8yyjRpcH79Jm371cOHzFumAmuKUAA4mvjfsMG0mrV/cGF8JL87x4mCks17mjlfds1oQ1tUriVqVQUVC4QHeOwCIqoe1a/yhbTz38daxuFBhnL/OUNFO2ac1TPyof98O9jAVE5/w2LOqUmq4/79BXcdezCn0HpNBI8ugzMpUiVmsfrYw1NsoyypF9pX2TnsYUI4vo7NklZ+LXZqkYRGW8EkLmhf5MJOT4dRBCKuRc319qRqKgNpsMyLWnxwpEOcbmIJ0IkkLUlNlkBEb6rCryqA7XrsHsBzu8qO1fhU8IpcCrdcT0s8aiCdkoT7sLpa7dZ3WO3lXBtKsEOID30uJiVw0S0TQlNZ8+lMG9bf6xJsLNlRV07mgTeSPnTwUKC36k1jtXZy+TsRjk8ML76HC5S+UMMdFY5PCTWSoYf9ONUcC/eY2QmukSNq4ttvD1W9fxHB0r9+YIdwurPkSbKmC58+VNLpidGKH4eeV6SGxc4VcpM6o1mKfnRlj8z1pDPFTxaQnG40OFGYv0YH+qJgpMFbUALwI0pg1sOucPXM2qqH13IpwNEtQiEFBuY5jAz1KJbmUZRtLXDerr6s3VIbMYE4wRyEX7FvJr7TYAKY87/sWtCXaVQmDP3kR+Et0oGmAsp2AVu7MfIXyYPcQ8DXGuHtjxuDG+OW5iMPEo8LicLL1HO5+xZzq1OFWncOGDYPAkHHfo80COgv6goZrlh1N157fy9R1PxtCM6ITWdw5LK1/1mS5biqIen+Ik0nhzwQ1twl
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB4881.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0b4b1046-dff7-44bd-bed5-08db9e6f7f3d
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Aug 2023 15:43:11.6070 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: q0ZQYOUvHsM3RPVC64LhxuztAsp4fvL5/U4AnId0uXJtRMGMXbQytUlasPdaCzYsdP8qMyUQyEW6nfuXnaDHHg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR11MB8501
X-Outbound-SMTP-Client: 173.37.147.253, alln-opgw-5.cisco.com
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/_OTbyySn2A4KOGSjWV3FMLlHL38>
Subject: Re: [IPv6] ULA vs. 1918
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2023 15:43:25 -0000
Hello Ted: I realize I failed to respond. Sorry for that! > Two observations here. First, it's never a good security practice to make decisions based on source address. So I don't think this is a very convincing use case. Second, this use case presumes that we can solve the really hard problem that I think we all know we can't readily solve. We are throwing good use cases in the trash to support a use case of questionable value that's really hard to get right. I just don't see the benefit. About observation 1) The decisions in question are a) for SAS whether to prefer ULA<->ULA over GUA<->GUA. b) for the destination to accept the packet and answer c) for the hosts and network to play EH games that are only valid within a domain about a) see thread Best Source / Destination address pair about b) the receiver knows at least that the answer stays within the domain. This can be a SYN attack, but once the 3-way is done, the receiver knows that the sender is inside the domain (or has a trojan inside). This is some level of security, not claiming absolute security. About c) it's a safer to place EHs in ULA<->ULA packets because the EH may cause issues when leaked outside. About observation 2) I'm missing the point. Can you provide an good use case example where GUA<->GUA is preferable over ULA<->ULA, provided that the ULA pair works? All the best Pascal On Fri, Jun 16, 2023 at 2:11 PM Pascal Thubert (pthubert) <mailto:pthubert@cisco.com> wrote: Oh you’re right, my logic is flawed there. I was expressing a real property but not applicable there as you point out. Step back: Say the stack has all addresses but knows that it can reach a server GUA with a ULA. The server that replies will know that the client is local and that can change the security posture of the connection. This is for the original case. In that regard ULA is better than GUA. And a node with only ULA as you point out can control its external reachability eg by obtaining temporary GUAs from a home agent at the border of the domain, using the ULA as CoA and the GUA as home address as in section 4.4 of RFC 4864. Compared to rfc 1918 and NAT this places the control in the host as opposed to the NAT box. In that regard ULA is better than rfc 1918. But it only works if the host knows that ULA will work proactively or very quickly on demand… Regards, Pascal Le 16 juin 2023 à 19:33, Ted Lemon <mailto:mellon@fugue.com> a écrit : The message I was replying to said: packets to/from the ULA can only be injected within the ULA domain of routability. This creates an isolation against external attackers which have to be inside or use a trojan to attack an ULA only node. So that means that the node is ULA-only, and is not reachable via GUA or 1918. If the node has all three, then isn't it the case that it's attackable using the GUA, and hence the security concern doesn't apply? And if it only has ULA, it's only attackable from within the routing domain of the ULA, and hence there's no security issue? Sorry to belabor the point, but if you think there's a security issue here it would be good to characterize it clearly. On Fri, Jun 16, 2023 at 1:23 PM Pascal Thubert (pthubert) <mailto:pthubert@cisco.com> wrote: Ok we’re not on the same case that’s why. I was discussing the preference between GUA ULA and 1918. When a node has them all. Saying that actually ULA when done well could have the best properties while the state of the art makes it least preferred… Regards, Pascal Le 16 juin 2023 à 19:16, Ted Lemon <mailto:mellon@fugue.com> a écrit : Okay, but it seems like there's no problem then, since the node is ULA-only. It's only when you number the node with a GUA and publish it that it becomes reachable. So, from an operational perspective, what is the use case you are thinking of where this is a problem in a practical sense? On Fri, Jun 16, 2023 at 11:12 AM Pascal Thubert (pthubert) <mailto:pthubert@cisco.com> wrote: Hello Ted packets to/from the ULA can only be injected within the ULA domain of routability. This creates an isolation against external attackers which have to be inside or use a trojan to attack an ULA only node. regards, Pascal ________________________________________ De : Ted Lemon <mailto:mellon@fugue.com> Envoyé : vendredi 16 juin 2023 16:53 À : Pascal Thubert (pthubert) <mailto:pthubert@cisco.com> Cc : Brian E Carpenter <mailto:brian.e.carpenter@gmail.com>; mailto:ipv6@ietf.org <mailto:ipv6@ietf.org> Objet : Re: [IPv6] ULA vs. 1918 What do you mean by “secure” here! Op vr 16 jun 2023 om 03:02 schreef Pascal Thubert (pthubert) <pthubert=mailto:40cisco.com@dmarc.ietf.org> Hello Brian If I have a ULA and my destination has a ULA and routing enables connectivity between the 2, ULA to ULA seems to be the most secured choice (because there’s some control on the diameter where an attacker can operate). But then how does my stack know? Sure, routing does to a point (default routes obfuscate). So I could leave it to trial and error / eyeballs. But isn’t that a demonstration that the information available at the stack is lacking? What we want is the stack to know which prefixes a ULA can reach from the routing standpoint, and if an ULA can reach a prefix, allow to prefer a ULA. The ULA to ULA routability could be expected / inferred within a 48, but my point above is that it’s doubly a mistake to resort on that. I’ll add that outside the 48 boundary, ULA longest match is not your friend. If you have 2 ULAs a and b and a destination c outside a’s and b’s 48s, but a longer bitwise match with b, does that mean anything about which of a or b can be routed to c? Ne. This is why for each PIO of an ULA there should be a train of prefixes that an address formed from the address in that PIO can reach, with a preference (vs other PiOs) That’s the only way to unleash the power of ULAs. Note along that vein: there’s no point making GUA prefixes special in that logic. If the ULA can reach a GUA, then the ULA is still a more secure source address. Placing a GUA in the train with a preference should be acceptable. For the return path, the GUA should assume symmetrical routability: if the ULA packet reaches me I can reach it back (because it is hopefully filtered at the site boundary). IOW we could consider RIO as the router-level “the originating router can reach this destination prefix with this preference “ and a RIO-prime attached to a PIO would be the source address-level “a source address formed from the prefix in the PIO above can reach this destination prefix with this preference “. This destination prefix being a global address, ULA or GUA. Note that RPL use that sort of semantics very successfully. More so with upcoming signaling in https://datatracker.ietf.org/doc/draft-ietf-roll-dao-projection/. I’m not asking you to read the draft but it’s a good hint at how powerful the concept of AGP can become. Take care, Pascal Le 15 juin 2023 à 22:40, Brian E Carpenter <mailto:brian.e.carpenter@gmail.com> a écrit : On 15-Jun-23 19:38, Pascal Thubert (pthubert) wrote: Hello Brian Today the only reachability that is assumed seems to be the /64. Based on the current standards one could assume that /48 is reachable as well but I’d not like to case that in stone in the stacks. The /64 experience with SLAAC should have taught us a thing or 2. Routing will determine whether the whole /48 is reachable. There's not too much we can do about that at the address selection stage. This is more a matter of scope; and as things have evolved, the nearest thing we still have to site-local scope is a ULA /48. I completely agree that this is classful addressing (even link-local is classful). However, it would not be cast in stone in the code, since it would be in a configuration table. Do we have a better solution for the *default* behaviour? (There is an argument for the default table being defined by v6ops, not by 6man.) Brian This is why I jumped in the thread. The ULA may reach a shorter aggregation (even if to Lorenzo’s point that is not fully legal with the current text), and it may reach other ULA prefixes. So hardcoding the /48 is not only repeating an error of the past but also not sufficient to avoid the need of DHCP, as soon as the network gets fancier. And it will. SNAC is just one example. I’m looking forward to seeing what the new draft proposes. I hope for a per PIO option inspired by RIO. Basically for ULA all the access le prefixes would be listed with a preference. Along the same vein I hope for another per PIO option, also inspired by RIO, that indicates the router preference for a source address derived from that prefix. Regards, Pascal Le 15 juin 2023 à 00:52, Brian E Carpenter <mailto:brian.e.carpenter@gmail.com> a écrit : On 15-Jun-23 10:33, David Farmer wrote: On Wed, Jun 14, 2023 at 17:01 Brian E Carpenter <mailto:brian.e.carpenter@gmail.com <mailto:mailto:brian.e.carpenter@gmail.com>> wrote: On 15-Jun-23 04:56, David Farmer wrote: > I've been thinking we should extend RFC 8028's use of a PIO with A=0 and L=0 for choosing the first-hop router. By adding to that, if the prefix is from the ULA range, then the host should also treat the prefix as a Local ULA prefix from an RFC 6472 section 10.3 perspective and add it to the table as a local ULA prefix. What is specific about A=L=0 in this case? Why wouldn't this apply to any PIO in the ULA range? If A=1 and the prefix length isn’t 64, some people are going to have words with you, I’m fine with it, but I’m not really looking to pick a fight today, and those seem to be fighting words. I was assuming the PIO would be for a prefix of whatever length happens to be in use on the subnet in question (which would be indeed be 64 today). But one can legitimately assume that if fdxx:xxxx:xxxx:yyyy::/64 is announced, the applicable ULA prefix is fdxx:xxxx:xxxx::/48. Brian Also, L=1 is making a different statement about the prefix. A=L=0 isn’t making any other statement about the prefix than it might be a ULA that the host should treat as local and the router announcing the RA knows how to route for. But it doesn’t specifically have to be A=L=0, but that is probably the safest statement to make. Thanks -- =============================================== David Farmer mailto:Email%3Afarmer@umn.edu <mailto:mailto:Email%253Afarmer@umn.edu> Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== -------------------------------------------------------------------- IETF IPv6 working group mailing list mailto:ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 -------------------------------------------------------------------- -------------------------------------------------------------------- IETF IPv6 working group mailing list mailto:ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Ed Horley
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Lorenzo Colitti
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 Lorenzo Colitti
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Lorenzo Colitti
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Vasilenko Eduard
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 David Farmer
- Re: [IPv6] ULA vs. 1918 Nick Buraglio
- Re: [IPv6] ULA vs. 1918 Michael Richardson
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Mark Smith
- Re: [IPv6] ULA vs. 1918 David Farmer
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 David Farmer
- Re: [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Fred Baker
- Re: [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Mark Smith
- Re: [IPv6] ULA vs. 1918 Mark Smith
- Re: [IPv6] ULA vs. 1918 Vasilenko Eduard
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- [IPv6] Developing a solution to a problem that sh… Mark Smith
- Re: [IPv6] Developing a solution to a problem tha… Mark Smith
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Timothy Winters
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Kyle Rose
- Re: [IPv6] ULA vs. 1918 Erik Nygren
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Mark Andrews
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] Developing a solution to a problem tha… Philip Homburg
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Ed Horley
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Philip Homburg
- Re: [IPv6] Developing a solution to a problem tha… Ole Troan
- Re: [IPv6] Developing a solution to a problem tha… Philip Homburg
- Re: [IPv6] Developing a solution to a problem tha… jordi.palet@consulintel.es
- Re: [IPv6] Developing a solution to a problem tha… Brian Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Ole Troan
- Re: [IPv6] Developing a solution to a problem tha… tom petch
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Ole Troan
- Re: [IPv6] Developing a solution to a problem tha… Ole Troan
- Re: [IPv6] Developing a solution to a problem tha… Ole Troan
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Philip Homburg
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Philip Homburg
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] [EXTERNAL] Re: Developing a solution t… Manfredi (US), Albert E
- Re: [IPv6] Developing a solution to a problem tha… Michael Richardson
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] Developing a solution to a problem tha… Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… David Farmer
- Re: [IPv6] Developing a solution to a problem tha… Ted Lemon
- Re: [IPv6] Developing a solution to a problem tha… Kyle Rose
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] Developing a solution to a problem tha… Brian E Carpenter
- Re: [IPv6] ULA vs. 1918 Pascal Thubert (pthubert)
- Re: [IPv6] ULA vs. 1918 Ted Lemon
- Re: [IPv6] ULA vs. 1918 Brian E Carpenter