IETF Logo Mail Archive

Re: RFC8064 implemented in linux ?

Mark Smith <markzzzsmith@gmail.com> Sat, 29 June 2019 03:48 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B558112092E for <ipv6@ietfa.amsl.com>; Fri, 28 Jun 2019 20:48:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3a7lG_6T0i2k for <ipv6@ietfa.amsl.com>; Fri, 28 Jun 2019 20:48:55 -0700 (PDT)
Received: from mail-oi1-x244.google.com (mail-oi1-x244.google.com [IPv6:2607:f8b0:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 063A712009C for <ipv6@ietf.org>; Fri, 28 Jun 2019 20:48:55 -0700 (PDT)
Received: by mail-oi1-x244.google.com with SMTP id g7so5766325oia.8 for <ipv6@ietf.org>; Fri, 28 Jun 2019 20:48:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yF7DZ47dqE9Rl0DruLU8fW6DzVAoM7iOkEsHSw9QXMg=; b=XoXMxqo4jdMqkeEN8wmfT+9QkTIeVoFN5Jio9lrigqT+N1sgDOO3qiDXwbIGCWdnE1 qPjSRwbIKOCZlYWA58uzk101ynN2ShGCqCoKyrxZ/DZjcfieRVVZnnPXm+KGfjVt5gti o/yOv2DzvLJJqyx5+pKoz3QDuVI8PCplXS5TAPU5DFYQHcTjoOjnIYwwTcZqMpJ+SCDz 8gIk3H+p+/G+O8yNPFgGqI9CRe63SwGd+s0yto+BVstZ0D0lH/+GlAl1m0T7THVLfjPo OBx8q26EpHZDCJIrdSe0X2rlNj6emC0ud71iNLdGlkyns7lBHRF24disUE/5Q5cfL2Og KEAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yF7DZ47dqE9Rl0DruLU8fW6DzVAoM7iOkEsHSw9QXMg=; b=KvnzzEZtYFgk0en6sAnucdpMudIiV2+gs1LtYM2yfxIiVvMGURz1ro/WRM2+MOGtjt 9j+agIGnp01oSvLuHWqfmBtCqGHoQSi0Rk9na1BgidOMPv8JKUq+4+bjPtJAsTGGkfRi 0rqQgHRTUgH5J1w6qnDFwapwfXe/T6i2h8MeMA0YIZcBiGd4I1aofqFP0hU72BS7mb/L Zyc4AMCsou2nWi0mZppMuoFF0Vd+YDlsaRv9bI376xKWp9NoSx0qaLni9K7trP0tR0G+ XkN9K2H7ItzS7v14KQKQK4Kakj3ECzQBA4S6QngG090l/0xOx5B1LGwV5TT1lWrd3PZ0 3/Zw==
X-Gm-Message-State: APjAAAU5P6+LxNqruzF/EBfevF2xTEK5GjsMjG2p9hraQyLgSRi/5B5W f8ATHS66QKNEvgHOT3ahoTkLUI22V6gptWFE8+k=
X-Google-Smtp-Source: APXvYqxxlKzXco2NfgJNQsQrtshr7fdJbkH9b4zd4WlMOOE21KQQ1O5eTOWUffmql8HJnCrMPPZgEiqFdPzjn9PGNto=
X-Received: by 2002:aca:c584:: with SMTP id v126mr676022oif.60.1561780134150; Fri, 28 Jun 2019 20:48:54 -0700 (PDT)
MIME-Version: 1.0
References: <69fb7b6e-cb0b-34a8-9a36-006878787282@gmail.com> <1752910.pSMvptStIT@rumburak.ite.tul.cz> <CAO42Z2yag_jm2r4P0=D5OTm-V8qVC6WPyYu6Ns7AhAHbuEE3pQ@mail.gmail.com> <fd4e7dd6-4c14-0eb9-9cef-9bc0e46d5c34@gmail.com>
In-Reply-To: <fd4e7dd6-4c14-0eb9-9cef-9bc0e46d5c34@gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 29 Jun 2019 13:48:27 +1000
Message-ID: <CAO42Z2xpjJGgqba+5yUdLJ6Rn3RrGEjkWfzUZbTqSkudVVbZkA@mail.gmail.com>
Subject: Re: RFC8064 implemented in linux ?
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d08f7058c6e46bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/aThu6PBBQKzhlC453Jx61SrUWk0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jun 2019 03:48:58 -0000

On Sat., 29 Jun. 2019, 12:13 Brian E Carpenter, <brian.e.carpenter@gmail.com>
wrote:

> On 29-Jun-19 12:37, Mark Smith wrote:
> >
> >
> > On Sat., 29 Jun. 2019, 02:36 Martin Hunek, <martin.hunek@tul.cz <mailto:
> martin.hunek@tul.cz>> wrote:
> >
> >     Hi Alex, hi all,
> >
> >     I hope that this mail would not be breach to Code of Conduct, but
> this is straight from network's operator heart. :-)
> >
> >     I hope that RFC8064 would never be implemented on any router. As
> would be operational nightmare.
> >
> >
> > It's intended to be implemented on all SLAAC implementations, not just
> hosts.
> >
> > That includes routers, and it explicitly includes Link Local addresses.
> >
> > That is so that Link Local addresses of routers are both auto-generated
> and stable across interface module swaps.
>
> Right, but nowhere is it said that you MUST NOT assign static addresses,
> including static LL addresses, if that's what you want to do.
> Nor does RFC8064 say that you MUST assign RFC7217 identifiers to all
> interfaces; even its title says "recommendation".
>

I've never said people can't use static default router addresses if they
wanted to.

He's saying that RFC 8064/RFC 7217 is so operationally terrible
("operational nightmare") that it should never be implemented on any router
at all.

I'm pointing out that a specific use case for RFC 7217 is routers because
one justification I've heard for setting static LL addresses on routers was
because changing the interface module changed the MAC address, which meant
the router's EUI-64 based LL address IID also changed.

That's why I suggested explicitly saying that RFC 7217 applied to LLs too
when it was being developed, and why there are a number of options for the
Net_Iface parameter in the RFC 7217 appendix, some of which won't change
even when an interface module swap results in an interface link-layer
address change.

Another motivation for static LLs on routers might be to help with
troubleshooting, through ease of an end-user typing the address  e.g. "ping
-I eth0 fe80::1".

However, I think asking the end user to "ping -I eth0 ff02::2" (link scope
all routers multicast address) and then having them read out the last
couple of digits of the address or addresses that respond is just as easy
and equivalent for default router troubleshooting. (A test on this Linux
box shows that specifying an interface on the ping to ff02::2 command can
also be optional.)

Martin also talks about no need for privacy addresses on servers/routers,
which makes me wonder if he has RFC 8064/7217 confused with RFC 4941.


> So it seems to me that Martin can do what he wants, even if it means
> changing an implementation default.


> Sites that need to correlate IP addresses with MAC addresses can still
> do so, as they do for IPv4. It just isn't arp -a any more.


I wonder what they're fundamentally trying to achieve when they do this,
and if it is based on a false assumption that MAC addresses can't or can't
easily be changed, and therefore MAC addresses are a good and reliable
end-user identifier.



> (In Windows it's netsh int ipv6 show neigh, but I don't know how to
> spell that in Linuxese.)
>

ip -6 neigh show

or

ip -6 neigh ls


Regards,
Mark.




>
>     Brian
>
>
> >
> >
> >
> >
> >     I can see need for privacy with global addresses
> >
> >
> > RFC8064 (indirectly RFC 7217) is not about privacy addresses.
> >
> > They're the opposite use case - persistent, stable addresses, entirely
> independent of or only loosely coupled to hardware e.g. device backplane
> slot.
> >
> >
> >     as it is clear that individuals could be easily tracked over the
> internet when using EUI-64 suffixes. It is not so obvious with stationary
> servers, but OK - you could remotely detect vendor and model of hardware,
> so yes if you really need to hide that it is reasonable.
> >
> >     When client need to generate LL address with other method then
> EUI-64, that is for me hard to grasp. Reactions to reasons from RFC8064:
> >     As network operator, I can still correlate network activity by
> accounting in RADIUS or just mirror access port and track it based on L2
> addresses. There is no location tracking possible with LL address as prefix
> fe80:: would not tell any more or less about location with or without
> randomized suffix. Address scanning is still not needed as all I need is
> ask at all nodes multicast address and I get a list of addresses in local
> segment. Only real reason why I would like to hide device vendor+model is
> so called "device-specific vulnerability exploitation". But still I can
> just listen on the line waiting for traffic and then just connect to port
> 80 or 443 and it would just happily tell. But OK, if someone thinks that it
> is really needed and that it would be beneficial to cover vendor+model
> instead of doing proper firewall...
> >
> >     Lastly the case of router (OpenWRT):
> >     Why would I need to use anything else than EUI-64? As network
> operator I need address that is static (on WAN interface at least), so I
> can do reliable static leases if customer wants them. You could argue that
> there is DUID for that and you would be right - in theory. But I have seen
> routers which generated random DUID on every boot (UBNT), that of course
> was major problem so only static thing left was LL address, which was
> EUI64. Other thing I seen were custom DHCPv6-PD hooks, which extracted MAC
> from some DUID types, made LL address from that and placed record for
> delegated prefix paired with computed LL address as destination. And I've
> seen clients which hides DUID so well that easiest way how to get it is
> packet snooping and manual link reset.
> >
> >     So when there would not be predictable LL address on WAN interface,
> I would not be able to make static routing records in routing table based
> on value written on customer CPE - the MAC address. So no more prefix
> reservation based on phone customer support, we would have to go trough
> provisioning of CPE prior installation.
> >
> >     Another "solution" would be to make dynamic routing table and when
> I'm giving customer /56, I can reduce it to /120 so I can encode 64b of
> random ID into prefix. Hopefully just an idea for April fool's RFC:
> >
> >     Address scheme would than look like:
> >     /29 from RIR -> 3b for MANs
> >     /32 for my MAN -> 8b for POPs
> >     /40 for POP -> 8b for interface+VLAN
> >     /48 for interface/VLAN -> 64b left for client LL suffix to provide
> static pool
> >     /112 would be max prefix length for customer or /120 when "legacy"
> devices on segment.
> >
> >     All that because router could get tracked on local link? By whom?
> Network operator would still be able to track every connection and they
> often must by law. By the way network operator still must be able to
> deliver packets to router so it needs to keep track of router's
> addresses/prefixes. Only real "benefit" RFC8064 brings to network operators
> would be a headache.
> >
> >     Because similar privacy related solution we are actually forced to
> go from SLAAC to DHCPv6 for server addresses because we cannot tell what
> IPv6 address server would have, so either no AAAA+PTR records (DDNS is not
> an option) or we would have to provision every server to use EUI64.
> >
> >     Long story short, RFC8064 needs a bis that it MUST NOT be used on
> routers. Otherwise it could bring real problems to real networks. All for
> purely theoretical issue router could have with its privacy.
> >
> >     I hope that I didn't offend anyone, I couldn't help myself.
> >
> >     Regards,
> >     Martin
> >
> >     PS: If you read it up to this point, than you are real good. :-)
> >
> >     Dne pátek 28. června 2019 13:49:29 CEST, Alexandre Petrescu
> napsal(a):
> >     > Is RFC8064 implemented in linux, with kernels 4.x, on openwrt? (in
> >     > addition to BSD).
> >     >
> >     > I am asking because the IPWAVE WG IPv6-over-OCB document is not
> >     > implemented in BSD. IPv6-over-OCB is implemented extensively on
> linux.
> >     >
> >     > The IPv6-over-OCB document suggests a 'transition time' to migrate
> from
> >     > current embedded platforms that do LL addresses formed from
> hardwired
> >     > MAC addresses (linux kernel 4.x openwrt) to future software where
> the LL
> >     > addresses are formed from more random IID (RFC8064).
> >     >
> >     > The Transport Area review of this document demands a value for this
> >     > 'transition time'.  My speculation, without knowing the current
> >     > implementation status of RFC8064 on openwrt with kernels 4.x, is
> that
> >     > the value of 'transition time' nears 5 years.
> >     >
> >     > Alex
> >     >
> >     >
> >
> >     --------------------------------------------------------------------
> >     IETF IPv6 working group mailing list
> >     ipv6@ietf.org <mailto:ipv6@ietf.org>
> >     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >     --------------------------------------------------------------------
> >
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> >
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email