IETF Logo Mail Archive

Re: A common problem with SLAAC in "renumbering" scenarios

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Fri, 15 February 2019 09:40 UTC

Return-Path: <prvs=194943d449=jordi.palet@consulintel.es>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B8C8130F82 for <ipv6@ietfa.amsl.com>; Fri, 15 Feb 2019 01:40:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkay36IwtTgP for <ipv6@ietfa.amsl.com>; Fri, 15 Feb 2019 01:40:26 -0800 (PST)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6030130F5F for <ipv6@ietf.org>; Fri, 15 Feb 2019 01:40:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1550223624; x=1550828424; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type:Content-transfer-encoding; bh=tH8OS3AJ 1N7jZHvUg6F7MOXhdF9g2/+aNI3BncmGlR0=; b=nNCgFm4dc8BkgBvc3hwlCK+u TPG9sT9XRqzIM60/uKhmsyNX1jmz352NEZmNC3hlD4xbzeHL3BG2LLHtE/i9nw6p 69SpDktdyOry57RK2MR/49GHDY+gKmwXrNEPmDCUV5sapzF3MvVuZZRaAgI1p7lx bVxFw7hQJZX3Vaz8Og8=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Fri, 15 Feb 2019 10:40:24 +0100
X-Spam-Processed: mail.consulintel.es, Fri, 15 Feb 2019 10:40:23 +0100
Received: from [10.10.10.139] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50006155984.msg for <ipv6@ietf.org>; Fri, 15 Feb 2019 10:40:22 +0100
X-MDRemoteIP: 2001:470:1f09:495:6504:820c:c824:1c47
X-MDHelo: [10.10.10.139]
X-MDArrival-Date: Fri, 15 Feb 2019 10:40:22 +0100
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=194943d449=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: ipv6@ietf.org
User-Agent: Microsoft-MacOutlook/10.10.7.190210
Date: Fri, 15 Feb 2019 10:40:19 +0100
Subject: Re: A common problem with SLAAC in "renumbering" scenarios
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Jan Zorz - Go6 <jan@go6.si>, Christian Huitema <huitema@huitema.net>, ipv6@ietf.org
Message-ID: <66B174B6-6442-495C-BEBB-373FF8AD8133@consulintel.es>
Thread-Topic: A common problem with SLAAC in "renumbering" scenarios
References: <60fabe4b-fd76-4b35-08d3-09adce43dd71@si6networks.com> <4602.1549908472@localhost> <CAO42Z2w1swQNuwnrOyTCEMXt0NSyrBx7Ww3kUN-7dfEV=fvk3A@mail.gmail.com> <c16e0e1f-1ed2-ad88-80f1-070bdd8bccca@go6.si> <1F2C2AEE-1C7D-481C-BBA7-7E507312C53A@employees.org> <e56a6e5b-648d-200e-c35d-97f15a31fb2a@asgard.org> <CAO42Z2zh7fKAgQJq9aLCTiFoSSsTeGM=pK3gXitg+gcxH=9fhQ@mail.gmail.com> <d38857c2-6e92-91d6-bb5d-d3eeeb61276a@gmail.com> <CAO42Z2yb47OyXk__Sz-kO00pfcBJgLAhff5DF=mpAddR0iCnAA@mail.gmail.com> <2612280f-195a-ae7a-b3b1-9022d9282fa7@foobar.org> <56F813F4-C512-40A9-8A68-1090C76A80F6@consulintel.es> <CAHL_VyCN8kU7qnLOphfGR25-xGBe_p6WeGTkKVXwU5uy5aJ8Dg@mail.gmail.com> <65DB4854-97D2-4C31-A691-2CD93812EF93@consulintel.es> <CAHL_VyCMpCcGkEQu+RV1GRf2QLB-HD0+AOOBV0YhfQ5sbydVzQ@mail.gmail.com> <8CE7A0CD-97D9-46A0-814D-CAF8788F9964@consulintel.es> <e3e0bf2273e04f15b792665d0f66dfe5@boeing.com> <4c5fab33-2bff-e5b5-fc1d-8f60a01a146d@go6.si> <b4525832-9151-20bf-7136-31d87ba6c88d@huitema.net> <463f15cf-2754-e2e8-609d-dc0f33448c6c@go6.si>
In-Reply-To: <463f15cf-2754-e2e8-609d-dc0f33448c6c@go6.si>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/iJpshSm3OJX26GovifTtPbSrL9k>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:40:28 -0000

/64 for every device is perfectly possible and I think it is wise, following RFC8273, so VMs inside a device can have their own addresses.

I see a scenario where (and I don't care if it is a residential or enterprise), a single persistent (unless the user explicitly wants it non-persistent) /48 is provided to the CE.

Then the CE can organize the /48 in different subnets. For example, devices (sensors that just report data), will get persistent or non-persistent /64s. Actuators (you need to talk to them, so you may want to have persistent addresses in the DNS), will get persistent /64. End-user devices (tablets, laptops, etc.), will have persistent or non-persistent /64s and finally, of course, if you have servers, you want to have the with persistent /64s.

I know everything could be non-persistent using dynamic DNS, but this is expensive, is extra services, and it is slow. I don't think it make sense for stable services.

Regards,
Jordi
 
 

-----Mensaje original-----
De: ipv6 <ipv6-bounces@ietf.org> en nombre de Jan Zorz - Go6 <jan@go6.si>
Fecha: viernes, 15 de febrero de 2019, 10:30
Para: Christian Huitema <huitema@huitema.net>, <ipv6@ietf.org>
Asunto: Re: A common problem with SLAAC in "renumbering" scenarios

    On 15/02/2019 08:57, Christian Huitema wrote:
    > 
    > On 2/14/2019 1:19 PM, Jan Zorz - Go6 wrote:
    >>
    >> To augment what many already have said here - it's a tie between IP
    >> address and household address and name/surname that should not be
    >> public, the address itself is mostly harmless and it doesn't matter if
    >> it's static or dynamic. Tracing gets done on L7 and above anyway ;)
    > 
    > 
    > In the current state of the web, if a user gets a new address, the
    > various web surveillance mechanisms will associate it with the previous
    > user identity and context after maybe a dozen web queries or two. That
    > gets better if the user has a strong defensive posture, blocks web
    > trackers, etc. But it just takes one cookie, or one login, or some other
    > inference, and poof, the surveillance databases know that new_address_X
    > is the same user as old_address_Y.
    > 
    > The case of the household is even worse. It takes only one cookie,
    > login, etc, and the surveillance databases will learn that new_prefix_P
    > is the same household as old_prefix_Q. Even you run Ghostery or Privacy
    > Badger or the latest release of Firefox, you won't escape if you share a
    > prefix with someone in your household who doesn't. Or with one of those
    > surveillance devices that masquerade as thermostats or light switches or
    > voice assistants.
    
    Exactly.
    
    > 
    > So that's pretty bleak. If you want defense, you probably want to
    > allocate different /64 prefixes to different devices, and change them
    > really often. You may not need to change them for every devices -- no
    > point providing privacy to the surveillance thermostat. But for your
    > laptop, your tablet or your phone, they to change before the
    > surveillance advertisers see you access a dozen web pages or two.
    
    /64 for each device is fine. What I'm questioning is if we really need 
    to make underlying to be something that was never meant to be if L7 and 
    above is broken? I think L7 and above needs to be fixed first and then 
    changing of addresses in transport layer can have any effect. Until then 
    - let's transport packets in a way that doesn't break often and make 
    user grumpy.
    
    To put "lipstick on a pig" is a rhetorical expression, but quite useful 
    in our case :) :) :)
    
    Cheers, Jan
    
    --------------------------------------------------------------------
    IETF IPv6 working group mailing list
    ipv6@ietf.org
    Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
    --------------------------------------------------------------------
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email