Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 07 January 2014 19:32 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5869B1AE14D for <ipv6@ietfa.amsl.com>; Tue, 7 Jan 2014 11:32:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mv1M1TWRQ8SU for <ipv6@ietfa.amsl.com>; Tue, 7 Jan 2014 11:32:36 -0800 (PST)
Received: from mail-pd0-x232.google.com (mail-pd0-x232.google.com [IPv6:2607:f8b0:400e:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id E8AC81AE141 for <ipv6@ietf.org>; Tue, 7 Jan 2014 11:32:35 -0800 (PST)
Received: by mail-pd0-f178.google.com with SMTP id y10so756922pdj.23 for <ipv6@ietf.org>; Tue, 07 Jan 2014 11:32:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=WE/+YN5wRZ4g/a91toqIzxRg7sfnropoAxtnnLR+njw=; b=q+W2qTA1oXbM93PNXBQfItDLcYdOhhC4WuC5ACDsgk8MFItL0NBaWJS5ds3npAZgoj dttGZBCiCOXZ/Gk3nwBJvbdLEwcJWsMxeCCSBKboqAFaF+iEkpX8nZ9XWPOaE2DPT1xA Q5k2OhBEHYeRXA0XaIO59gzuWTtIcmkPwoueEkb4jqxsXi7d6B+15aMjinGzEyQdukqg SRJwi3dptncsBwsSY2q13BQhf8575jp54+AERJplmnqTTu93NvJ1skV1ToqJMAB43AmA Qnou2N5b0uvvp2X0JbNGH/+aiZQtD2B7FxXKMrX1AtSMGMT7TN8HdG071xYyJqpePRyP Q7PQ==
X-Received: by 10.66.11.202 with SMTP id s10mr7562501pab.86.1389123146732; Tue, 07 Jan 2014 11:32:26 -0800 (PST)
Received: from [192.168.178.21] (217.194.69.111.dynamic.snap.net.nz. [111.69.194.217]) by mx.google.com with ESMTPSA id zc6sm131176303pab.0.2014.01.07.11.32.24 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 07 Jan 2014 11:32:25 -0800 (PST)
Message-ID: <52CC564E.2070402@gmail.com>
Date: Wed, 08 Jan 2014 08:32:30 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net>
In-Reply-To: <52CBE0E6.5020107@globis.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2014 19:32:38 -0000
Hi Ray, Thanks for the comments. On 08/01/2014 00:11, Ray Hunter wrote: ... > Where exactly is the requirement that IPv6 has to use /64 prefix length > really enshrined? I don't think it is enshrined in any one place; in fact at one level the architecture carefully avoids it. > I think the draft can help clarify that, and that alone makes it > worthwhile proceeding. > > > I humbly disagree with the conclusions in Section 9. > > The argument seems to assume that all n hosts must be allocated within > one single prefix with a prefix length >> 64. That is a very common deployment model, surely? I don't think the death of the L2 switch has been declared yet; I see plenty of them around. I agree that it *could* be done differently as you describe below. > Therefore it assumes that increasing prefix length reduces attack search > space (given some knowledge of one or more active IPv6 addresses) > > IMHO Address space is address space. Allocation density is allocation > density. IPv6 supports multiple prefixes per link and the concept of > determining "on link prefixes" via rfc5942 (unlike the "subnet mask" > mechanism of IPv4). > > It should be perfectly feasible to allocate a /64 to a router interface > in an IPAM tool, but then configure the equivalent of n prefixes each > containing 1 or 2 address with prefix length /128 or /127 (depending on > the implementation) for n hosts and which are equally sparsely assigned > across the /64, and all sharing a single L2 link. Even end node to end > node communication should flow directly (avoiding the router) as these > prefixes could be marked "on link" via the AdvOnLinkFlag = L flag. > > Anyway, in the majority of modern day wired deployments, the delta cost > of L3 over L2 is minimal, as the most dominant form of wired LAN > (Ethernet) are commonly switched in silicon, and multicast has to be > emulated. Wired Ethernet has in effect become a point to point protocol. > So deploying a dedicated L3 connection per end host is both technically > and financially feasible, and may have significant operational benefits > in certain scenarios. Allocating a /64 for each such port on a L3 switch > is sub optimal IMHO. And by the same privacy argument, allocating n > hosts sparsely over a single /64 of address space spread over multiple > L3 interfaces would have the same net effect for off-net attackers as n > hosts sharing a flat L2 LAN using a single /64, with the added advantage > that even locally the individual end nodes would not be able to > passively observe each other's traffic or addresses (advantageous in > shared hosting environments). > > An attacker that happens to discover the address of node A would not > find this information helpful in attempts to locate node B, any more > than if it were a flat /64. > > So to me it's a non-relevant argument one way or the other. > > Section 2.2 > > It may not be a widely held belief, but I remain concerned about the > potential for resource exhaustion for any number of processes due to the > "massive over sizing" of prefixes to /64: any number of untested > processes that track state based on /128 IPv6 address could be attacked. > The flip side of expanding privacy through address obfuscation at IID > level is that the source space available for attacks also increases. ND > cache exhaustion is probably just the first issue we've discovered of > many that exist. That is a bit of a vague argument to put in an RFC though. Can you find at least one example of such an attack? Brian > This may have knock on operational consequences, which > in the IPv4 world have relied on the scarcity of IPv4 address space to > be able to operate correctly under stress scenarios. We're going to > discover who has been swimming naked when the tide goes out. Call that > FUD, or operational expediency, whichever you like. BCP38 has saved me > on a number of occasions when all else has failed. > >
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith