Re: IPv6 Routing & ND vs. Addressing, (Was: Re: <draft-ietf-6man-rfc4291bis-09.txt>)

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 12 July 2017 02:39 UTC

Subject: Re: IPv6 Routing & ND vs. Addressing, (Was: Re: <draft-ietf-6man-rfc4291bis-09.txt>)
To: Mark Smith <markzzzsmith@gmail.com>, "Manfredi, Albert E" <albert.e.manfredi@boeing.com>
Cc: 6man WG <ipv6@ietf.org>
References: <CAN-Dau2zgthR2w9e5ZVUdGc-vm+YvK2uTUJ8O=vrcv0jNc58RA@mail.gmail.com> <CAKD1Yr2+Si_tzNF8p6ASf4=StgFSX9Gm3TEj9iiqdE2gHQaNmQ@mail.gmail.com> <CAN-Dau03r_CKW53kegaLa=F_R_RG4cWaCT1j6idrqPm9UuN03A@mail.gmail.com> <5963BF27.1050300@foobar.org> <ff09ffcd-df65-4033-8018-fbe7ae98cff8@gmail.com> <6bf7f3d0e9c047b1b86d4bcc220f8705@XCH15-06-11.nw.nos.boeing.com> <CAN-Dau1bxm5y0v_6kUBc_ym39bSSxepjdwrzcS7YHWD=CV9-bw@mail.gmail.com> <3b34d6e9718a45ae80877e36fb55f2b4@XCH15-06-11.nw.nos.boeing.com> <CAO42Z2x+282VK7nMFHjcCz9tBmJ_=d4OhkiRZFZDLcZhakGB1Q@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <30cb27b2-007a-2a39-803d-271297862cae@gmail.com>
Date: Wed, 12 Jul 2017 14:39:16 +1200
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ln5001iT7CZ9D_K5OyLKn5sDA0Q>

On 12/07/2017 11:54, Mark Smith wrote:
>> On 12 Jul. 2017 03:21, "Manfredi, Albert E" <albert.e.manfredi@boeing.com>
>> wrote:
>> 
>> From: David Farmer [mailto:farmer@umn.edu]
>> 
>>> IPv6 as currently defined does actually require IIDs to be 64 bits,
>>> if this wasn't the case then you could use subnets of any length
>>> without any special requirements or considerations.
>> 
>> And in general, you can. I think this is a stumbling block. There are
>> examples where 64-bit IIDs are still required, and there are examples where
>> they were required for reasons that no longer apply. But as of now, if you
>> use static addresses, or similarly DHCPv6, you're not limited. Everything
>> works fine with shorter IIDs.
>>
> 
> This is not recognising that there are more than operational or functional
> properties of addresses. They have privacy and security properties too.

Very specifically, it would be irresponsible not to require pseudo-random
IIDs of at least N bits for automatically assigned addresses. RFC7217
doesn't define N, but I assume it would be at least 40 and probably more.

The advantage of requiring or recommending 64 bits is that it avoids the
debate about N. I prefer 'recommend' because it avoids enumerating all
possible exceptions. We've seen how hard it is to wordsmith the exceptions.

     Brian

> As an example, the stateful DHCPv6 server in OpenWRT currently compromises
> those security and privacy properties as it is enabled by default, as the
> range of IIDs it uses is the same size as the DHCPv4 server's address range
> e.g. 100 addresses. (OpenWRT supports both SLAAC and Stateful DHCPv6 by
> default, my hosts that support both had great private/secure addresses
> through SLAAC and terrible ones through DHCPv6)
> 
> In IPv4, this is less of a concern, because NAT provided a layer of
> security and privacy to individual hosts' addresses, in particular to
> residential users. If we advocate for removing NAT from IPv6, or more
> accurately advocate end-to-end addressing, we need to provide alternate
> methods to restore the privacy and security provided by NAT.
> 
> Those methods should also not be reliant on devices or functions in the
> network, because the hosts that need them the most are also very portable
> (i.e., smartphones and laptops), and are easily and commonly attached to
> untrustable public networks.
> 
> If you use SLAAC, you are limited to 64-bit IIDs, but that limitation is
> self-imposed, to try to keep other-than-64-bit-IIDs from becoming too easy
> to configure. In principle, it would be easy enough to remove that 64-bit
> limitation from SLAAC.
> 
> I'm opposed to continue to imply that 64-bit IIDs are "required," other
> than in cases like SLAAC, ULAs, LLAs. That word "required" is what causes
> the pushback.
> 
> Bert
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
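Added example, not part of the thread or of any of the posters' own code: it shows what Brian's "pseudo-random IIDs of at least N bits" and Mark's OpenWRT observation mean in concrete terms. The first function builds an RFC 7217 stable, semantically opaque IID; RFC 7217 only requires that F() be a PRF an outsider cannot compute, so the choice of HMAC-SHA256 as F(), the interface and network identifier strings, and the demo secret key are all assumptions of this example. The second part measures how many bits an attacker would have to guess for a given assignment scheme, so a 100-address DHCPv6 pool can be compared against the N=40 figure Brian assumes and against a full 64-bit IID.

```python
import hashlib
import hmac
import ipaddress
import math

# Constructed demo key: on a real host this is a per-host secret generated at
# install time (RFC 7217 Section 5, "secret_key") and never shared.
DEMO_SECRET_KEY = b"constructed-demo-key-do-not-use-in-production"


def rfc7217_iid(prefix, net_iface, network_id, dad_counter, secret_key, iid_bits=64):
    """Stable, opaque IID per RFC 7217:
    RID = F(Prefix | Net_Iface | Network_ID | DAD_Counter | secret_key),
    IID = the first iid_bits of RID.

    F() is HMAC-SHA256 here (an assumption; the RFC leaves the PRF to the
    implementer). The IID is stable for one (prefix, interface, network)
    tuple and unrelated across prefixes, which is the privacy property a
    small sequential pool cannot give.
    """
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    msg = (pfx
           + net_iface.encode()
           + b"|" + network_id.encode()
           + b"|" + dad_counter.to_bytes(2, "big"))
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[: iid_bits // 8], "big")


def address_from_iid(prefix, iid):
    """Combine a /64 prefix with a 64-bit IID into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    if iid < 0 or iid >= 1 << 64:
        raise ValueError("IID must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def iid_search_space_bits(pool_size):
    """Effective IID entropy, in bits, of a scheme that draws from pool_size
    equally likely values: a pool of 100 addresses is about 6.6 bits."""
    if pool_size < 1:
        raise ValueError("pool size must be positive")
    return math.log2(pool_size)


def meets_minimum(pool_size, n_bits):
    """True if the assignment scheme offers at least n_bits of IID entropy."""
    return iid_search_space_bits(pool_size) >= n_bits


if __name__ == "__main__":
    home = "2001:db8:1::/64"          # constructed documentation prefix
    cafe = "2001:db8:cafe::/64"       # constructed second network
    iid_home = rfc7217_iid(home, "eth0", "home-ssid", 0, DEMO_SECRET_KEY)
    iid_cafe = rfc7217_iid(cafe, "eth0", "cafe-ssid", 0, DEMO_SECRET_KEY)
    print("home:", address_from_iid(home, iid_home))
    print("cafe:", address_from_iid(cafe, iid_cafe))
    for name, size in [("100-address DHCPv6 pool", 100),
                       ("N=40 random IID", 1 << 40),
                       ("64-bit random IID", 1 << 64)]:
        print(f"{name}: {iid_search_space_bits(size):.1f} bits, "
              f">=40 bits: {meets_minimum(size, 40)}")
```

RFC 7217 also requires that an IID colliding with a reserved value (RFC 5453) or failing DAD be regenerated with an incremented DAD_Counter; that retry loop is left out here, but the dad_counter argument is where it would plug in.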