IETF Logo Mail Archive

Re: [IPv6] ULA vs. 1918

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 16 August 2023 21:34 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02127C14CF1E for <ipv6@ietfa.amsl.com>; Wed, 16 Aug 2023 14:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.197
X-Spam-Level:
X-Spam-Status: No, score=-7.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJoet4BUw6JU for <ipv6@ietfa.amsl.com>; Wed, 16 Aug 2023 14:34:57 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06FC8C14EB19 for <ipv6@ietf.org>; Wed, 16 Aug 2023 14:34:56 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id d9443c01a7336-1bc73a2b0easo47443815ad.0 for <ipv6@ietf.org>; Wed, 16 Aug 2023 14:34:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692221696; x=1692826496; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=nRPtcpTQyJZRQGVrqZZkCMKf3I3n80LToEqMDgAg7x8=; b=JpMKKLsMAU4rV2lCnxmmr6GiiNhPlOyQTTvA3Oe2OD6dEPBhj+cvfadIHh8gWuynDA fMiKD210LUf8NCQlUzngH/TIbHWob7fyWZ8NgmLgj5/04qByW+5xzXkmUZft5+i6IkxC L8/RIws39FQ0aUV6eEWXQHkm0TqXXhwkILg2FvDEu4MO1jMyeCZEUFJIoc6dV/9mEmh+ olv76yysm9TOc3MGvJuiG0ZppYseEB2raVqREBe+axUEybMfals2Gh/Caxizg7Dzb6l6 4JOlR0XgoLfDyb82vb35ZX3DrEsKUFjFJ7XcTbLQ9QJ8J+5s2BZrEuyYS4GWyd5+Dy5B AN2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692221696; x=1692826496; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=nRPtcpTQyJZRQGVrqZZkCMKf3I3n80LToEqMDgAg7x8=; b=DR+MZnGdV7fjK5kxNmpe2iThLuaALy9xUb5tYVMxSqhEx5QVM4K08K/hyEl6HpP/5k 6xoYztSuc034S09itpyg/gudGhGi8j15ktiKnmXTTnwBI/bZglu9fchQ036QsC0vltU7 XYl1kWTmRlIkcmmQ/Ro++fDTTliU+OyQ2mkVBieslIxtiDzjyYsxChcI1QHj9GTTfx1e JisGsieWxbSGX8ego/hSdYU5h6zZeP1lmB6bOjO7lfQaOx/SCu3lXM1ZCEobuDApV+4s mnOESNzrL4s8kN6zJob2WBv/ThKUbhZpsYGLCNj6a3h1G7kuhv0UjpUkUnKDvh408oyc xw4A==
X-Gm-Message-State: AOJu0YwtjhuJEBTK5P4Y9cs1suvzHxMZCv4SBgViJd9UmTPkvFJDBTBO p0e780jmhe1/gXPllDvCRgg=
X-Google-Smtp-Source: AGHT+IHHG9vsTAkJWxovPAtqJgSoj1GnkegdFML5D8phvUVn39tvJQU6b+VEKPi3rM19hb9LdYD+Dw==
X-Received: by 2002:a17:903:244f:b0:1bb:de7f:a4d4 with SMTP id l15-20020a170903244f00b001bbde7fa4d4mr3746784pls.61.1692221695800; Wed, 16 Aug 2023 14:34:55 -0700 (PDT)
Received: from ?IPV6:2406:e003:10cc:9901:b2e1:1101:7ba7:19fd? ([2406:e003:10cc:9901:b2e1:1101:7ba7:19fd]) by smtp.gmail.com with ESMTPSA id p2-20020a170902e74200b001b86e17ecacsm13621778plf.131.2023.08.16.14.34.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 16 Aug 2023 14:34:55 -0700 (PDT)
Message-ID: <3ed3fdf4-f25c-3350-9f66-bd88d7eb6b0d@gmail.com>
Date: Thu, 17 Aug 2023 09:34:50 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
References: <CAJU8_nW36iEWvYHu6qAGvnEKeJ1P1w4BLov+VdSeZ06XLFXDRA@mail.gmail.com> <CAN-Dau3745bRSQS_Bgsb9yp0M-GK8wjToQLN9qf9PpiA=quBmQ@mail.gmail.com> <54d56b6a-1934-33fe-a8b5-e2b5408abf19@gmail.com> <DAFB73BA-D993-4957-A5A5-0B9D53E89AED@cisco.com> <99c35b98-71e3-f304-02df-0ba849220392@gmail.com> <FE8A0C37-0480-4D68-8343-B05C859BC2F9@cisco.com> <CAPt1N1=TYVbaYk1T-3RzVp+n-Uqmtmvkr=SxG=E-QbOuaEaOHA@mail.gmail.com> <CO1PR11MB48812878301CDDC2CA8D277DD858A@CO1PR11MB4881.namprd11.prod.outlook.com> <CAPt1N1=xgewgdMVLqgiYSPWR=htBYaWLS41vJfdxFLYmEwEd1g@mail.gmail.com> <02B40094-A14F-47E3-911F-9A314A5978A2@cisco.com> <CAPt1N1mWpweM-dKdtHK5jiCVb024s6nQ17PKDLNX+MBxSX5PJg@mail.gmail.com> <C0A33B04-AA2F-40C1-9B4F-63AC93F84D0C@cisco.com> <CAPt1N1nUY7e5EbiZotbXMVzLARSN4=v56nSWGUPR6t4i+GXvMQ@mail.gmail.com> <CO1PR11MB4881D59A3EDF82FA031E9125D815A@CO1PR11MB4881.namprd11.prod.outlook.com> <CAPt1N1=uGVbXN9CAXdqm_6D=yz+eq5YSKvMSW=x8HjBYDNMxoQ@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAPt1N1=uGVbXN9CAXdqm_6D=yz+eq5YSKvMSW=x8HjBYDNMxoQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/m6-0vEipmVKrVW4RTlAC9oHC6Tw>
Subject: Re: [IPv6] ULA vs. 1918
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2023 21:34:58 -0000

On 17-Aug-23 07:42, Ted Lemon wrote:
> At this point I can only answer generally. I think it makes sense to choose the most narrowly scoped source and destination address. But this shouldn't be solved by putting a ULA into a DNS RRset that's advertised globally. 

Of course not. (If anything, we should *advocate* putting ULAs into split-horizon DNS, either with the same name as a GUA, e.g. www.example.com, or with a localized name, e.g. w3.example.com.)

> The "hard problem we don't need to solve" is making a correct choice when we see a DNS RRset with AAAA records in a ULA prefix and other AAAA records in a GUA prefix, and the ULA prefix isn't reachable from where we did the query. 

Right, but this is where the distinction between a ULA in the same /48 and in a different /48 matters.

    Brian

> This is a misconfiguration—it shouldn't happen in practice, and is easy to fix. So hard coding something into an IP stack to do the right thing in this case seems unnecessary. If you want the scoping behavior I just described, scope your DNS as well, rather than expecting the network stack to be able to figure out what you mean.
> 
> 
> On Wed, Aug 16, 2023 at 11:43 AM Pascal Thubert (pthubert) <pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote:
> 
>     Hello Ted:
> 
>     I realize I failed to respond. Sorry for that!
> 
>      > Two observations here. First, it's never a good security practice to make decisions based on source address. So I don't think this is a very convincing use case. Second, this use case presumes that we can solve the really hard problem that I think we all know we can't readily solve. We are throwing good use cases in the trash to support a use case of questionable value that's really hard to get right. I just don't see the benefit.
> 
> 
>     About observation 1) The decisions in question are
>     a) for SAS whether to prefer ULA<->ULA over GUA<->GUA.
>     b) for the destination to accept the packet and answer
>     c) for the hosts and network to play EH games that are only valid within a domain
> 
>     about a) see thread Best Source / Destination address pair
>     about b) the receiver knows at least that the answer stays within the domain. This can be a SYN attack, but once the 3-way is done, the receiver knows that the sender is inside the domain (or has a trojan inside). This is some level of security, not claiming absolute security.
>     About c) it's a safer to place EHs in ULA<->ULA packets because the EH may cause issues when leaked outside.
> 
> 
>     About observation 2) I'm missing the point. Can you provide an good use case example where GUA<->GUA is preferable over ULA<->ULA, provided that the ULA pair works?
> 
> 
>     All the best
> 
>     Pascal
> 
>     On Fri, Jun 16, 2023 at 2:11 PM Pascal Thubert (pthubert) <mailto:pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote:
>     Oh you’re right, my logic is flawed there. I was expressing a real property but not applicable there as you point out.
> 
>     Step back:
> 
>     Say the stack has all addresses but knows that it can reach a server GUA with a ULA. The server that replies will know that the client is local and that can change the security posture of the connection. This is for the original case. In that regard ULA is better than GUA.
> 
>     And a node with only ULA as you point out can control its external reachability eg by obtaining temporary GUAs from a home agent at the border of the domain, using the ULA as CoA and the GUA as home address as in section 4.4 of RFC 4864. Compared to rfc 1918 and NAT this places the control in the host as opposed to the NAT box. In that regard ULA is better than rfc 1918.
> 
>     But it only works if the host knows that ULA will work proactively or very quickly on demand…
> 
>     Regards,
> 
>     Pascal
> 
> 
>     Le 16 juin 2023 à 19:33, Ted Lemon <mailto:mellon@fugue.com <mailto:mellon@fugue.com>> a écrit :
>     
>     The message I was replying to said:
>     packets to/from the ULA can only be injected within the ULA domain of routability. This creates an isolation against external attackers which have to be inside or use a trojan to attack an ULA only node.
>     So that means that the node is ULA-only, and is not reachable via GUA or 1918. If the node has all three, then isn't it the case that it's attackable using the GUA, and hence the security concern doesn't apply? And if it only has ULA, it's only attackable from within the routing domain of the ULA, and hence there's no security issue? Sorry to belabor the point, but if you think there's a security issue here it would be good to characterize it clearly.
> 
>     On Fri, Jun 16, 2023 at 1:23 PM Pascal Thubert (pthubert) <mailto:pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote:
>     Ok we’re not on the same case that’s why.
>     I was discussing the preference between GUA ULA and 1918. When a node has them all. Saying that actually ULA when done well could have the best properties while the state of the art makes it least preferred…
> 
>     Regards,
> 
>     Pascal
> 
> 
>     Le 16 juin 2023 à 19:16, Ted Lemon <mailto:mellon@fugue.com <mailto:mellon@fugue.com>> a écrit :
>     
>     Okay, but it seems like there's no problem then, since the node is ULA-only. It's only when you number the node with a GUA and publish it that it becomes reachable. So, from an operational perspective, what is the use case you are thinking of where this is a problem in a practical sense?
> 
>     On Fri, Jun 16, 2023 at 11:12 AM Pascal Thubert (pthubert) <mailto:pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote:
>     Hello Ted
> 
>     packets to/from the ULA can only be injected within the ULA domain of routability.
>     This creates an isolation against external attackers which have to be inside or use a trojan to attack an ULA only node.
> 
>     regards,
> 
>     Pascal
>     ________________________________________
>     De : Ted Lemon <mailto:mellon@fugue.com <mailto:mellon@fugue.com>>
>     Envoyé : vendredi 16 juin 2023 16:53
>     À : Pascal Thubert (pthubert) <mailto:pthubert@cisco.com <mailto:pthubert@cisco.com>>
>     Cc : Brian E Carpenter <mailto:brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>>; mailto:ipv6@ietf.org <mailto:ipv6@ietf.org> <mailto:ipv6@ietf.org <mailto:ipv6@ietf.org>>
>     Objet : Re: [IPv6] ULA vs. 1918
> 
>     What do you mean by “secure” here!
> 
>     Op vr 16 jun 2023 om 03:02 schreef Pascal Thubert (pthubert) <pthubert=mailto:40cisco.com@dmarc.ietf.org <mailto:40cisco.com@dmarc.ietf.org>>
>     Hello Brian
> 
>     If I have a ULA and my destination has a ULA and routing enables connectivity between the 2, ULA to ULA seems to be the most secured choice (because there’s some control on the diameter where an attacker can operate).
> 
>     But then how does my stack know? Sure, routing does to a point (default routes obfuscate). So I could leave it to trial and error / eyeballs. But isn’t that a demonstration that the information available at the stack is lacking?
> 
>     What we want is the stack to know which prefixes a ULA can reach from the routing standpoint, and if an ULA can reach a prefix, allow to prefer a ULA.
> 
>     The ULA to ULA routability could be expected / inferred within a 48, but my point above is that it’s doubly a mistake to resort on that.
> 
>     I’ll add that outside the 48 boundary, ULA longest match is not your friend. If you have 2 ULAs a and b and a destination c outside a’s and b’s 48s, but a longer bitwise match with b, does that mean anything about which of a or b can be routed to c? Ne.
> 
>     This is why for each PIO of an ULA there should be a train of prefixes that an address formed from the address in that PIO can reach, with a preference (vs other PiOs) That’s the only way to unleash the power of ULAs.
> 
>     Note along that vein: there’s no point making GUA prefixes special in that logic. If the ULA can reach a GUA, then the ULA is still a more secure source address. Placing a GUA in the train with a preference should be acceptable. For the return path, the GUA should assume symmetrical routability: if the ULA packet reaches me I can reach it back (because it is hopefully filtered at the site boundary).
> 
>     IOW we could consider RIO as the router-level “the originating router can reach this destination prefix with this preference “ and a RIO-prime attached to a PIO would be the source address-level “a source address formed from the prefix in the PIO above can reach this destination prefix with this preference “. This destination prefix being a global address, ULA or GUA.
> 
>     Note that RPL use that sort of semantics very successfully. More so with upcoming signaling in https://datatracker.ietf.org/doc/draft-ietf-roll-dao-projection/ <https://datatracker.ietf.org/doc/draft-ietf-roll-dao-projection/>. I’m not asking you to read the draft but it’s a good hint at how powerful the concept of AGP can become.
> 
>     Take care,
> 
>     Pascal
> 
> 
>     Le 15 juin 2023 à 22:40, Brian E Carpenter <mailto:brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> a écrit :
>     On 15-Jun-23 19:38, Pascal Thubert (pthubert) wrote:
> 
>     Hello Brian
>     Today the only reachability that is assumed seems to be the /64. Based on the current standards one could assume that /48 is reachable as well but I’d not like to case that in stone in the stacks. The /64 experience with SLAAC should have taught us a thing or 2.
> 
>     Routing will determine whether the whole /48 is reachable. There's not too much we can do about that at the address selection stage. This is more a matter of scope; and as things have evolved, the nearest thing we still have to site-local scope is a ULA /48. I completely agree that this is classful addressing (even link-local is classful). However, it would not be cast in stone in the code, since it would be in a configuration table. Do we have a better solution for the *default* behaviour?
> 
>     (There is an argument for the default table being defined by v6ops, not by 6man.)
> 
>         Brian
> 
> 
>     This is why I jumped in the thread. The ULA may reach a shorter aggregation (even if to Lorenzo’s point that is not fully legal with the current text), and it may reach other ULA prefixes. So hardcoding the /48 is not only repeating an error of the past but also not sufficient to avoid the need of DHCP, as soon as the network gets fancier.
>     And it will. SNAC is just one example.
>     I’m looking forward to seeing what the new draft proposes. I hope for a per PIO option inspired by RIO. Basically for ULA all the access le prefixes would be listed with a preference.
>     Along the same vein I hope for another per PIO option, also inspired by RIO, that indicates the router preference for a source address derived from that prefix.
>     Regards,
>     Pascal
>     Le 15 juin 2023 à 00:52, Brian E Carpenter <mailto:brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> a écrit :
> 
>     On 15-Jun-23 10:33, David Farmer wrote:
>     On Wed, Jun 14, 2023 at 17:01 Brian E Carpenter <mailto:brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com> <mailto:mailto <mailto:mailto>:brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>>> wrote:
>         On 15-Jun-23 04:56, David Farmer wrote:
>          > I've been thinking we should extend RFC 8028's use of a PIO with A=0 and L=0 for choosing the first-hop router. By adding to that, if the prefix is from the ULA range, then the host should also treat the prefix as a Local ULA prefix from an RFC 6472 section 10.3 perspective and add it to the table as a local ULA prefix.
>         What is specific about A=L=0 in this case? Why wouldn't this apply to any PIO in the ULA range?
>     If A=1 and the prefix length isn’t 64, some people are going to have words with you, I’m fine with it, but I’m not really looking to pick a fight today, and those seem to be fighting words.
> 
>     I was assuming the PIO would be for a prefix of whatever length happens to be in use on the subnet in question (which would be indeed be 64 today). But one can legitimately assume that if fdxx:xxxx:xxxx:yyyy::/64 is announced, the applicable ULA prefix is fdxx:xxxx:xxxx::/48.
> 
>        Brian
> 
>     Also, L=1 is making a different statement about the prefix. A=L=0 isn’t making any other statement about the prefix than it might be a ULA that the host should treat as local and the router announcing the RA knows how to route for.
>     But it doesn’t specifically have to be A=L=0, but that is probably the safest statement to make.
>     Thanks
>     -- 
>     ===============================================
>     David Farmer mailto:Email%3Afarmer@umn.edu <mailto:Email%253Afarmer@umn.edu> <mailto:mailto <mailto:mailto>:Email%253Afarmer@umn.edu <mailto:Email%25253Afarmer@umn.edu>>
>     Networking & Telecommunication Services
>     Office of Information Technology
>     University of Minnesota
>     2218 University Ave SE        Phone: 612-626-0815
>     Minneapolis, MN 55414-3029   Cell: 612-812-9952
>     ===============================================
>     --------------------------------------------------------------------
>     IETF IPv6 working group mailing list
>     mailto:ipv6@ietf.org <mailto:ipv6@ietf.org>
>     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>     --------------------------------------------------------------------
>     --------------------------------------------------------------------
>     IETF IPv6 working group mailing list
>     mailto:ipv6@ietf.org <mailto:ipv6@ietf.org>
>     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>     --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email