Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)

Tim Chown <Tim.Chown@jisc.ac.uk> Thu, 16 November 2017 15:26 UTC

From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: Ca By <cb.list6@gmail.com>
CC: 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>, Ole Troan <otroan@employees.org>, james woodyatt <jhw@google.com>
Subject: Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
Thread-Topic: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
Thread-Index: AQHTXsCEK1gNvYa+mkyDyUX+Qr6diqMW8xeAgAAuBIA=
Date: Thu, 16 Nov 2017 15:26:44 +0000
Message-ID: <75C8CD33-AF67-4669-8548-EF318FC69BDE@jisc.ac.uk>
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <183A8772-6FEF-43BD-97F9-DD4A2E21DB90@google.com> <5D9D33A8-88F0-4758-84FA-BCB364E8013F@employees.org> <16B61573-E233-40ED-8A22-CD145EBB8F98@google.com> <A89E7192-0FD4-4750-8745-147AFCC364DC@jisc.ac.uk> <CAD6AjGQcF=+FRFke1P0+vcmEEqWQ0NUsfprS6qBvfsG+3HMXhA@mail.gmail.com>
In-Reply-To: <CAD6AjGQcF=+FRFke1P0+vcmEEqWQ0NUsfprS6qBvfsG+3HMXhA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/mtZubWAxIlwcwxUcV5JVdFawdDQ>

> On 16 Nov 2017, at 12:42, Ca By <cb.list6@gmail.com> wrote:
> 
> On Thu, Nov 16, 2017 at 1:53 AM Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> Hi,
> 
> > On 15 Nov 2017, at 23:04, james woodyatt <jhw@google.com> wrote:
> >
> > On Nov 15, 2017, at 13:47, Ole Troan <otroan@employees.org> wrote:
> >>
> >>>> IMHO the optimal solution is:
> >>>> - the network SHOULD provide a host with NAT64 prefix information in RA;
> >>>
> >>> Disagree. If the network has NAT64, then it should deploy RFC 7225. Ye gods, this is the very last thing that should be jammed into RA messages.
> >>
> >> Do we really want PCP in IPv6?
> >
> > If we have any kind of NAT, then we need PCP. Using NAT without PCP considered harmful. That goes for NAT64 and NAT66.
> 
> And PCP is still needed to negotiate firewall holes in a pure IPv6 scenario, isn’t it?  Assuming the host with PCP is behind Simple Security.
> 
> A question: is this something we should consider for RFC6434-bis, or should we be silent on PCP?
> 
> No
> 
> >> Is PCP successful in IPv4?
> >
> > Well, there was this: <https://www.ietf.org/proceedings/88/slides/slides-88-pcp-5.pdf>
> >
> >> Or does it even work well with A+P based solutions?
> >
> > Designed expressly for it.
> 
> I assumed PCP was designed with an eye firmly on future routed home networks where firewall holes need to be opened. What is the alternative?
> 
> The alternative is secure host and no firewall. There is no firewall at the ietf conference right now, right? Are you secure? Is there a malware outbreak?

Yet in practice pretty much every ISP deploying IPv6 to residential is doing so with RFC 6092, or stricter. Perhaps with a toggle to turn off firewalling, but that’s the reality.

OTOH it seems that PCP support in hosts / CPEs isn't exactly widespread.

> The fatal flaw in PCP (aside from the name) is that it assumes the host needs protection yet it gives the host the power to control the firewall. Next gen malware will come via email (just like today), it will encrypt your hard drive, and then set up a C2 network on your PC via PCP controls. Sad!

True, and that happens with UPnP today...

Tim
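The concern raised in this thread is that PCP hands the host itself the ability to open inbound pinholes through an RFC 6092 style firewall. As an added example, not code from the thread, from any CPE vendor or from any PCP implementation, the Python below decodes a PCP MAP request in the RFC 6887 wire layout and applies an illustrative firewall-side policy before a mapping is granted. The wire format and result codes are those of RFC 6887; the policy knobs (one-hour lifetime cap, refusal of all-ports/all-protocols mappings, refusal of well-known ports) and the audit-line format are assumptions chosen to show what a defender can still enforce and log when hosts are allowed to request pinholes.

```python
"""
Decode PCP MAP requests (RFC 6887 wire layout) and apply a conservative
firewall-side policy before a pinhole is granted.  Policy values and the
audit format are illustrative assumptions, not part of RFC 6887.
"""
import ipaddress
import struct

PCP_VERSION = 2
OPCODE_MAP = 1

# Result codes from RFC 6887 section 7.4
SUCCESS = 0
UNSUPP_VERSION = 1
NOT_AUTHORIZED = 2
MALFORMED_REQUEST = 3
ADDRESS_MISMATCH = 12

# Illustrative policy (assumptions, not from RFC 6887 or the thread)
MAX_LIFETIME = 3600           # never grant a pinhole for longer than an hour
DENY_WILDCARDS = True         # refuse "all ports" / "all protocols" mappings
PRIVILEGED_PORT_LIMIT = 1024  # refuse inbound mappings to well-known ports

# Common request header (24 bytes): version, R|opcode, reserved, lifetime, client IP
_HDR = struct.Struct("!BBHI16s")
# MAP opcode body (36 bytes): nonce, protocol, reserved, internal port,
# suggested external port, suggested external IP  (RFC 6887 section 11.1)
_MAP = struct.Struct("!12sB3sHH16s")


def build_map_request(client_ip, lifetime, protocol, internal_port,
                      nonce=b"\x00" * 12, ext_port=0, ext_ip="::",
                      version=PCP_VERSION):
    """Encode a MAP request; used here only to construct sample traffic."""
    hdr = _HDR.pack(version, OPCODE_MAP, 0, lifetime,
                    ipaddress.IPv6Address(client_ip).packed)
    body = _MAP.pack(nonce, protocol, b"\x00" * 3, internal_port, ext_port,
                     ipaddress.IPv6Address(ext_ip).packed)
    return hdr + body


def parse_map_request(data):
    """Decode a MAP request into a dict; raise ValueError if malformed."""
    if len(data) < _HDR.size + _MAP.size or len(data) % 4:
        raise ValueError("bad length")
    version, r_op, _res, lifetime, client_ip = _HDR.unpack_from(data, 0)
    if r_op & 0x80 or (r_op & 0x7F) != OPCODE_MAP:   # R bit set = response
        raise ValueError("not a MAP request")
    nonce, proto, _res2, int_port, ext_port, ext_ip = _MAP.unpack_from(data, _HDR.size)
    return {
        "version": version,
        "lifetime": lifetime,
        "client_ip": ipaddress.IPv6Address(client_ip),  # IPv4 clients appear as ::ffff:a.b.c.d
        "nonce": nonce,
        "protocol": proto,
        "internal_port": int_port,
        "ext_port": ext_port,
        "ext_ip": ipaddress.IPv6Address(ext_ip),
    }


def evaluate(data, src_ip, audit):
    """Apply the policy; return (result_code, granted_lifetime) and append an audit line."""
    try:
        req = parse_map_request(data)
    except ValueError as exc:
        audit.append(f"src={src_ip} result=MALFORMED_REQUEST reason={exc}")
        return MALFORMED_REQUEST, 0
    if req["version"] != PCP_VERSION:
        audit.append(f"src={src_ip} result=UNSUPP_VERSION version={req['version']}")
        return UNSUPP_VERSION, 0
    # RFC 6887 requires the client address in the request to match the packet source;
    # a mismatch is how one host would try to open holes on behalf of another.
    if req["client_ip"] != ipaddress.IPv6Address(src_ip):
        audit.append(f"src={src_ip} result=ADDRESS_MISMATCH claimed={req['client_ip']}")
        return ADDRESS_MISMATCH, 0
    desc = f"src={src_ip} proto={req['protocol']} port={req['internal_port']}"
    if DENY_WILDCARDS and (req["internal_port"] == 0 or req["protocol"] == 0):
        audit.append(f"{desc} result=NOT_AUTHORIZED reason=wildcard")
        return NOT_AUTHORIZED, 0
    if req["internal_port"] < PRIVILEGED_PORT_LIMIT:
        audit.append(f"{desc} result=NOT_AUTHORIZED reason=privileged-port")
        return NOT_AUTHORIZED, 0
    granted = min(req["lifetime"], MAX_LIFETIME)   # server may shorten, never extend
    audit.append(f"{desc} lifetime={granted} result=SUCCESS")
    return SUCCESS, granted


if __name__ == "__main__":
    log = []
    host = "2001:db8::10"   # constructed sample client address
    evaluate(build_map_request(host, 7200, 6, 8080), host, log)
    evaluate(build_map_request(host, 60, 6, 0), host, log)
    evaluate(build_map_request(host, 60, 6, 22), host, log)
    evaluate(build_map_request(host, 60, 6, 8080), "2001:db8::99", log)
    print("\n".join(log))
```

The audit list stands in for whatever the CPE or PCP server writes to syslog; a sudden burst of MAP requests from one host, or repeated ADDRESS_MISMATCH and NOT_AUTHORIZED results, is the kind of signal that distinguishes a game console opening one port from a compromised PC trying to expose a listener.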