Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]

Lorenzo Colitti <lorenzo@google.com> Fri, 10 January 2014 05:02 UTC

In-Reply-To: <52CECC76.1030706@globis.net>
References: <52C9D788.8060606@gmail.com> <52CBE0E6.5020107@globis.net> <CAKD1Yr2yPzQHCJHUWBa9-+=nn9BbjLhBB4e896NPWne_Unnwgg@mail.gmail.com> <52CECC76.1030706@globis.net>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Fri, 10 Jan 2014 14:01:32 +0900
Message-ID: <CAKD1Yr3rvnDRPpkBEV4EVrrSAQYLutGg0qoweZkKv5em=4-dRw@mail.gmail.com>
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
To: Ray Hunter <v6ops@globis.net>
Cc: 6man <ipv6@ietf.org>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>

On Fri, Jan 10, 2014 at 1:21 AM, Ray Hunter <v6ops@globis.net> wrote:

>> The point is that people *could* trivially track and filter at /128 within
>> an enterprise *if* we give network infra people the ability to
>> control/register which /128(s) the end host uses.
>
> Ideally, that ability to control/register active /128's should not rely on
> cooperation of L2 switches or other LAN functionality that requires
> purchasing new switches, or constant MIB scanning.
>
> I think that's a valid problem statement, and assigning >>/64
> (purposefully breaking SLAAC, whilst deploying stateful DHCPv6, or static
> addressing) is one way to address that problem.
>

In your network you are free to assign addresses exclusively using DHCPv6.

*However* - if you are doing this for the purpose of tracking, that only
makes any sense at all if the current switches you have (since you've
already said you're not going to buy new ones) can snoop DHCPv6 requests
for address assignments and enforce IPv6-to-MAC address mappings.

Do they?

Because if they don't, disabling SLAAC gives you no security at all,
because malicious hosts on your network will still be free to create and
use arbitrary IPv6 addresses, which you will not be able to track. In fact,
this gives you the same level of security as you could get by disabling
privacy addresses and using autoconf - malicious hosts can still do what
they want, and for well-behaved hosts, instead of having the MAC address in
the IPv6 address, you now have to go and get it from the DHCPv6 server logs.
Lose/lose.

Or - as Tim points out, SNMP scraping will do this securely for you today,
and vendors are already building better and more scalable address
registration notification features (syslog, etc.) into switches.

And if you're not doing this for the purpose of tracking, then why are you
doing it? Is it just because it's what you do in IPv4? If so, then sorry,
that's not a valid technical argument.
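The check below is an added example and not code from the thread or from any of its participants. It illustrates the point made above: without switch-side enforcement (DHCPv6 snooping with IPv6-to-MAC binding), the most a DHCPv6-only network can do is detect, after the fact, that a host is using an address the server never handed out. The script reconciles a DHCPv6 lease table against the first-hop router's `ip -6 neigh show` output and flags each global address as leased, leased to a different MAC (a stolen or spoofed address), or never leased at all, additionally noting when an unleased address is simply the EUI-64 form of the host's own MAC (i.e. plain SLAAC still running). The lease table `LEASES` and the neighbor dump `NEIGH_DUMP` are constructed sample data; the assumption that the DHCPv6 server can export an address-to-MAC mapping is mine, since many servers record only the DUID.

```python
import ipaddress

# Constructed DHCPv6 lease table: address -> client MAC. Assumption: the
# DHCPv6 server (or its logs) can be made to export this mapping.
LEASES = {
    "2001:db8:1::10": "00:11:22:33:44:55",
    "2001:db8:1::11": "00:11:22:33:44:66",
}

# Constructed `ip -6 neigh show` output as seen on the first-hop router.
# It contains two leased hosts, one host using an arbitrary unleased address,
# the same host also using its SLAAC (EUI-64) address, a second MAC claiming
# a leased address, a link-local entry and a FAILED entry without lladdr.
NEIGH_DUMP = """\
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::11 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::dead:beef dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
2001:db8:1:0:211:22ff:fe33:4477 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
2001:db8:1::10 dev eth0 lladdr aa:bb:cc:dd:ee:ff DELAY
fe80::211:22ff:fe33:4477 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
2001:db8:1::99 dev eth0 FAILED
"""


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC:
    flip the universal/local bit and insert ff:fe in the middle."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def parse_neigh(dump: str):
    """Parse `ip -6 neigh show` lines into (address, dev, mac, state).
    Token-based so extra flags such as 'router' do not break parsing."""
    entries = []
    for line in dump.splitlines():
        tok = line.split()
        if not tok:
            continue
        addr = ipaddress.IPv6Address(tok[0])
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        entries.append((addr, dev, mac, tok[-1]))
    return entries


def audit(neigh_dump: str, leases: dict):
    """Return (address, mac, verdict) for every global neighbor entry that
    has a link-layer address. Link-local addresses are skipped because they
    are always self-configured regardless of the DHCPv6/SLAAC choice."""
    lease_map = {ipaddress.IPv6Address(a): m.lower() for a, m in leases.items()}
    findings = []
    for addr, _dev, mac, _state in parse_neigh(neigh_dump):
        if mac is None or addr.is_link_local:
            continue
        leased_mac = lease_map.get(addr)
        if leased_mac == mac:
            verdict = "leased"
        elif leased_mac is not None:
            verdict = "leased-to-other-mac"      # address in use by a MAC it was not leased to
        elif addr.packed[8:] == eui64_iid(mac):
            verdict = "unregistered-eui64"       # SLAAC address, nothing stopped the host
        else:
            verdict = "unregistered"             # arbitrary self-chosen address
        findings.append((str(addr), mac, verdict))
    return findings


if __name__ == "__main__":
    for addr, mac, verdict in audit(NEIGH_DUMP, LEASES):
        print(f"{addr:40} {mac}  {verdict}")
```

Anything the script reports as `unregistered` or `leased-to-other-mac` is a host that ignored the addressing policy; the script can only tell you so once the neighbor cache has already learned the address, which is the "no security at all" outcome described above unless the switch itself drops traffic from unbound addresses.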