Re: Zillions of addresses [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Tim Chown <tjc@ecs.soton.ac.uk> Sat, 11 January 2014 17:31 UTC
Subject: Re: Zillions of addresses [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <52D15486.1030705@globis.net>
Date: Sat, 11 Jan 2014 17:29:44 +0000
To: Ray Hunter <v6ops@globis.net>
Cc: 6man <ipv6@ietf.org>
Hi,

On 11 Jan 2014, at 14:26, Ray Hunter <v6ops@globis.net> wrote:

>> Brian E Carpenter <brian.e.carpenter@gmail.com>
>> 10 January 2014 23:27
>>> But problems in their /48 with a rogue node assigning zillions of addresses and creating zillions of sessions should not spill over into the rest of the network managed by others.
>>
>> Who says that is a rogue node? It sounds like perfectly legitimate
>> behaviour for a virtual machine environment that is designed to
>> virtualise at layer 3. If you want those VM addresses to be
>> unguessable for an off-path attacker, you might well spread them
>> sparsely across a /64.
>>
>> Anyway -- I am not seeing much in this thread that suggests text changes
>> in the -why64 draft (which is intended to be factual). I take Ray's
>> original point that there *might* be other risks than ND exhaustion,
>> and we'll add that to the next version.
>>
>> Regards
>> Brian
>>
>>
> Agreed.
>
> I would also like to reiterate a basic requirement from network and system operators, and propose the following text for -why64.
>
>
> /
> There is a desire by many network operators to

Many, or some?

> 1) know and audit which nodes are active on a network (perhaps by carrying out exhaustive scanning of address space that is allowed to communicate off link)

Or polling the network devices via SNMP or similar. Exhaustive scanning of v6 space…no.

> 2) be able to limit the total number of active addresses and sessions that can be sourced from a particular host, LAN or site, in order to prevent potential resource depletion attacks or other problems spreading beyond a certain scope of control.

Documenting some examples of this would be useful. ND cache is one, which I think is already mentioned.

> One way of limiting the scan space, or limiting the number of possible source addresses and sessions from a LAN, is to increase the prefix length >> 64.

Which is what makes this relevant to ‘why64’.

> This may currently break many widely-deployed solutions, such as SLAAC.

Well, ‘This will cause significant issues for the operation of the network, as described elsewhere in this document’

> There are alternatives, which present a different set of trade offs e.g. with respect to the right of privacy of the end user versus the rights of the operator to control and protect their network.
> /

Those alternatives are more likely to be viable in a tightly managed environment, where there is administrative control of all devices, e.g. so privacy addresses can be disabled by policy.

Tim

>
> Whether you think the solution of extending prefix length >>64 is good or not is a separate debate.
> IMHO Technically it should be possible. CIDR has NOT been deprecated.
>
> I think imposing a hard limit of /64 is harmful, as it limits operators' choice of operations model and protocols
> e.g. flow-based WFQ becomes vulnerable to trivial attacks from a single node, whereas there's nothing fundamentally wrong with flow-based WFQ technology per se, or indeed other mechanisms that require tracking state to /128.
> e.g. exhaustive network scanning to check for vulnerable open ports on unpatched machines becomes impractical, whereas there's nothing fundamentally wrong with the concept in an enterprise environment.
>
> Lorenzo and I clearly disagree on this point, but I see no value in continuing the debate on list wrt this draft.
> it took long enough to get to the current status on allowing use of /127 instead of /64 for point to point links (3627, 6164, 6547)
>
> --
> Regards,
> RayH
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
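The ND cache case that Tim points to, and Ray's requirement 2 (limit the active addresses a single LAN can consume), as an added illustration that is not part of the thread: a toy neighbour-cache model, with constructed addresses under the 2001:db8 documentation prefix, showing how a flood of sparse addresses in one /64 exhausts a shared cache and how a per-/64 quota (a hypothetical knob in this model, not any vendor's feature) confines the damage to that link.

```python
# Added example: minimal router neighbour-cache model (not real router code).
import ipaddress
from collections import defaultdict


class NeighbourCache:
    """Toy neighbour cache keyed on the on-link /64 of each destination."""

    def __init__(self, total_limit, per_prefix_limit=None):
        self.total_limit = total_limit          # router-wide entry budget
        self.per_prefix_limit = per_prefix_limit  # hypothetical per-/64 quota
        self.entries = set()
        self.per_prefix = defaultdict(int)

    def on_packet_to(self, dst):
        """A packet for an on-link destination arrives; the router must resolve it."""
        addr = ipaddress.IPv6Address(dst)
        if addr in self.entries:
            return "hit"
        prefix = ipaddress.IPv6Network(f"{addr}/64", strict=False)
        if self.per_prefix_limit is not None and self.per_prefix[prefix] >= self.per_prefix_limit:
            return "dropped_prefix_quota"   # only this /64 is affected
        if len(self.entries) >= self.total_limit:
            return "dropped_cache_full"     # exhaustion hits every link on the router
        self.entries.add(addr)
        self.per_prefix[prefix] += 1
        return "resolving"


def simulate(per_prefix_limit):
    """Constructed scenario: 1000 distinct sparse addresses in one /64, then a
    legitimate host on a different /64. Returns what happened to the latter."""
    cache = NeighbourCache(total_limit=1000, per_prefix_limit=per_prefix_limit)
    burst_prefix = ipaddress.IPv6Network("2001:db8:1:1::/64")
    for i in range(1, 1001):
        cache.on_packet_to(burst_prefix[i * 0x1234567])  # sparse, unguessable IIDs
    victim = cache.on_packet_to("2001:db8:1:2::10")
    return {"victim": victim, "entries": len(cache.entries)}


if __name__ == "__main__":
    print("no quota:  ", simulate(None))   # victim dropped, cache full
    print("quota 100: ", simulate(100))    # victim resolved, burst capped at 100
```

Without the quota the other link's host is collateral damage; with it, the burst prefix loses only its own share of the cache.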