IETF Logo Mail Archive

Re: draft-bourbaki-6man-classless-ipv6-00

Ca By <cb.list6@gmail.com> Sun, 04 June 2017 14:01 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6D82129AE0 for <ipv6@ietfa.amsl.com>; Sun, 4 Jun 2017 07:01:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.151
X-Spam-Level:
X-Spam-Status: No, score=0.151 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7FpQtjzdI1F for <ipv6@ietfa.amsl.com>; Sun, 4 Jun 2017 07:01:07 -0700 (PDT)
Received: from mail-yb0-x233.google.com (mail-yb0-x233.google.com [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E246129505 for <ipv6@ietf.org>; Sun, 4 Jun 2017 07:01:07 -0700 (PDT)
Received: by mail-yb0-x233.google.com with SMTP id 202so27524119ybd.0 for <ipv6@ietf.org>; Sun, 04 Jun 2017 07:01:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4e9oMHUfxTkpPjp+CzKulXB8NCs95Fqxa/4fIz7K/7E=; b=kGLYJx80vAZKgiBdXXzZ5qSdW2v1TAsiMHOUboXItUAkxgCspZ4fGzgWQtzmQw84sL 0BG8vquJ43Nj/+xQFutYjEfoVhAa2pjEOEI1wQna0oGCT9ZmE9AzImls5eQiW8A0zPPC uCx8CU3VmfUN0roERScpZrGNmCwXLT/t0UOiavrudotHdJIqJF+5gChbCmgLAFbOtezO CJcHNmKK/Wfj5pzjze160bfMzFEIi4Hja57/CwGuC7R2sy8MaXGtBZlHfhcGrxruez8m Swd8/tJeHoY6ceksL2lPtoinO17zGtaThrBiHvRtYr01sS27VZ057kZmfbKGh0YBgHkz gCRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4e9oMHUfxTkpPjp+CzKulXB8NCs95Fqxa/4fIz7K/7E=; b=hjHlbIj7UB27d7LKg/64FylLdMiIq/gHur+etjmc//UqDnaMs5ZMOY6k4XkjEVdwi3 5E+tzzJ1cP5GgUkq7ioa753+sqc46uwWsGhbMbhV3jhurCm5dt70sNoMCnLab/fLdYBh i6+lT83gjkR325VlZOLMgibd1z7tMLQ771tPq+GSTQfZ1bHFa+V/k2a81pCeTiWdQcEx rllBsD5LzKQYJ/9v7aUIzp0GbQn0i7FYcc3ynkq7/a7TTbaJz7a2Q9mJReyZm3ozoZkx VyehdT75RnbWHedvPzEpIWT3fJtMXtvbg7rtDiX6XS3OTXa07PVYCEEa4bZZ2P9pYy6u zvGA==
X-Gm-Message-State: AODbwcDO835cfcdrqzuITgyU/rTsatA+DREKgW1H/Ic/wl82yAXuqIN5 1nwvq/vo/oPNdCytq1BhiaxQ2w9YaA==
X-Received: by 10.37.54.20 with SMTP id d20mr6308598yba.191.1496584866428; Sun, 04 Jun 2017 07:01:06 -0700 (PDT)
MIME-Version: 1.0
References: <20170602141112.x64nleqclygz7dwd@Vurt.local> <20170602141259.GD30896@gir.theapt.org> <CAKD1Yr0DtQYvCYLQexhXe_nhb5rjeyhnB4bCveqyO5Xbuwdg1A@mail.gmail.com> <CAKFn1SEdjhsQ3tKPZdbdfF4ArDzw-FZfjQT68gV55Fc-5vzBvw@mail.gmail.com> <CAKD1Yr3ppM0UF8HoN8PgS7F0iEmK26ebiuJK=tkAdZnuLWpkZg@mail.gmail.com> <CAKFn1SHASt34ihJmGN0iRFQQzLTMspZfxXHgBjBatXXcRYF4cw@mail.gmail.com> <20170604093119.nt733rb3ymmjssww@Vurt.local> <m1dHTLx-0000DcC@stereo.hq.phicoh.net> <CAKD1Yr0ZZwRar6D-2bkXBKPYehqqW99+BMtDOjyovR8WDXKzxw@mail.gmail.com>
In-Reply-To: <CAKD1Yr0ZZwRar6D-2bkXBKPYehqqW99+BMtDOjyovR8WDXKzxw@mail.gmail.com>
From: Ca By <cb.list6@gmail.com>
Date: Sun, 04 Jun 2017 14:00:55 +0000
Message-ID: <CAD6AjGTjikAWutcenW8qn7OW8kPM9c_x_yDUy5vQxJmXKL85dg@mail.gmail.com>
Subject: Re: draft-bourbaki-6man-classless-ipv6-00
To: Lorenzo Colitti <lorenzo@google.com>, Philip Homburg <pch-ipv6-ietf-4@u-1.phicoh.com>
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1b1dd0576672055122d1a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/oftDFt3FBjc_oxhmRIhNbLMm_cM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jun 2017 14:01:09 -0000

On Sun, Jun 4, 2017 at 6:10 AM Lorenzo Colitti <lorenzo@google.com> wrote:

> On Sun, Jun 4, 2017 at 8:05 PM, Philip Homburg <
> pch-ipv6-ietf-4@u-1.phicoh.com> wrote:
>
>> Moving on to a network architecture point of view, when using pseudo
>> random
>> IIDs there will be a longest prefix that can be supported. Lets say for
>> the
>> sake of argument we can support of /96.
>>
>> Then the effect will be that if in the future hosts support SLAAC upto /96
>> then we are back at the same hard limit. We have just moved be boundary by
>> 32 bits.
>>
>
> That's *exactly* right.
>
>
>> There is no reason to expect this to change if we make longer prefixes
>> possible.
>> It is just that end users will then end up with a /96 and find that they
>> can't subdivide it any further.
>>
>
> Right. So then someone will say, "we need to extend the network at the
> edges!". And we move the boundary again, to /112. And then to 120, and then
> to /124, until we get to one /128 per device. But long before that, a)
> SLAAC is dead because there's not enough space in the prefix to form a
> random IID, b) the hosts start doing NAT because they don't want to waste
> their time. We now have 128-bit IPv4. Except that at least in IPv4, address
> shortage was real. In IPv6 it isn't.
>
> Or, if we remove the boundaries altogether, we end up with /128 straight
> away, because operational consistency. We now have 128-but IPv4 again.
>

Assuming the above path is true ....

A 64 bit random iid is a very real security advantage.  i will point out
that things like the recent "wannacry" worm (like many worms before it)
relied on dense guessable host ip addressing scheme that make address
scanning effective.

Making small guessable prefixes increases discoverability and decreases
security. Please update the security section to include this massive
regression in security  posture for ipv6 that favors known and commonly
used network scanning malware techniques of ipv4 will now be used in ipv6.


--------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email