Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
Emmanuel Thierry <ml@sekil.fr> Fri, 10 January 2014 10:57 UTC
Return-Path: <ml@sekil.fr>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15F901AD738 for <ipv6@ietfa.amsl.com>; Fri, 10 Jan 2014 02:57:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVeUqGZiNONJ for <ipv6@ietfa.amsl.com>; Fri, 10 Jan 2014 02:57:16 -0800 (PST)
Received: from host1.ip6-networks.net (host1.ip6-networks.net [95.130.10.56]) by ietfa.amsl.com (Postfix) with ESMTP id 7FDB21AD93D for <ipv6@ietf.org>; Fri, 10 Jan 2014 02:57:16 -0800 (PST)
Received: from [IPv6:2001:660:7301:3728:226:b0ff:fefa:237d] (unknown [IPv6:2001:660:7301:3728:226:b0ff:fefa:237d]) by host1.ip6-networks.net (Postfix) with ESMTPSA id 305C76054E for <ipv6@ietf.org>; Fri, 10 Jan 2014 11:57:04 +0100 (CET)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Apple Message framework v1085)
Subject: Re: [Fwd: I-D Action: draft-carpenter-6man-why64-00.txt]
From: Emmanuel Thierry <ml@sekil.fr>
In-Reply-To: <52CFB51E.60501@gmail.com>
Date: Fri, 10 Jan 2014 11:57:00 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <CBDF0DD5-D5EF-41D1-AF7A-B7552105D9D0@sekil.fr>
References: <52C9D788.8060606@gmail.com> <F0C49F28-42D5-49CD-AF4E-DFE65CF8B911@sekil.fr> <52CFB51E.60501@gmail.com>
To: 6man <ipv6@ietf.org>
X-Mailer: Apple Mail (2.1085)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 10:57:19 -0000
Hello, Thanks for your answer. Le 10 janv. 2014 à 09:53, Alexandru Petrescu a écrit : > Hello, > > Thanks for the post. > > I could understand the need to spam block an entire /64 instead (a > single line in a configuration file) rathern than 2^64 lines each > telling an address in that file. > > Yes, this is relevant when writing other firewalling rules as well. > > In this sense it is good to have an 'overall' number - like a /64 - to > designate one particular link and subnet. > > And one may like to use other such overall numbers such as a /65 or a > /63 to designate these links. > > And yes, the privacy extensions RFC4941 makes that attacker may use that > overall number /64 to generate addresses, and defender may need to use > same number /64 to comfortably protect against it. A smarter attacker > would use a /63 and a smarter defender too. Definitely. However, as an attacker, having a smaller prefix than a IPv6 /64 to exploit for your attack could correspond in IPv4 to use a smaller prefix than /32. I mean that as a defender, i would use against an attacker who smartly uses its /63 or smaller, the same techniques than an attacker who have access to an IPv4 /31 or smaller: blacklist sequentially all IPv6 /64 that this attacker is using. So anyway, a /64 boundary would at least help to leverage the problem. This could also be a good hint to network operators or hosters. Some virtual machine providers (for instance) divide their /64 into smaller prefixes (i saw /96), which may imply that a bad behavior from one of their clients might influence other servers. I think there should be a clear mention of the consequences it may have. Such a mention may help to promote best practices (TODO: define best practices). Best regards Emmanuel Thierry > > Le 09/01/2014 18:51, Emmanuel Thierry a écrit : >> Hello, >> >> (first message on these lists, hope it is accurate) >> >> I'm generally thinking that the /64 limit helps to structure the >> address space from the receiver point of view. Let's say i'm running >> a mail server which tries to reduce spam by temporarily blacklisting >> some senders. if i'm facing spammers who use their IPv6 address >> space in a smart way, they will just have to generate RFC 4941 >> addresses to exhaust a firewall memory. The pragmatic way to face >> such attacks is to blacklist the whole /64, never a unique /128. >> >> I don't know if it is to be considered as a best practice, but for >> these reasons, as a receiver, i personally consider a /64 to be >> assigned to a unique link, or at least a network managed by a unique >> network administrator. Enforcing this limit in protocol standards >> strengthen this assumption. This might be an additional argument for >> the "please keep /64 for unique links". >> >> As a consequence, subdivide a /64 into several prefixes in order to >> assign it on several networks might create a risk for devices on one >> network to be blacklisted by actions performed by some devices on >> another network, in case the whole /64 have been blacklist by a >> "pragmatic" receiver. >> >> Best regards Emmanuel Thierry >> >> Le 5 janv. 2014 à 23:07, Brian E Carpenter a écrit : >> >>> Hi, >>> >>> A group of us put this together following a discussion some weeks >>> ago on the v6ops list about the 64-bit boundary in IPv6 addresses. >>> Discussion belongs in 6man, please. >>> >>> This draft is incomplete but we'd welcome input. Let me underline >>> an important comment in the introduction: >>> >>> _The purpose of this document is to analyse the issues around this >>> question. We make no proposal for change, but we do analyse the >>> possible effects of a change._ >>> >>> >>> Brian + co-authors >>> >>> -------- Original Message -------- Subject: I-D Action: >>> draft-carpenter-6man-why64-00.txt Date: Sun, 05 Jan 2014 13:59:17 >>> -0800 From: internet-drafts@ietf.org Reply-To: >>> internet-drafts@ietf.org To: i-d-announce@ietf.org >>> >>> >>> A New Internet-Draft is available from the on-line Internet-Drafts >>> directories. >>> >>> >>> Title : Analysis of the 64-bit Boundary in IPv6 >>> Addressing Authors : Brian Carpenter Tim Chown Fernando >>> Gont Sheng Jiang Alexandru Petrescu Andrew Yourtchenko Filename : >>> draft-carpenter-6man-why64-00.txt Pages : 14 Date : >>> 2014-01-05 >>> >>> Abstract: The IPv6 unicast addressing format includes a separation >>> between the prefix used to route packets to a subnet and the >>> interface identifier used to specify a given interface connected >>> to that subnet. Historically the interface identifier has been >>> defined as 64 bits long, leaving 64 bits for the prefix. This >>> document discusses the reasons for this fixed boundary and the >>> issues involved in treating it as a variable boundary. >>> >>> >>> The IETF datatracker status page for this draft is: >>> https://datatracker.ietf.org/doc/draft-carpenter-6man-why64/ >>> >>> There's also a htmlized version available at: >>> http://tools.ietf.org/html/draft-carpenter-6man-why64-00 >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------- >>> >>> >>> > IETF IPv6 working group mailing list >>> ipv6@ietf.org Administrative Requests: >>> https://www.ietf.org/mailman/listinfo/ipv6 >>> -------------------------------------------------------------------- >> >>> >>> >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list ipv6@ietf.org Administrative >> Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- >> >> > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- [Fwd: I-D Action: draft-carpenter-6man-why64-00.t… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Templin, Fred L
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… George Michaelson
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Ray Hunter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Lorenzo Colitti
- Zillions of addresses [Fwd: I-D Action: draft-car… Brian E Carpenter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Ray Hunter
- Re: Zillions of addresses [Fwd: I-D Action: draft… Tim Chown
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Alexandru Petrescu
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Emmanuel Thierry
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith
- RE: [Fwd: I-D Action: draft-carpenter-6man-why64-… Christian Huitema
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Brian E Carpenter
- Re: [Fwd: I-D Action: draft-carpenter-6man-why64-… Mark ZZZ Smith