Re: you have running code ... I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Nick Hilliard <nick@foobar.org> Mon, 05 November 2018 12:13 UTC

Subject: Re: you have running code ... I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Cc: ipv6@ietf.org
References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <6264F7A1-59EB-467D-A576-E5F2F0DEE7DD@lists.zabbadoz.net> <CACWOCC-xL0PfkNHgCqhB28GE-jCWUUagQE4PukdpXK+YHgWpyg@mail.gmail.com> <97ba35ff-b4a7-314c-3010-297d06be645d@foobar.org> <01c2a55e-1888-3ebc-3252-11b9005b8272@gmail.com> <0abd7b4d-b0e0-b1bc-2468-678befbc7cac@asgard.org> <3e155df0-5799-8788-5fbe-767a7421828c@gmail.com> <18646396-e3f7-b9ad-3871-69868468859a@asgard.org> <d080497b-4f39-b877-1524-f23d9b1446e0@gmail.com> <95654922-acd1-3cb3-c650-942c97e3cc85@asgard.org> <cb3e14a8-91d7-f247-e6aa-d08f38b58bc5@gmail.com> <b067b06e-084b-b32f-21fb-137b39985b83@foobar.org> <95330b88-890b-731e-236b-e25d96c738d6@gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <219d0746-affa-a993-9b0e-fa12b79383ae@foobar.org>
Date: Mon, 05 Nov 2018 12:13:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/q3-p0NWxZcm5NkPyF8tRHaQzWfQ>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Alexandre Petrescu wrote on 05/11/2018 11:49:
> Well, there is the Secure Neighbor Discovery protocol (SeND).  With it, 
> one can claim the link to be secure if IPv6-only and insecure if IPv4 is 
> present.

Well, there isn't, because the presence or absence of SEND won't stop 
anyone from using IPv4, particularly if the use case is malicious.

> Simpler but less strong than SeND, there can be mechanisms to ensure a 
> certain level of security about the MAC address in the L2 header of the 
> RA.

"Secure" MAC addresses can only be deployed if the network supports L2 
filtering at the user edge, in which case the IPv6-only flag is largely 
pointless because you can make IPv4 go away with the same style of ACL, 
with the added benefit that it will actually make your network IPv6-only.

Nick
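The per-port L2 policy Nick describes, written out as an added example (this is not code from the thread, from 6man, or from any switch vendor): an EtherType ACL on a user-edge port that discards IPv4 and ARP, so the port really is IPv6-only, with the same style of rule pinning Router Advertisements to one permitted source MAC. The MACs, link-local addresses and frames below are constructed for the example; the extension-header walk and the fragment handling are design choices taken from RFC 7113 and RFC 6980 rather than anything the thread specifies.

```python
"""Model of an IPv6-only user-edge port filter (added example, constructed data)."""
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
IPPROTO_ICMPV6, ICMPV6_RA = 58, 134
EXT_WITH_LEN = {0, 43, 60}   # hop-by-hop, routing, dest-options: nh at byte 0, len at byte 1
EXT_FRAGMENT = 44            # fragment header: fixed 8 octets, nh at byte 0


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def walk_ipv6(pkt: bytes):
    """Return (upper_layer_protocol, upper_layer_payload, fragmented).

    Walks the extension-header chain so an RA cannot be hidden behind a
    hop-by-hop or destination-options header (the RA-Guard evasion RFC 7113 covers).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, fragmented = pkt[6], 40, False
    while True:
        if nh in EXT_WITH_LEN:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == EXT_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated fragment header")
            nh, off, fragmented = pkt[off], off + 8, True
        else:
            return nh, pkt[off:], fragmented


def edge_port_policy(frame: bytes, router_mac: bytes):
    """Decide (action, reason) for one frame received on a user-edge port."""
    try:
        _dst, src, etype, payload = parse_ethernet(frame)
        if etype in (ETH_IPV4, ETH_ARP):
            return "drop", "ipv4-or-arp"            # the port is IPv6-only
        if etype != ETH_IPV6:
            return "drop", "ethertype-not-permitted"  # default deny
        proto, l4, fragmented = walk_ipv6(payload)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if proto == IPPROTO_ICMPV6:
        if fragmented:
            # ND is never legitimately fragmented (RFC 6980); we cannot inspect it reliably.
            return "drop", "fragmented-icmpv6"
        if l4 and l4[0] == ICMPV6_RA:
            if src != router_mac:
                return "drop", "ra-from-unauthorised-mac"
            return "accept", "ra-from-router"
    return "accept", "ipv6"


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", etype) + payload


def build_ipv6(src: bytes, dst: bytes, nh: int, payload: bytes) -> bytes:
    # version 6, traffic class 0, flow label 0, hop limit 255 (as ND requires)
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + dst + payload


# Constructed identifiers (locally administered MACs, made-up link-locals).
ROUTER_MAC = bytes.fromhex("02000000aa01")
HOST_MAC = bytes.fromhex("02000000bb02")
ROGUE_MAC = bytes.fromhex("02000000cc03")
ALL_NODES_MAC = bytes.fromhex("333300000001")          # ff02::1 mapped to Ethernet
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")
LL_ROUTER = bytes.fromhex("fe80" + "00" * 6 + "0000000000aa0001")
LL_HOST = bytes.fromhex("fe80" + "00" * 6 + "0000000000bb0002")
LL_ROGUE = bytes.fromhex("fe80" + "00" * 6 + "0000000000cc0003")
# RA: type 134, code 0, checksum left zero (not validated here), hop limit 64, lifetime 1800
RA = bytes([ICMPV6_RA, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)
HBH = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])    # hop-by-hop header carrying one PadN option

SAMPLE_FRAMES = {
    "ipv4": build_frame(ALL_NODES_MAC, HOST_MAC, ETH_IPV4, bytes([0x45]) + bytes(19)),
    "arp": build_frame(b"\xff" * 6, HOST_MAC, ETH_ARP, bytes(28)),
    "ra-router": build_frame(ALL_NODES_MAC, ROUTER_MAC, ETH_IPV6,
                             build_ipv6(LL_ROUTER, ALL_NODES, IPPROTO_ICMPV6, RA)),
    "ra-rogue": build_frame(ALL_NODES_MAC, ROGUE_MAC, ETH_IPV6,
                            build_ipv6(LL_ROGUE, ALL_NODES, IPPROTO_ICMPV6, RA)),
    "ra-rogue-hbh": build_frame(ALL_NODES_MAC, ROGUE_MAC, ETH_IPV6,
                                build_ipv6(LL_ROGUE, ALL_NODES, 0, HBH + RA)),
    "udp-host": build_frame(ROUTER_MAC, HOST_MAC, ETH_IPV6,
                            build_ipv6(LL_HOST, LL_ROUTER, 17, bytes(8))),
    "runt": bytes(9),
}


def run_sample(router_mac: bytes = ROUTER_MAC):
    """Apply the policy to every sample frame; returns {name: (action, reason)}."""
    return {name: edge_port_policy(f, router_mac) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_sample().items():
        print(f"{name:14s} {action:6s} {reason}")
```

The point of the example is the one Nick makes: once a port can be told to drop by EtherType and to accept RAs only from one MAC, the same mechanism removes IPv4 and ARP from the segment outright, which is what an "IPv6-only" flag in an RA can only assert. A real RA guard also has to reassemble or drop fragmented ND and walk every extension-header type it forwards; the walk above covers only hop-by-hop, routing and destination options.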