[IPv6] Can We Turn the Global Network into a Firewall Protecting All End Users?
Hubert W <hubert.wisniewski@gmail.com> Tue, 23 April 2024 06:51 UTC
From: Hubert W <hubert.wisniewski@gmail.com>
Date: Tue, 23 Apr 2024 08:51:41 +0200
Message-ID: <CAMkkUf3UqjJbuBQwvaOAsV=4VwPYBCUTBNLfUB2ZF4gAv4CHnQ@mail.gmail.com>
To: ipv6@ietf.org, 6lo@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/t41NnlbWv75jBpc6x4hbRTHHor8>
Subject: [IPv6] Can We Turn the Global Network into a Firewall Protecting All End Users?
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Dear WG,

I woke up with one idea and I would like to challenge it.

In IPv6, every device receives a routable address. To protect endpoints effectively, we require firewalls to filter unwanted traffic. But what if we could stop such traffic at the source? Could this approach convince more people to adopt IPv6?

According to RFC 7381:
“In a /48 assignment, typical for a site, there are then still 65,535 /64 blocks.”
and
“All user access networks should be a /64.”

Can we then use bit 63 to convey a message: “I don’t want any incoming traffic initiated towards me!!!”? Of course a response would be accepted.

We could divide the /64 allocations into two groups:
one for servers, and these accept incoming traffic (bit 63 = 0): for example 2001:0db8:0000:0000::/64
And the second group: endpoints, these never accept incoming traffic (bit 63 = 1): for example 2001:0db8:0000:0001::/64

We only need all systems to understand the message. If a router or firewall sees such a packet, then it drops it. Every TCP packet with the SYN flag, where the destination address (IPv6) has bit 63 equal to 1, must be dropped.

Would it be theoretically possible?

Best regards
Hubert Wisniewski
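
The rule proposed in the message above, written out as a packet classifier. This is an added example, not part of the original post: the function names are hypothetical, the packets are constructed, and it assumes "SYN" means an initial SYN (SYN set, ACK clear) so that SYN-ACK replies to endpoint-initiated connections are still forwarded.

```python
import ipaddress
import struct

TCP = 6                 # IPv6 Next Header value for TCP
SYN, ACK = 0x02, 0x10   # TCP flag bits

def no_inbound_bit(addr: str) -> bool:
    """True if bit 63 (bit 0 = most significant) of the address is 1,
    i.e. the last bit of the /64 prefix, as in 2001:db8:0:1::/64."""
    return bool((int(ipaddress.IPv6Address(addr)) >> 64) & 1)

def build_packet(src: str, dst: str, flags: int) -> bytes:
    """Constructed sample: 40-byte IPv6 header + 20-byte TCP header.
    Ports are arbitrary and the checksum is left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, flags, 65535, 0, 0)
    fixed = struct.pack("!IHBB", 6 << 28, len(tcp), TCP, 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + tcp)

def verdict(packet: bytes) -> str:
    """Apply the proposed rule to one raw IPv6 packet: 'drop' or 'forward'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "forward"                      # not IPv6: outside the proposal
    dst = int.from_bytes(packet[24:40], "big")
    if not (dst >> 64) & 1:
        return "forward"                      # bit 63 = 0: server group
    # The proposal names only TCP SYN. Anything else (UDP, ICMPv6, or TCP
    # behind an extension header) is not matched by the rule as written.
    if packet[6] != TCP or len(packet) < 54:
        return "forward"
    flags = packet[40 + 13]                   # TCP flags byte
    if flags & SYN and not flags & ACK:
        return "drop"                         # unsolicited connection attempt
    return "forward"                          # SYN-ACK, ACK, FIN, RST, data

def demo() -> dict:
    """Run the rule over four constructed packets from an outside host."""
    outside = "2001:db8:ffff::1"
    endpoint, server = "2001:db8:0:1::10", "2001:db8:0:0::10"
    return {
        "syn_to_endpoint": verdict(build_packet(outside, endpoint, SYN)),
        "synack_to_endpoint": verdict(build_packet(outside, endpoint, SYN | ACK)),
        "ack_to_endpoint": verdict(build_packet(outside, endpoint, ACK)),
        "syn_to_server": verdict(build_packet(outside, server, SYN)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rule is stateless, so the classifier cannot tell whether a SYN-ACK or ACK addressed to an endpoint actually answers anything the endpoint sent; only a stateful device near the endpoint can check that.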