IETF Logo Mail Archive

Re: A Plea for Architectural & Specification Stability with IPv6

Glen Turner <gdt@gdt.id.au> Mon, 24 March 2014 02:09 UTC

Return-Path: <gdt@gdt.id.au>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49C5C1A00A7 for <ipv6@ietfa.amsl.com>; Sun, 23 Mar 2014 19:09:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.207
X-Spam-Level:
X-Spam-Status: No, score=-1.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UVHu6IsRFEc for <ipv6@ietfa.amsl.com>; Sun, 23 Mar 2014 19:09:29 -0700 (PDT)
Received: from neotokyo.gdt.id.au (neotokyo.gdt.id.au [IPv6:2001:388:4000:4001:ba27:ebff:fed3:9fa1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B211A00A6 for <ipv6@ietf.org>; Sun, 23 Mar 2014 19:09:28 -0700 (PDT)
Received: from thrace.44ansell.gdt.id.au (eth6445.sa.adsl.internode.on.net [150.101.30.44]) by neotokyo.gdt.id.au (Postfix) with ESMTPSA id CB9B61FA0C7D; Mon, 24 Mar 2014 12:36:41 +1030 (CST)
Subject: Re: A Plea for Architectural & Specification Stability with IPv6
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Glen Turner <gdt@gdt.id.au>
In-Reply-To: <75B6FA9F576969419E42BECB86CB1B891162D486@xmb-rcd-x06.cisco.com>
Date: Mon, 24 Mar 2014 12:39:20 +1030
Content-Transfer-Encoding: quoted-printable
Message-Id: <98F0E9C9-6867-409D-8A91-B4AD3FAC1A7F@gdt.id.au>
References: <E2C06D73-99FF-42B5-A3BE-337C307BCB0E@gmail.com> <84411F3C-455C-4382-88E2-8EE397A907B9@gdt.id.au> <0E222788-7CDA-4962-B03B-BD069956A471@employees.org> <5AFA59A4-A4F1-48C4-B402-0CAA1E752ED1@gdt.id.au> <75B6FA9F576969419E42BECB86CB1B891162D486@xmb-rcd-x06.cisco.com>
To: "Hemant Singh (shemant)" <shemant@cisco.com>
X-Mailer: Apple Mail (2.1283)
X-Virus-Scanned: clamav-milter 0.97.8 at neotokyo
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/wLH80QwPbRmgFTJjZjjETNc8mZU
Cc: RJ Atkinson <rja.lists@gmail.com>, 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Mar 2014 02:09:30 -0000

Hemant Singh wrote:

> ACL and source address for protocols should use the network interface of the card to be immune to card replacement.

ACLs could use interface names, but none of the vendors I know offer a facility like:
  ipv6 access-list ILLUSTRATIVE-EXAMPLE
   permit My_IP(Ethernet0)

I can understand that from a vendor's point of view. It does seem like a rather fragile feature (you've got to remember to rewrite ACLs into the line card ASIC or TCAM every time a interface flaps and every time a SLAAC or DHCP address expires). Having said that, "permit My_IP(*)" would be a godsend to anyone writing code to protect the router from abuse.

>  It is also realistic that if a card is replaced, some configuration may need to change

Firstly, card swaps and router configuration changes are not done by the same people. Involving two groups of people in a card change leads to considerably more cost. Secondly, there's the issue of certainty: were all ACLs, etc updated? This gives a card swap a risk which didn't previously exist.

>  The router interface can also use SLAAC to obtain its ipv6 global address.

No point, you have to predict the SLAAC address to be able to protect the router against attacks on that address and then use that address in ACLs. So you get all the fragility and vulnerability to SLAAC-based attacks but don't get automated configuration of the entire interface-referencing configuration.

> mac-address 0000.0101.9843

Using locally-administered MAC addresses does seem the only reasonable way forward, but again this increases the cost of deployment of IPv6 compared with other protocols (now we need a scheme for assigning local MAC addresses).

Of course there is an Internet-Draft in the works to remove the relationship between MAC address and the interface ID. I would have liked that draft or draft-gont-6man-deprecate-eui64-based-addresses to SHOULD allow the static configuration of interface IDs within a subnet of host using draft-ietf-6man-stable-privacy-addresses.

I do take Brian's point:

> Regardless, there's no recent spec change that "MUST NOT"s small integer IIDs, afaik.

and so I will take this up with the vendor and ask which specification they were relying upon.

Best wishes to all,
glen

v2.23.0 | Report a Bug | By Email