Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)

Ca By <cb.list6@gmail.com> Thu, 16 November 2017 18:26 UTC

In-Reply-To: <75C8CD33-AF67-4669-8548-EF318FC69BDE@jisc.ac.uk>
From: Ca By <cb.list6@gmail.com>
Date: Thu, 16 Nov 2017 18:26:35 +0000
Message-ID: <CAD6AjGR3ZORGCz-71VBPTmC16xQjeHYEiYngC2KV126XE1zTPQ@mail.gmail.com>
Subject: Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
To: Tim Chown <Tim.Chown@jisc.ac.uk>
Cc: 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>, Ole Troan <otroan@employees.org>, james woodyatt <jhw@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/zGd23vFsbh12scciIdYJ8iK91k4>

On Thu, Nov 16, 2017 at 7:26 AM Tim Chown <Tim.Chown@jisc.ac.uk> wrote:

> > On 16 Nov 2017, at 12:42, Ca By <cb.list6@gmail.com> wrote:
> >
> > On Thu, Nov 16, 2017 at 1:53 AM Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> > Hi,
> >
> > > On 15 Nov 2017, at 23:04, james woodyatt <jhw@google.com> wrote:
> > >
> > > On Nov 15, 2017, at 13:47, Ole Troan <otroan@employees.org> wrote:
> > >>
> > >>>> IMHO the optimal solution is:
> > >>>> - the network SHOULD provide a host with NAT64 prefix information in RA;
> > >>>
> > >>> Disagree. If the network has NAT64, then it should deploy RFC 7225. Ye gods, this is the very last thing that should be jammed into RA messages.
> > >>
> > >> Do we really want PCP in IPv6?
> > >
> > > If we have any kind of NAT, then we need PCP. Using NAT without PCP considered harmful. That goes for NAT64 and NAT66.
> >
> > And PCP is still needed to negotiate firewall holes in a pure IPv6 scenario, isn’t it? Assuming the host with PCP is behind Simple Security.
> >
> > A question: is this something we should consider for RFC6434-bis, or should we be silent on PCP?
> >
> > No
> >
> > >> Is PCP successful in IPv4?
> > >
> > > Well, there was this: <https://www.ietf.org/proceedings/88/slides/slides-88-pcp-5.pdf>
> > >
> > >> Or does it even work well with A+P based solutions?
> > >
> > > Designed expressly for it.
> >
> > I assumed PCP was designed with an eye firmly on future routed home networks where firewall holes need to be opened. What is the alternative?
> >
> > The alternative is a secure host and no firewall. There is no firewall at the ietf conference right now, right? Are you secure? Is there a malware outbreak?
>
> Yet in practice pretty much every ISP deploying IPv6 to residential is
> doing so with RFC 6092, or stricter. Perhaps with a toggle to turn off
> firewalling, but that’s the reality.
>

Yes, security FUD marketing is very real.

Speaking for one largish mobile network ipv6 deployment, we have not had
any issues related to lack of stateful traffic inspection in the last 4
years of ipv6 deployment. So if we are doing a science experiment, we have
a control group which has fared the same as the experimental group.

I will accept landlines are a slightly different animal.


> OTOH it seems that PCP support in hosts / CPEs isn't exactly widespread.
>
> > The fatal flaw in PCP (aside from the name) is that it assumes the host needs protection yet it gives the host the power to control the firewall. Next gen malware will come via email (just like today), it will encrypt your hard drive, and then set up a c2 network on your pc via pcp controls. Sad!
>
> True, and that happens with UPnP today...
>
> Tim