IETF Logo Mail Archive

Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 15 August 2012 07:49 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AC5521F86F9; Wed, 15 Aug 2012 00:49:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.205
X-Spam-Level:
X-Spam-Status: No, score=-101.205 tagged_above=-999 required=5 tests=[AWL=-0.114, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yv0ZJL7AE4hh; Wed, 15 Aug 2012 00:49:50 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id D0C9121F86F4; Wed, 15 Aug 2012 00:49:43 -0700 (PDT)
Received: by wgbdr13 with SMTP id dr13so770719wgb.13 for <multiple recipients>; Wed, 15 Aug 2012 00:49:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=qNW3F+b6iZPt2Xe+CpdpbVkEFSTN0r+Hu/4rtyyF/DE=; b=GWZppTwJNQoAbKd7bJX2S8tmsJZMOOw3RVJEfYHQGNU3Gtyn7yPabAWkhB64pBXE6Y dIabxXEKb9BKUnMGJqBqHJfbpyBUSHC19lbs1QqgNl+3zgCXl91t0uVKww3aYTYPSzrS FX47Tc76ex/FGGUxSoaAStSLZi1ZcsCL4bnNXTJO9OmXEma4hAdhPnoIBodyrKG8SOmd G/Ag6b05HZo/8QlufUVMutrvb+JeTlaEPho0SkSjAQcriOuCjJMB2vTMkxz71IhXUEyz CXsvRxm6zYR5JfHhORpSPix79U92OOeBrs9oDCzonP/299qsXVT6JRObhrsjQgWqt185 MlmA==
Received: by 10.180.82.39 with SMTP id f7mr35011356wiy.2.1345016982841; Wed, 15 Aug 2012 00:49:42 -0700 (PDT)
Received: from [192.168.1.65] (host-2-102-218-63.as13285.net. [2.102.218.63]) by mx.google.com with ESMTPS id fr4sm2366457wib.8.2012.08.15.00.49.41 (version=SSLv3 cipher=OTHER); Wed, 15 Aug 2012 00:49:41 -0700 (PDT)
Message-ID: <502B549A.4010708@gmail.com>
Date: Wed, 15 Aug 2012 08:49:46 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com>
In-Reply-To: <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)" <draft-behringer-lla-only@tools.ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2012 07:49:51 -0000

Carlos,

On 14/08/2012 22:08, Carlos Pignataro (cpignata) wrote:
> Michael, Brian,
> 
> Should "The Suggested Approach" http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1 also include some prescriptiveness or specific recommendation regarding the use of RFC 5837, instead of including that solution to interface identification as a "Caveats and Possible Workarounds" only?

I have no strong opinion on this. Just indicating the existence of 5837
seems OK, though.

Looking at the current text, it says that the loopback GUA MUST be used for all
ICMPv6 messages, which is good, but it also says
"ICMP error message can also be sourced from the global scope loopback address."
That seems unnecessary in view of the MUST, but in any case, s/can/will/.

Actually my main comment on the draft is on this text in the Introduction:

"We propose to configure neither globally routable IPv6 addresses nor
 unique local addresses on infrastructure links of routers, wherever
 possible.  We recommend to use exclusively link-local addresses on
 such links."

I suggest a more neutral approach, since some operators clearly prefer
to use GUAs:

 It is possible to configure neither globally routable IPv6 addresses nor
 unique local addresses on infrastructure links of routers. This document
 describes how to use exclusively link-local addresses on such links.

(and s/proposes/describes how/ in the Abstract)

Thanks
    Brian

> Thanks,
> 
> -- Carlos.
> 
> On Aug 6, 2012, at 5:24 AM, Brian E Carpenter wrote:
> 
>> Hi,
>>
>>>   o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>>      request ... can be addressed to loopback addresses of routers with
>>>      a global scope address.  Router management can also be done over
>>>      out-of-band channels.
>>>
>>>   o  ICMP error message can also be sourced from the global scope
>>>      loopback address.
>> These statements seem too weak. Using GUAs for ICMP in particular
>> needs to have a normative MUST somewhere (preferably in a BCP). In the
>> context of this Informational draft, the language needs to state a requirement
>> ("must" not "can") even if you don't use RFC 2119 terminology.
>>
>> This matters because packets with a LL source address MUST NOT be forwarded,
>> so a router that is misconfigured to send ICMP replies with a LL source
>> address breaks both ping and traceroute.
>>
>> I think the rule is that any packet that is *not* sent to a LL address must
>> have a GUA as the source address. That takes care of ICMP, and everything else
>> as well.
>>
>> Furthermore, that GUA needs to be associated with a prefix that belongs to
>> the organisation operating the router in question. Otherwise the traceroute
>> results can be very confusing. We discussed that on v6ops back in March.
>>
>> Regards
>>   Brian Carpenter
>>
>>
>>
>>
>> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>>> (distributed to OPSEC WG and in cc v6ops)
>>>
>>> Dear all,
>>>
>>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>>>
>>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>>>
>>> Ciao,
>>> G/, KK & Warren
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
> 
>

v2.23.0 | Report a Bug | By Email