Re: [OPSEC] ULAs [was WGLC for draft-ietf-opsec-v6]

james woodyatt <jhw@google.com> Wed, 19 April 2017 21:15 UTC

From: james woodyatt <jhw@google.com>
Date: Wed, 19 Apr 2017 14:15:53 -0700
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <CAKD1Yr019Ga4jg6gVUHnTwh89hWArXKdAcAYEcW0m4gskrO7Ow@mail.gmail.com> <098b84a4-80d4-2404-72a1-5d1cd32a9968@gmail.com>
To: "opsec@ietf.org" <opsec@ietf.org>, "v6ops@ietf.org WG" <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>
In-Reply-To: <098b84a4-80d4-2404-72a1-5d1cd32a9968@gmail.com>
Message-Id: <4E19A596-5B69-4535-A29A-D08874DDC365@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/O5zzbwt9pqVo_fb6033sFKok5eE>

On Apr 18, 2017, at 21:02, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> ULAs are intended for scenarios where IP addresses are not globally
> reachable, despite formally having global scope. They must not appear
> in the routing system outside the administrative domain where they
> are considered valid. Therefore, packets with ULA source and/or
> destination addresses MUST be filtered at the domain boundary.


I don't think it's quite right yet. It's greatly improved, but I have a quibble.

ULA are intended for scenarios where IP addresses are not *publicly* reachable. Nothing about them constrains their private routing or usage over any geographic area. They may appear as source or destination in packets in transit across any private routing system, including any system organized in a private multilateral agreement between domain administrators.

Therefore, packets with ULA source and/or destination addresses MUST be filtered at the public boundary of a routing domain, and SHOULD be filtered at private boundaries to limit their reachability according to local policy.

I would amend Brian’s proposed text for §2.1.2 Use of Unique Local Addresses like so:

>> Unique Local Addresses (ULA) [RFC4193] are intended for scenarios where IP addresses are not publicly reachable, despite their global address scope. They MUST NOT appear in the default-free routing domain of the public Internet, and gateways at the boundaries of private routing domains SHOULD NOT forward packets from or to ULA addresses where multilateral transit agreements do not explicitly recognize them.
>> 
>> Routing prefixes for ULA are /48 prefixes, and contain 40-bit pseudo-random global identifiers, which are generated according to [RFC4193]. They could be useful for infrastructure hiding as described in [RFC4864]. They could also be useful for communication between hosts in private routing domains, and private groups of autonomous routing systems organized by multilateral agreement. Hosts that require connectivity to the public Internet SHOULD communicate using publicly routed general-unicast (GUA) addresses. No form of address translation is required where ULA addresses for private connectivity are used in conjunction with GUA addresses for public connectivity.
>> 
>> The usage of ULA as described here could simplify the filtering rules needed at domain boundaries, by allowing a regime in which only hosts that require communication with the public are assigned general-unicast addresses (GUA). However, this does not remove the need for careful design of filtering rules at domain boundaries.


--james woodyatt <jhw@google.com <mailto:jhw@google.com>>
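As an added illustration that is not part of the thread, the Python below models the two points james makes: ULA /48 prefixes carry a 40-bit pseudo-random Global ID derived as RFC 4193 section 3.2.2 describes (SHA-1 over an NTP timestamp and an EUI-64, low-order 40 bits kept), and a boundary gateway drops ULA traffic at the public boundary while, at a private boundary, forwarding it only for prefixes that the local transit agreement explicitly recognizes. The EUI-64, timestamp, address values and the "recognized" list are constructed for the example.

```python
import hashlib
import ipaddress
import struct

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 ULA block
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # L bit set: locally assigned Global IDs


def generate_ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """Derive a locally assigned ULA /48 as in RFC 4193 section 3.2.2.

    Global ID = low-order 40 bits of SHA-1(64-bit NTP time || EUI-64).
    Prefix   = fd00::/8 | Global ID << 80, i.e. fdXX:XXXX:XXXX::/48.
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 identifier must be exactly 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)  # subnet ID and IID bits left zero
    return ipaddress.IPv6Network((prefix_int, 48))


def boundary_decision(src: str, dst: str, boundary: str, recognized) -> str:
    """Return 'forward' or 'drop' for a packet crossing a routing-domain boundary.

    boundary   -- 'public' (edge facing the default-free zone) or 'private'
                  (edge between privately interconnected domains).
    recognized -- iterable of ULA /48 strings the multilateral transit agreement
                  explicitly covers; consulted only at private boundaries.
    """
    if boundary not in ("public", "private"):
        raise ValueError("boundary must be 'public' or 'private'")
    addrs = [ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)]
    ula_addrs = [a for a in addrs if a in ULA_BLOCK]
    if not ula_addrs:
        return "forward"  # no ULA involved; GUA-to-GUA traffic is not our concern here
    if boundary == "public":
        return "drop"  # MUST be filtered at the public boundary
    nets = [ipaddress.IPv6Network(p) for p in recognized]
    # SHOULD NOT forward unless every ULA address is covered by an explicit agreement
    if all(any(a in n for n in nets) for a in ula_addrs):
        return "forward"
    return "drop"


if __name__ == "__main__":
    # Constructed sample inputs: not a real interface identifier or timestamp.
    p = generate_ula_prefix(bytes.fromhex("0211223344556677"), 0x1234567890ABCDEF)
    print(p, boundary_decision(f"{p.network_address + 1}", "2001:db8::1", "public", []))
```

At a private boundary the same function forwards only when both endpoints' ULA prefixes appear in the agreement, which is the "SHOULD NOT forward where multilateral transit agreements do not explicitly recognize them" clause.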