Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

"Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com> Mon, 06 August 2012 09:36 UTC

From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [v6ops] IPv6 LL-only as WG document - feedback requested
Date: Mon, 06 Aug 2012 09:36:18 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com>
In-Reply-To: <501F8D5F.5000805@gmail.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

Answer as individual contributor.

Fred B. and I wrote a draft that addresses exactly the traceability of interfaces without 
increasing the attack vector on interfaces: Passive IPv6 addresses

No new class of addresses at all... no new IANA allocation... just behaviour of the address:

1) It is configured as a normal address
2) Just an extra keyword attached to the address identifying its behaviour
3) It can only be used as a 'source' address
4) If it is used as a destination address, then when it reaches the router it is directed to the Null0 interface

This will help visibility of the trace-route in cases of LL-only...

G/


-----Original Message-----
From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
Sent: 06 August 2012 11:25
To: Gunter Van de Velde (gvandeve)
Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested

Hi,

>    o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>       request ... can be addressed to loopback addresses of routers with
>       a global scope address.  Router management can also be done over
>       out-of-band channels.
> 
>    o  ICMP error message can also be sourced from the global scope
>       loopback address.

These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.

This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.

I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.

Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.

Regards
   Brian Carpenter
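The two behaviours discussed above, Brian's rule that any packet not sent to a link-local destination must carry a GUA source, and Gunter's passive address that is valid only as a source and is sent to Null0 when used as a destination, modelled together in one small simulation. This is an example added by the editor, not code from draft-behringer-lla-only, from the passive-address draft, or from any router vendor. The Router class, the functions select_icmp_source, route_lookup and traceroute, the preference of the loopback GUA over the passive address as ICMP source, and the 2001:db8::/32 sample addresses are all assumptions made for illustration; the model also goes slightly beyond the thread by showing what a traceroute would display at each hop.

```python
"""Editor's example: ICMPv6 source selection on link-local-only router links.

Not code from either draft discussed in the thread. Assumptions: a router has
one link-local address per link (a single value suffices for the model), an
optional global-scope loopback address, and an optional hypothetical "passive"
GUA that may only ever appear as a source address. The documentation prefix
2001:db8::/32 is treated as global unicast here (Python's is_global would
reject it, so membership in 2000::/3 is used instead).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

GUA_BLOCK = ipaddress.IPv6Network("2000::/3")  # global unicast per RFC 4291


def is_gua(addr: ipaddress.IPv6Address) -> bool:
    return addr in GUA_BLOCK


@dataclass
class Router:
    name: str
    link_local: ipaddress.IPv6Address
    loopback_gua: Optional[ipaddress.IPv6Address] = None
    passive: Optional[ipaddress.IPv6Address] = None  # hypothetical: source-only GUA


def select_icmp_source(router: Router, dst: ipaddress.IPv6Address):
    """Choose the source for an ICMPv6 error the router originates toward dst.

    Rule from the thread: only a packet sent *to* a link-local destination may
    carry a link-local source; anything else must be sourced from a GUA,
    because link-local-sourced packets are never forwarded off-link.
    Returns None when the router has no usable GUA, i.e. the misconfiguration
    that breaks ping and traceroute through an LL-only link.
    """
    if dst.is_link_local:
        return router.link_local
    # Assumed preference: loopback GUA first, then the passive address.
    for cand in (router.loopback_gua, router.passive):
        if cand is not None and is_gua(cand):
            return cand
    return None


def route_lookup(router: Router, dst: ipaddress.IPv6Address) -> str:
    """Forwarding decision on the router that owns the addresses.

    A passive address is accepted as a source but, as a destination, is sent
    to Null0 (dropped) instead of being delivered to the control plane, so it
    adds no reachable management surface.
    """
    if router.passive is not None and dst == router.passive:
        return "Null0"
    if dst in (router.loopback_gua, router.link_local):
        return "local"
    return "forward"


def traceroute(path: list, probe_src: ipaddress.IPv6Address) -> list:
    """Simulate a traceroute from probe_src along path: the probe expires at
    each hop in turn and the hop answers with ICMPv6 Time Exceeded sourced
    per select_icmp_source. A hop with no valid source shows as '*'."""
    hops = []
    for hop in path:
        src = select_icmp_source(hop, probe_src)
        hops.append(str(src) if src is not None else "*")
    return hops


# Constructed sample topology (not from the thread).
PROBE_SRC = ipaddress.IPv6Address("2001:db8:1::10")
R1 = Router("r1", ipaddress.IPv6Address("fe80::1"),
            loopback_gua=ipaddress.IPv6Address("2001:db8:ffff::1"))
R2 = Router("r2", ipaddress.IPv6Address("fe80::2"))  # LL only, no GUA: misconfigured
R3 = Router("r3", ipaddress.IPv6Address("fe80::3"),
            passive=ipaddress.IPv6Address("2001:db8:ffff::3"))


def demo():
    """Returns (traceroute view, passive-as-destination, loopback-as-destination)."""
    return (
        traceroute([R1, R2, R3], PROBE_SRC),
        route_lookup(R3, R3.passive),
        route_lookup(R1, R1.loopback_gua),
    )


if __name__ == "__main__":
    print(demo())
```

In the sample run, r1 answers from its loopback GUA, r2 has nothing but a link-local address and so appears as `*` (the failure Brian describes), and r3 appears via its passive address while a packet addressed to that passive address is routed to Null0 rather than reaching r3's control plane, which is the visibility-without-exposure trade Gunter is after.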




On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
> (distributed to OPSEC WG and in cc v6ops)
> 
> Dear all,
> 
> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as a working group document with Informational status.
> 
> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as a WG document in 7 days.
> 
> Ciao,
> G/, KK & Warren
> 