IETF Logo Mail Archive

[OPSEC] ULAs [was WGLC for draft-ietf-opsec-v6]

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 19 April 2017 04:02 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F21D1200DF; Tue, 18 Apr 2017 21:02:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dfC1IO2hCfgR; Tue, 18 Apr 2017 21:02:56 -0700 (PDT)
Received: from mail-pf0-x242.google.com (mail-pf0-x242.google.com [IPv6:2607:f8b0:400e:c00::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE56D126CF6; Tue, 18 Apr 2017 21:02:56 -0700 (PDT)
Received: by mail-pf0-x242.google.com with SMTP id a188so1855081pfa.2; Tue, 18 Apr 2017 21:02:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=4+RnCCMSY4QLUn2YKL6B+5CQfjMeD0F85oDxQGe3etI=; b=mSVkhc1P+UMjd3DjE5jqKdcSammtpfVLakd3nXTMT540l58gVqvLKEexMgf36dGmMA hCuxoqkYKX3YnN10dVHa4Iqt+uyURq+5iylXoEz4F9wFPMJHUjqBxpUvzbQZYalvjDrc mWkTnNqy8Y/htKqRQ5A0/EmAbYj5taQFPt8tgxIOoWMvyfV2tJVhGAxTQLpdZsKH0nST R1N2CCbHXbOasN2gjt25KHQ9oY6/lCpxHu8usNE10WGsVdEeO9cDd8/zZUoVUO9aASpc WEq2STns6c8l9SKolxaAmFNjYr0uLfTtFNI0kOJYUXMML1hkOaLoXUZgFA1lg9KmrIwj QOvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=4+RnCCMSY4QLUn2YKL6B+5CQfjMeD0F85oDxQGe3etI=; b=efjBoGMB5cSxJT76wPDUIw/OweQXNExN24rg06bwt9xfqd52eCSC+R4oF2+IjPRaYs t3a+0KXvIDGogI6qeb882Vm+00v9lzA5fjx/4sdH5AjN1o0k9wZk/rOkwAubgnWxpa+7 /6fA4MnO5EdNAsQVmJ2OAEouWCzxguNn2FB7PWLmhPvFz3onEdzICfQNSQw6SCaHav71 cIV5lTxbes5g9pZg3ahBpsy75lt6v9VcITCfo0P0qZy9qNqo/tQ2+fpb7MMEaLG7c5JM Xa0Sjfo+QpvcN45HzNGeDRJDCEiSn7UNEimMc02dd6ZrAJ89+jqE7QkwYD+SLV6AM1Pp BQzQ==
X-Gm-Message-State: AN3rC/4urD4XNhjybd9dyP28dy+CXroVSTKqFPjkqyn55YFDLE5I/v2q W8qtNEMbwVlW8A==
X-Received: by 10.98.71.202 with SMTP id p71mr899509pfi.39.1492574576291; Tue, 18 Apr 2017 21:02:56 -0700 (PDT)
Received: from ?IPv6:2406:e001:5724:1:28cc:dc4c:9703:6781? ([2406:e001:5724:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id m4sm1152766pfi.74.2017.04.18.21.02.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Apr 2017 21:02:55 -0700 (PDT)
To: Gunter Van De Velde <guntervandeveldecc@icloud.com>, "opsec@ietf.org" <opsec@ietf.org>
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <CAKD1Yr019Ga4jg6gVUHnTwh89hWArXKdAcAYEcW0m4gskrO7Ow@mail.gmail.com>
Cc: Lorenzo Colitti <lorenzo@google.com>, "v6ops@ietf.org WG" <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <098b84a4-80d4-2404-72a1-5d1cd32a9968@gmail.com>
Date: Wed, 19 Apr 2017 16:02:55 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAKD1Yr019Ga4jg6gVUHnTwh89hWArXKdAcAYEcW0m4gskrO7Ow@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/ltFK16qpsziP3t3mro-4DI0q9aY>
Subject: [OPSEC] ULAs [was WGLC for draft-ietf-opsec-v6]
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2017 04:02:58 -0000

There are several issues in this section, not just the NAT:

> 2.1.2.  Use of ULAs
> 
>    ULAs are intended for scenarios where IP addresses will not have
>    global scope so they should not appear in the global BGP routing
>    table. 

We need to align that with the clarification in draft-bchv-rfc6890bis:

 ULAs are intended for scenarios where IP addresses are not globally
 reachable, despite formally having global scope. They must not appear
 in the routing system outside the administrative domain where they
 are considered valid. Therefore, packets with ULA source and/or
 destination addresses MUST be filtered at the domain boundary.
 
>    ULAs could be useful for infrastructure hiding as described in
>    RFC4864 [RFC4864].  Alternatively Link-Local addresses RFC7404
>    [RFC7404] could also be used.

LL addresses don't help if you have multiple LANs. I suggest simply
deleting the second sentence; it will confuse people.

>  Although ULAs are supposed to be used
>  in conjunction with global addresses for hosts that desire external
>  connectivity

Change that to

 ULAs may be used for internal communication, in conjunction with
 globally reachable unicast addresses (GUAs) for hosts that also
 require external connectivity through a firewall. For this reason,
 no form of address translation is required in conjunction with ULAs.

Then I suggest deleting *all* the rest of the section, but add this
at the end:

 Using ULAs as described here might simplify the filtering rules
 needed at the domain boundary, by allowing a regime in which
 only hosts that require external connectivity possess a globally
 reachable address. However, this does not remove the need for
 careful design of the filtering rules.

Thus the whole section would read (with a little more editing):

2.1.2.  Use of Unique Local Addresses

 Unique Local Addresses (ULAs) [RFC4193] are intended for scenarios
 where IP addresses are not globally reachable, despite formally
 having global scope. They must not appear in the routing system
 outside the administrative domain where they are considered valid.
 Therefore, packets with ULA source and/or destination addresses
 MUST be filtered at the domain boundary.

 ULAs are assigned within pseudo-random /48 prefixes created as
 specified in [RFC4193]. They could be useful for infrastructure
 hiding as described in [RFC4864].

 ULAs may be used for internal communication, in conjunction with
 globally reachable unicast addresses (GUAs) for hosts that also
 require external connectivity through a firewall. For this reason,
 no form of address translation is required in conjunction with ULAs.

 Using ULAs as described here might simplify the filtering rules
 needed at the domain boundary, by allowing a regime in which
 only hosts that require external connectivity possess a globally
 reachable address. However, this does not remove the need for
 careful design of the filtering rules.

     Brian

v2.23.0 | Report a Bug | By Email