Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
"Michael Behringer (mbehring)" <mbehring@cisco.com> Mon, 06 August 2012 11:27 UTC
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Mon, 06 Aug 2012 11:26:58 +0000
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)" <draft-behringer-lla-only@tools.ietf.org>
> -----Original Message-----
> From: Gunter Van de Velde (gvandeve)
> Sent: 06 August 2012 11:57
> To: Brian E Carpenter
> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> Subject: RE: [v6ops] IPv6 LL-only as WG document - feedback requested
>
> I agree... packets with LL source-address should not leave the link indeed.
>
> I expect the Behringer editor team to make that more specific in the draft text.

This was sort of implied (and mentioned during presentations), but needs to be made clearer, agreed. We'll include this in the next revision.

Thanks for the feedback Brian!

Michael

> G/
>
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: 06 August 2012 12:53
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
>
> On 06/08/2012 11:18, Gunter Van de Velde (gvandeve) wrote:
> > I am confused. Please correct my understanding if possible.
> >
> > 1) You are ok with the Behringer-LL draft being an informational draft? (not BCP)
>
> Yes. All I'm saying is that it should insist on a valid source address, which means that a LL source address is not allowed for packets that leave the local link.
>
> Section 2.5.6 of RFC 4291 makes this clear but people seem to ignore it: "Link-Local addresses are for use on a single link."
>
> Obviously, therefore, packets whose destination is not LL must not have a LL source address.
>
> > 2) Passive addresses is something that creates potential issues in your view?
>
> I said I have no problem with that. It doesn't affect the above point.
>
> Brian
>
> > For (2) I would say... It is just as a normal address... no need at all to discard them on any other box than the receiving box as those boxes just see the address as being a normal IPv6 address. Nothing special about it. It is just a normal address. The behaviour of passive addresses is to do with the way the recipient device deals with this address.
> >
> > G/
> >
> > -----Original Message-----
> > From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> > Sent: 06 August 2012 11:40
> > To: Gunter Van de Velde (gvandeve)
> > Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> > Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
> >
> > Hi Gunter,
> >
> > I have no problem with the passive address idea, but the immediate issue is that routers must not source ICMP packets that other routers must discard - hence no LL source addresses.
> >
> > Brian
> >
> > On 06/08/2012 10:36, Gunter Van de Velde (gvandeve) wrote:
> >> Answer as individual contributor.
> >>
> >> Fred B. and myself did a draft to exactly address the traceability of interfaces without increasing the attack vector on interfaces: Passive IPv6 addresses
> >>
> >> No new class of addresses at all... no new IANA allocation... just behaviour of the address:
> >>
> >> 1) it is configured as a normal address
> >> 2) just an extra keyword attached to the address identifying its behavior
> >> 3) It can only be used as a 'source' address
> >> 4) if it is used as destination address, then when reaching the router it will be directed to the Null0 interface
> >>
> >> This will help visibility of the trace-route in cases of LL-only...
> >>
> >> G/
> >>
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> >> Sent: 06 August 2012 11:25
> >> To: Gunter Van de Velde (gvandeve)
> >> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> >> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
> >>
> >> Hi,
> >>
> >>> o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
> >>>   request ... can be addressed to loopback addresses of routers with
> >>>   a global scope address. Router management can also be done over
> >>>   out-of-band channels.
> >>>
> >>> o ICMP error message can also be sourced from the global scope
> >>>   loopback address.
> >>
> >> These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.
> >>
> >> This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.
> >>
> >> I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.
> >>
> >> Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.
> >>
> >> Regards
> >>    Brian Carpenter
> >>
> >> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
> >>> (distributed to OPSEC WG and in cc v6ops)
> >>>
> >>> Dear all,
> >>>
> >>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
> >>>
> >>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
> >>>
> >>> Ciao,
> >>> G/, KK & Warren
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
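The source-address rules argued in this thread (no link-local source on a packet leaving the link, an ICMP error sourced from a global-scope loopback inside the operator's own prefixes, and the passive-address behaviour Gunter describes), written up as an added example that is not code from the thread, the draft or any router vendor; the function names are hypothetical and the addresses are constructed documentation-prefix samples.

```python
# Added example (not from the thread or the draft): source-address scope checks
# for a router whose interfaces carry only link-local addresses.
from ipaddress import IPv6Address, IPv6Network

GUA = IPv6Network("2000::/3")  # global unicast address range, RFC 4291 2.5.4


def is_gua(addr: IPv6Address) -> bool:
    return addr in GUA


def select_icmp_error_source(dst, ll_addr, loopback_gua=None):
    """Source for an ICMP error sent back towards dst (Brian's rule): an
    off-link destination must not get a link-local source, so the reply comes
    from the router's global-scope loopback.  None: no valid source, so the
    reply must not be sent (a LL-sourced reply would break traceroute)."""
    dst = IPv6Address(dst)
    if dst.is_link_local:
        return str(IPv6Address(ll_addr))
    if loopback_gua is not None and is_gua(IPv6Address(loopback_gua)):
        return str(IPv6Address(loopback_gua))
    return None


def audit_packet(src, dst, org_prefixes):
    """Problems with a packet observed leaving the local link.

    org_prefixes: the operator's own prefixes; a GUA source outside them is
    the 'confusing traceroute' case raised in the thread.
    """
    src, dst = IPv6Address(src), IPv6Address(dst)
    problems = []
    if not dst.is_link_local:  # on-link packets may use link-local freely
        if src.is_link_local:
            problems.append("link-local source on off-link packet: must not be forwarded")
        elif not is_gua(src):
            problems.append("off-link packet needs a global unicast source")
        elif not any(src in IPv6Network(p) for p in org_prefixes):
            problems.append("GUA source outside the operator's prefixes")
    return problems


def passive_forwarding_decision(dst, passive_addrs):
    """Passive address behaviour as Gunter describes it: usable only as a
    source; a packet addressed *to* it is sent to Null0 (discarded)."""
    if any(IPv6Address(dst) == IPv6Address(p) for p in passive_addrs):
        return "Null0"
    return "forward"


if __name__ == "__main__":  # constructed sample: LL-only link, GUA loopback
    print(audit_packet("fe80::2", "2001:db8:ffff::5", ["2001:db8:1::/48"]))
    print(select_icmp_error_source("2001:db8:ffff::5", "fe80::2", "2001:db8:1::1"))
```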