Re: [v6ops] ULA draft revision #2 Regarding isolated networks

David Farmer <farmer@umn.edu> Thu, 29 May 2014 13:47 UTC

Message-ID: <53873A35.9090501@umn.edu>
Date: Thu, 29 May 2014 08:46:29 -0500
From: David Farmer <farmer@umn.edu>
Organization: University of Minnesota
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Randy Bush <randy@psg.com>
References: <8AE0F17B87264D4CAC7DE0AA6C406F453D8B6B9A@nkgeml506-mbx.china.huawei.com> <53840723.8010606@gmail.com> <CAKD1Yr1O_poMR200sjU=ttRvGaeQRkC1ZfXC0Ok4uQxdq3K=NQ@mail.gmail.com> <m2mwe37tbn.wl%randy@psg.com> <CAKD1Yr2t3-vxuG=iDi4biBNFpJwuzuHgfpB74i_uydWWRV7qZg@mail.gmail.com> <8AE0F17B87264D4CAC7DE0AA6C406F453D8B6E02@nkgeml506-mbx.china.huawei.com> <m2fvjv7q4h.wl%randy@psg.com> <m1WpDcc-0000BMC@stereo.hq.phicoh.net> <43BB867C-7BCA-45F6-8ADC-A49B34D6C0DC@nominum.com> <m1WpHrp-0000BQC@stereo.hq.phicoh.net> <9DB71B37-999E-4F7F-A7DA-6B243574E818@nominum.com> <2E2EC822-60EB-4B09-8BB3-D8FB098EB181@delong.com> <CD77B261-5F6F-4177-AA50-0B2DD3D15260@nominum.com> <B95BEA59-B1A2-4CEF-ACF4-63F65FB544AA@delong.com> <4FF6E348-6BB5-473A-8E94-4A3EE8BD32DC@nominum.com> <alpine.DEB.2.02.1405280707260.29282@uplift.swm.pp.se> <0ED911FA-D24C-4FC8-9D6A-F38F9711F115@steffann.nl> <m2fvjt1m0l.wl%randy@psg.com> <5386AA9F.7000001@gmail.com> <m2sintz1tq.wl%randy@psg.com> <5386B0DF.9060401@gmail.com>
In-Reply-To: <5386B0DF.9060401@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/-R_KqrgxaVKZBJKx5fEU833hd50
Cc: v6ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] ULA draft revision #2 Regarding isolated networks

On 5/28/14, 23:00 , Brian E Carpenter wrote:
> On 29/05/2014 15:44, Randy Bush wrote:
>>>> red herring.  global prefixes designed to be used in place of ula should
>>>> not be in the global routing table
>>> Indeed they shouldn't, but since everybody should be filtering ULAs
>>> (and most people will do so), ULAs won't propagate but routeable GUAs
>>> might.
>>
>> explain why the two probability distributions will differ
>
> Because I have considerable confidence that the majority of transit
> operators will know they need to filter fc00::/7, but the same cannot
> be said of arbitrary /48s from RIR space.

Here is some data supporting the idea that GUA used as ULA can and will 
be leaked, leaked a lot in some cases.

See slide 20 of the following presentation:
https://www.nanog.org/meetings/abstract?id=2289

And this is discussed in more detail in section 5.2 of the full research 
paper at:
http://www.merit.edu/research/pdf/2013/ipv6_darknet_paper_r6098.pdf

Yes, I'm sure ULA is leaked too.  However, it's a much safer assumption 
and operationally much easier to filter external ULA sourced traffic. 
Even if I'm exchanging ULA traffic with other parties, it would seem 
likely for me to know the ULA prefixes that matter to me.

Whereas, if someone uses GUA as if it were ULA and it's leaked, it's 
extremely unlikely that I would know to filter it.  The only way I can 
even think of is for the other entity to publish ROAs sourced to AS0. 
However, I suspect the security guys would object to that, as I'm now 
leaking that traffic from that prefix might be interesting.  One of 
those damned if you do, damned if you don't kind of situations.

Those of you suggesting no one should use ULA and should get GUA and use 
it as if it's ULA need to write up some recommendations for how to do it 
safely.  It seems many people are following your recommendations but 
doing it badly.

Thanks

-- 
================================================
David Farmer               Email: farmer@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================
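The thread's operational point is that ULA leakage is easy to catch at a border because every ULA address falls inside the fixed fc00::/7 block, while GUA used as ULA carries no local signal unless the owner publishes an AS0 ROA. The following Python is an added illustration of that border-classification logic; it is not code from the list discussion or from any of the posters. The sample source addresses, the "known ULA peer" prefix and the ROA table are all constructed for the example, and the ROA lookup is a simplified in-memory check rather than a real RPKI validator.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# The whole ULA block (RFC 4193). Anything external sourced from here is
# either a leak or traffic from a partner whose ULA prefix we already know.
ULA_BLOCK = ipaddress.ip_network("fc00::/7")

# Constructed example: the ULA prefix of a partner we deliberately exchange
# traffic with (e.g. over a private interconnect). Not a real assignment.
KNOWN_ULA_PEERS: List[ipaddress.IPv6Network] = [
    ipaddress.ip_network("fd12:3456:789a::/48"),
]

# Constructed ROA table as (prefix, origin ASN). Origin AS 0 is the RPKI
# convention for "this prefix must never be originated", which the thread
# names as the only signal an outsider could use to recognise GUA-as-ULA.
# Max-length is omitted because we classify individual source addresses,
# not BGP announcements. Both prefixes are documentation space (RFC 3849).
ROAS: List[Tuple[ipaddress.IPv6Network, int]] = [
    (ipaddress.ip_network("2001:db8:ffff::/48"), 0),
    (ipaddress.ip_network("2001:db8::/32"), 64496),
]


def roa_origin(addr: ipaddress.IPv6Address,
               roas: Iterable[Tuple[ipaddress.IPv6Network, int]]) -> Optional[int]:
    """Return the origin ASN of the most specific ROA covering addr, or None."""
    best: Optional[Tuple[ipaddress.IPv6Network, int]] = None
    for prefix, asn in roas:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, asn)
    return None if best is None else best[1]


def classify_external_source(src: str,
                             known_peers=KNOWN_ULA_PEERS,
                             roas=ROAS) -> str:
    """Decide what a border filter can say about an externally received source.

    Returns one of:
      'drop-ula-leak'          ULA from an unknown party; fc00::/7 is a fixed
                               block, so this needs no outside knowledge.
      'allow-known-ula-peer'   ULA from a partner prefix we configured.
      'drop-as0-roa'           GUA the owner has declared non-routable via AS0.
      'pass-gua'               GUA with nothing to distinguish it from ordinary
                               Internet traffic, even if it is really
                               someone's GUA-as-ULA leaking.
      'not-ipv6'               IPv4 input; out of scope here.
    """
    addr = ipaddress.ip_address(src)
    if addr.version != 6:
        return "not-ipv6"
    if addr in ULA_BLOCK:
        if any(addr in peer for peer in known_peers):
            return "allow-known-ula-peer"
        return "drop-ula-leak"
    if roa_origin(addr, roas) == 0:
        return "drop-as0-roa"
    return "pass-gua"


def summarize(sources: Iterable[str]) -> Dict[str, int]:
    """Count classifications over a batch of observed source addresses."""
    counts: Dict[str, int] = {}
    for src in sources:
        verdict = classify_external_source(src)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample of sources seen on an external-facing interface.
SAMPLE_SOURCES = [
    "fd99:0:0:1::5",          # random ULA: leak from some unknown network
    "fc00::1",                # lowest ULA address, still inside fc00::/7
    "fd12:3456:789a::10",     # our known partner's ULA
    "2001:db8:ffff::1",       # GUA covered by an AS0 ROA
    "2001:db8:1::1",          # GUA with a normal ROA: indistinguishable
    "192.0.2.1",              # IPv4, ignored by this classifier
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:24} -> {classify_external_source(src)}")
    print(summarize(SAMPLE_SOURCES))
```

The asymmetry the thread describes shows up directly in the verdicts: the two ULA leaks are dropped with no configuration beyond the fc00::/7 constant, whereas the GUA-as-ULA case only becomes visible when its owner has published an AS0 ROA, and otherwise passes as ordinary traffic.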