Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 21 December 2022 04:02 UTC

To: Martin Huněk <martin.hunek@tul.cz>, v6ops@ietf.org
References: <167107554671.48477.568330207202509840@ietfa.amsl.com> <2859685.e9J7NaK4W3@asclepius.adm.tul.cz> <3cac1c98-8cdb-8b5b-4d03-7b03c24f8124@gmail.com> <2148317.C4sosBPzcN@asclepius.adm.tul.cz>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <2148317.C4sosBPzcN@asclepius.adm.tul.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/-VplIOBbAoW5kXiMhUYIwQowQlA>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt

On 21-Dec-22 13:19, Martin Huněk wrote:
> Hi Brian,
> 
> On Monday, 19 December 2022 21:59:12 CET, Brian E Carpenter wrote:
>> On 19-Dec-22 23:30, Martin Huněk wrote:
>>
>>> Furthermore, this address has to be predictable for an ISP/netadmin, so it is possible to make an AAAA record for it
>>
>> Er, no, the creation of such an AAAA record should be automated (subject to some kind of authorization).
> 
> I would certainly not want arbitrary (BYOD) connected devices to be allowed to manipulate DNS records in my domain by the DDNS. There are security reasons for that. If I know the DUID of the device providing some service to the Internet users and the IID where the device listens is known, I can make static prefix delegation, and then I can make an AAAA record for it. Without it, I can run only IPv4 services there.

Completely understood. But the bad old days of using the MAC address to create the IID are gone, and numbering hosts from 1 upwards would be extremely helpful for some kinds of attack.

> Is there some existing solution for it other than that? Open, not vendor specific.

I doubt it; this is too new, but I'm no expert. It would be a use case for the ANIMA autonomic work.

     Brian

>>
>> An IID cannot be zero, since that value is reserved (https://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xhtml). There are reasonable arguments why it should be pseudo-random, even for a server.
> 
> Sorry, I missed that zero is not allowed.
> 
> Anyway, a network-administrator-predictable IID would be a huge help in providing IPv6 services from it (without resolving it by static configuration). I see no such arguments if the prefix doesn't leave a single device and when this predictable IID is used only when it is configured with a service that needs to be reachable from outside.
> 
> By the way, in this case, the admin-predictable IID source is even the DUID, and that is not predictable for the rest of the Internet.
>>
>>      Brian
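As an added example (not code from the thread or from the draft it discusses), the Python below sketches the property both sides of the exchange want: an IID that the operator, who knows the device's DUID and a local secret, can recompute and publish in a static AAAA record, but that is neither sequential nor guessable from outside and never lands on an IANA-reserved IID value. The prefix, DUID and secret are constructed sample values, and the keyed-hash derivation is an assumption chosen for the illustration rather than anything the thread specifies.

```python
import hashlib
import hmac
import ipaddress

# Reserved IID values from the IANA "IPv6 Interface Identifiers" registry
# (as listed in RFC 5453), as inclusive (low, high) ranges of 64-bit ints.
RESERVED_IID_RANGES = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast, RFC 4291
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # 0200:5EFF:FE00:0000-0200:5EFF:FEFF:FFFF
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast, RFC 2526
)


def iid_is_reserved(iid: int) -> bool:
    """True if the 64-bit IID falls in an IANA-reserved range."""
    return any(lo <= iid <= hi for lo, hi in RESERVED_IID_RANGES)


def derive_iid(prefix: str, duid: bytes, secret: bytes, counter: int = 0) -> int:
    """Stable, non-sequential IID keyed on the client's DUID.

    The operator, holding the secret and the DUID, can recompute it; without
    the secret it looks random, so hosts are not numbered 1, 2, 3 upwards.
    A hit on a reserved value is resolved by bumping the counter.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("IID derivation needs a /64 prefix")
    while True:
        msg = net.network_address.packed + duid + counter.to_bytes(4, "big")
        iid = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:8], "big")
        if not iid_is_reserved(iid):
            return iid
        counter += 1


def address_for(prefix: str, duid: bytes, secret: bytes) -> ipaddress.IPv6Address:
    """Full address: the /64 prefix with the derived IID in the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return ipaddress.IPv6Address(int(net.network_address) | derive_iid(prefix, duid, secret))


def aaaa_record(name: str, prefix: str, duid: bytes, secret: bytes) -> str:
    """Zone-file line the operator publishes statically; no DDNS from the device."""
    return f"{name}. IN AAAA {address_for(prefix, duid, secret).compressed}"


# Constructed sample values, not from the thread: a DUID-LL (type 3, hw type 1)
# over a locally administered MAC, a documentation prefix and a dummy secret.
SAMPLE_DUID = bytes.fromhex("00030001020000000001")
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_SECRET = b"operator-local-secret-change-me"
```

Anyone without the secret sees only an opaque 64-bit value per device; the operator, who also knows the DUID, can regenerate the same address whenever the zone needs updating.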