Re: [v6ops] new draft: draft-colitti-v6ops-host-addr-availability
Ray Hunter <v6ops@globis.net> Tue, 07 July 2015 12:49 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDCED1A01CB for <v6ops@ietfa.amsl.com>; Tue, 7 Jul 2015 05:49:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.51
X-Spam-Level:
X-Spam-Status: No, score=-0.51 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJwZUfStVrCL for <v6ops@ietfa.amsl.com>; Tue, 7 Jul 2015 05:49:20 -0700 (PDT)
Received: from globis01.globis.net (mail.globis.net [IPv6:2001:470:1f15:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 21A7A1A01AA for <v6ops@ietf.org>; Tue, 7 Jul 2015 05:49:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 48E7F400E1; Tue, 7 Jul 2015 14:49:19 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yVTGOOwOyq_P; Tue, 7 Jul 2015 14:49:17 +0200 (CEST)
Received: from Rays-iMac.local (unknown [IPv6:2001:470:1f15:73a:483:f00c:db00:800]) (Authenticated sender: v6ops@globis.net) by globis01.globis.net (Postfix) with ESMTPSA id DCC0640093; Tue, 7 Jul 2015 14:49:16 +0200 (CEST)
Message-ID: <559BCACB.3000106@globis.net>
Date: Tue, 07 Jul 2015 14:49:15 +0200
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Lorenzo Colitti <lorenzo@google.com>
References: <201507061147.t66Bl1AE028312@irp-lnx1.cisco.com> <9290D0D1-062A-4DE0-A437-9A5F5045ACAC@gmail.com> <39F63B55-977F-4B84-8B55-52E2F0B1A851@cisco.com> <CAKD1Yr07M6mXtbL=ewpL7daR4MdvB7fJ_Vu1tyDvmQkzM6zN0w@mail.gmail.com>
In-Reply-To: <CAKD1Yr07M6mXtbL=ewpL7daR4MdvB7fJ_Vu1tyDvmQkzM6zN0w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070309070607050005050707"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/1-FP-1bZGwCUPFgJtu5gTzfkK5U>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-colitti-v6ops-host-addr-availability@tools.ietf.org" <draft-colitti-v6ops-host-addr-availability@tools.ietf.org>
Subject: Re: [v6ops] new draft: draft-colitti-v6ops-host-addr-availability
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 12:49:23 -0000
Lorenzo Colitti wrote: > On Tue, Jul 7, 2015 at 9:02 AM, Fred Baker (fred) <fred@cisco.com > <mailto:fred@cisco.com>> wrote: > > The statement that I don't see in the document, which would help > me personally, is a problem statement. I would guess that the > problem statement is "we think some networks are limiting host > interfaces to a single IPv6 address." I'd want a little more > detail, but I'll bet that's the crux of it. > > > Not necessarily "are limiting" today, but "will limit" in the future. > > Suppose that all operating systems of interest to a given network > support DHCPv6 and it is thus possible to run a network without SLAAC > and without IPv4 without denying service to substantial percentages of > users. > > Let's consider what would happen in such a DHCPv6-only network. How > many addresses would be available to each host? Because DHCPv6 > requires an explicit request to the network before an address can be > used, the answer is, by definition, "as many as the network > administrators decide to make available". > > In some of these networks, the "as many as the network administrators > decided to make available" may equate to just one. There could be lots > of reasons for this: technical reasons such as "our IPAM and logging > systems support only one address per host and it's tied into our legal > intercept system so we can only give out one address per host", "we > only have enough TCAM entries for one address per host", "one address > per host is what we do in IPv4, and we want to be consistent with that". > > If that sounds unreasonable, now consider what would happen in a hotel > network that charges $5 per device. How many addresses would be > available to hosts on such a network? At best, one for every $5 paid. > More likely, if the billing system does not support more than one IPv6 > address (why would it?), the answer would become "one per MAC address". > > I hope we agree that such networks provide suboptimal service, and > that there are a number of things that users would like to do that > require either the availability of more than one IPv6 address. > > If we are able to agree on that, then it is a useful statement to > make, for two reasons: > 1. The network administrators might listen to the statement. > 2. Client and server implementations can implement network > configuration protocols such as DHCPv6 in a way that does not lead to > this suboptimal scenario. > > Cheers, > Lorenzo If I might add some comment to the "problem statement" I'd like apps and users to be able to enjoy privacy from the "bad guys", and also be shielded from general attack and casual scans. However, I'd also like the "good guys" to be able to track security relationships at some abstract level for audit and security purposes. IMVHO That's still very much an area of "work to be completed" and is also the main reason why network operators want to limit the addresses in use (rather than the $5 per address reason cited). As an example, inbound sessions can be clearly directed to a particular stable/well known destination address e.g. using DNS. And application daemons can generally be configured to listen only on particular addresses. But has anyone tried to force apps to use a particular source address as a source for related sessions, or "mirror at L7" outbound sessions to use the same source address as the destination address of the inbound message? In OSI speak that's the session layer, and we don't really have one. So the problem isn't just a matter of supporting multiple addresses at the network adapter layer; it's a matter of how those addresses are bound to apps, and how/when they are selected. As one example, I recently came across an app that bound quite happily to a particular address on a VM adapter for inbound sessions/messages, but defaulted to using the first address configured on the underlying VM for all outbound sessions (rendering any stateful firewall pretty much useless, because the 1st underlying address was at the mercy of the cloud operator, who could shift load around between physical machines at will). As another example, I've also come across plenty of firewalls or proxies that use NTLM or some other L7 protocol to identify a "user", but are then stuck to IP authentication for further follow up sessions, because NTLM or equivalent mechanism is either too slow, or not supported on that particular app. You also have the "https first" problem. In some cases/countries it is illegal to intercept/break https encryption (e.g. using fake certs). So if a user first connects to a proxy for a site that uses https, there's no way of authenticating them, and they are blocked until they use a standard http session (to another site). In short: Is there any intention to include a shim (containing some sort of nonce) to allow (legitimate) tracking and authentication (within an AS)? equivalent of http cookie at the network layer? That could even be stripped when leaving an AS/site boundary to alleviate privacy concerns. Or at least some more clarification on socket binding? I fear that this isn't as trivial a problem as the draft seems to suggest. regards,
- [v6ops] new draft: draft-colitti-v6ops-host-addr-… fred
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Simon Perreault
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Sander Steffann
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Andrew Yourtchenko
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Fred Baker (fred)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Lorenzo Colitti
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Erik Kline
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Yury Shefer
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Tore Anderson
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Ray Hunter
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Erik Kline
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Tore Anderson
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Hemant Singh (shemant)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Hemant Singh (shemant)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Brian E Carpenter
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Fred Baker (fred)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Brian E Carpenter
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Hemant Singh (shemant)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Sander Steffann
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Fred Baker (fred)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Tom Taylor
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Jouni Korhonen
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Erik Kline
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Alexandru Petrescu
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Mukom Akong T.
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Dave Thaler
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Mikael Abrahamsson
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Ross Chandler
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Mark Smith
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Lorenzo Colitti
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… George, Wes
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… George, Wes
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Mark Smith
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… George, Wes
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Templin, Fred L
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Lorenzo Colitti
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Fred Baker (fred)
- Re: [v6ops] new draft: draft-colitti-v6ops-host-a… Alexandru Petrescu