IETF Logo Mail Archive

Re: [v6ops] Are we competitive?

Fernando Gont <fgont@si6networks.com> Mon, 15 August 2022 15:21 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B0B7C1524BE for <v6ops@ietfa.amsl.com>; Mon, 15 Aug 2022 08:21:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5qrtCL4SRdL for <v6ops@ietfa.amsl.com>; Mon, 15 Aug 2022 08:21:30 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B650CC1522A6 for <v6ops@ietf.org>; Mon, 15 Aug 2022 08:21:21 -0700 (PDT)
Received: from [IPV6:2800:810:464:f13:6623:ffb1:f7bf:cc40] (unknown [IPv6:2800:810:464:f13:6623:ffb1:f7bf:cc40]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id DA8B72800BD; Mon, 15 Aug 2022 15:21:14 +0000 (UTC)
Message-ID: <2a1a99bb-df97-8215-0588-f52112b6d2b0@si6networks.com>
Date: Mon, 15 Aug 2022 12:21:11 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>
Cc: v6ops@ietf.org
References: <c43e3ce9-86d3-307c-270b-ed3a8cf33ecc@si6networks.com> <101D1787-3A08-42A2-A6BB-E71154D515C1@fugue.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <101D1787-3A08-42A2-A6BB-E71154D515C1@fugue.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/24QLKePwJhDW5DthceLQGuYzlvI>
Subject: Re: [v6ops] Are we competitive?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 15:21:34 -0000

Hi, Ted,

On 15/8/22 12:03, Ted Lemon wrote:
> I think the thread model for which you’d want to conceal IIDs is that
> you want to prevent callbacks: if a host on the protected network
> makes a connection to a host on the Internet, you don’t want that
> host (or some other host) to be able to attempt to connect back to
> that IP address on a different port looking for a vulnerability.

Yes, that's the obvious case you want to tackle.


> If that’s the case, then you can accomplish this with a firewall. All
> you have to do is default-block incoming SYN packets and incoming UDP
> packets, and you’re done.

Few obvious questions:

1) How do you do this automagically?

2) How do you block "incoming UDP packets" without keeping state?

3) How is the above super different/better than the NAT66 case?

FWIW, we discuss this topic in: 
https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-addressing-considerations


> This is a lot cheaper than maintaining
> per-connection state. The only problem is that it breaks QUIC. I
> think it might be possible to do the same thing with QUIC, but I
> don’t actually know how the initial handshake works for QUIC, so
> that’s an open question in my mind.

For UDP, the rule of thumb is that you keep state, and if you get a 
packet from the external realm, it's considered an "incoming packet" 
unless you have previously seen a packet with the corresponding (local 
socket, remote socket) in the opposite direction.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

v2.23.0 | Report a Bug | By Email