IETF Logo Mail Archive

Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]

Daryll Swer <contact@daryllswer.com> Wed, 03 January 2024 17:17 UTC

Return-Path: <contact@daryllswer.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1F6EC00891D for <v6ops@ietfa.amsl.com>; Wed, 3 Jan 2024 09:17:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=daryllswer.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQ4B2q17rALz for <v6ops@ietfa.amsl.com>; Wed, 3 Jan 2024 09:17:21 -0800 (PST)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59E7BC008916 for <v6ops@ietf.org>; Wed, 3 Jan 2024 09:17:15 -0800 (PST)
Received: by mail-pj1-x1029.google.com with SMTP id 98e67ed59e1d1-28bd85bda06so4856727a91.3 for <v6ops@ietf.org>; Wed, 03 Jan 2024 09:17:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daryllswer.com; s=google; t=1704302235; x=1704907035; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1ZPuwwDiai54kl22y1Lkh6Z7/3wNeqWDL7hPP+k3j18=; b=IPYttOqiG0SVShwRth37DhhE6jL3UTQDcNhIo6mENAAR5QhGUrN3UxpwTwVtg0tc9z 8AkdCPEqIiBH15dWSYgGH45ka5uqFMDAmBV5mDSD1iAUGOqQ+3QpD6LOgQrAoG/OM949 061vTWyLn7hjU3pGRIdqBfbL+lVaqpAUkeNjWivwZtnHkb6ogNH2+U1BgO+BdziL1Zmy YVyaJylhQAqs8iHBmWdTsAg8YAasua9Zyc0tye3W43uRqsAxoXQMKl0HKtSXFUMVepYB 7Bp5j3iztfMtZiiDTr6qOQsmrbUSTPKnknTG2244F7+dn6ztZBcp+9e2fetwXwsqiSrh CmGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704302235; x=1704907035; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1ZPuwwDiai54kl22y1Lkh6Z7/3wNeqWDL7hPP+k3j18=; b=tyIdP1SVCPIsh7tXRULVTHRkX+wWRdeAjwfi4LHPYnbM+sQWmGzGbErIWkbYWeUybT BIuMNteszO55ZlaJHse9RUzhwF+mX3j9+4RonvC6nQR3dKsMh6pCIbHx7fQqNIdqxuZs qrOlgP38XgDGvp7EOnYDwW3iCsuW3DckT3WIHasTQQK0kO/SCo5GrZy7lcLZAwD69xAM TVMNj9+CPVIys92edpd5x+TTVEQ7v/oL1xnHA2tLkijGKZBKfAn443T7YenzFY48J4H+ X+wFpYsBxVWKHRxkojQWXDFEvwuFI5/63uC3WoGlBXyTBANKKto097S0mBBoPLAg20Kw DJRg==
X-Gm-Message-State: AOJu0YzQEgQVIaMvxM+afF8goH/R+g8NvcP3KouIDQ/NF4ZsjuK5wBuT HrBJOSkub7CIH2WHU3sTtu2Jg+nr0+wgK/lCIgoQIv7nXK0vweHw
X-Google-Smtp-Source: AGHT+IFUCDZKTcTGIiFRytQJXHyNY6l6IBO9oNFHXO8HKH+oJdA5JevaNI8q8GUnZxR1aukLCuCSIg==
X-Received: by 2002:a17:90a:7a87:b0:286:6cc1:289 with SMTP id q7-20020a17090a7a8700b002866cc10289mr6809082pjf.84.1704302234823; Wed, 03 Jan 2024 09:17:14 -0800 (PST)
Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com. [209.85.210.170]) by smtp.gmail.com with ESMTPSA id sr8-20020a17090b4e8800b0028ceb19d822sm1790981pjb.55.2024.01.03.09.17.14 for <v6ops@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Jan 2024 09:17:14 -0800 (PST)
Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-6d9bbf71bc8so2778413b3a.1 for <v6ops@ietf.org>; Wed, 03 Jan 2024 09:17:14 -0800 (PST)
X-Received: by 2002:a05:6a00:802:b0:6d9:a96e:eba9 with SMTP id m2-20020a056a00080200b006d9a96eeba9mr7875024pfk.46.1704302233963; Wed, 03 Jan 2024 09:17:13 -0800 (PST)
MIME-Version: 1.0
References: <CACyFTPHbCc00z36PRSUCsP=8Av=z4Ms0KHwk1Rxd=19TXzdyhg@mail.gmail.com> <CAPt1N1=82h05qZRqhtDirXwS1Fvz8OPt0iFRWasFHMXkEp4Fuw@mail.gmail.com> <CACyFTPFJ=CjiYbZjdF8T63a14SgeNAKaAQeTVSbAxde4J9ZfRQ@mail.gmail.com> <CAO42Z2zfzwx2NuCYZh_-ncTvmQ0T1+AsOi540RQ2BjQC0w6Kkg@mail.gmail.com> <ZYSv6CZllItMyNSQ@Space.Net> <CAO42Z2y-zKtWWJXX837RfD9XuxKaXkhg75TiEGHF=hFdnnsydQ@mail.gmail.com> <CACyFTPHDhrANP+tssS3x14Dm19TiyAYpeEF=sZdLJsrwUpAWjw@mail.gmail.com> <CAPt1N1nFk1QYmcJe4vmnj_vKp2EZ8iLipcrW3QixPKayER50LA@mail.gmail.com> <8d990f81-d4ae-b602-1f58-a0aa0fc9de28@gmail.com> <CAO42Z2wBZ3EQVtH0-EBsDhkR8owCpxTAJZJE59pVC5-jSMjUzA@mail.gmail.com> <ZYayNL9kuwH37EqP@Space.Net> <CACyFTPEn2ag2ZtgFag1N+0MqJbagw6HzYkVw0rC=0VV+DDCm+g@mail.gmail.com> <8fb2c7c5-938c-3728-17c9-85e7004883e6@gmail.com> <CACyFTPHWCCLsiUT0GEuvpq5fhnaDdD-w910x3R0wMprUGnZ9nA@mail.gmail.com> <CAO42Z2z9bFemih_0_wDa8TA1ez4zSnACF6gU5yU74rknHKCwgw@mail.gmail.com> <CACyFTPGXNyhBHV_w0Uj3QQdz3OCQ-hqtAmPNNNgUKCFGoEbxow@mail.gmail.com> <CAPt1N1kQB9PYrt70vRTQT=cgvVOaRms=+OsH117_-H9Uj9kS1A@mail.gmail.com> <53322B92-1354-4CF9-98C8-A56EE5EA8EBD@jisc.ac.uk> <CAPt1N1=k9NO_ci_zJus8LM0_eH9QBvdtoZc3FR8h8TU0_+50_g@mail.gmail.com> <5E6C7984-EED0-46DD-82BB-86F554E20795@employees.org> <CAPt1N1mHvpfbqaocnc6nBwDZ2RocMfi3ydtiSxqRq7dZwF1EQg@mail.gmail.com> <2D0D28C9-F1EE-4AB7-987E-CD9D6A28A4F1@employees.org> <CAPt1N1m5Jdt7+AzB7_r0EmsV-yP0DUh5uFxy_3WyooMrCbJ7qQ@mail.gmail.com> <705971AB-BCE4-46D1-B043-396C59BC552C@employees.org> <CAPt1N1kM0g3nbEsodaUMGsNx93FG5o=PWyr+VFfp24_sv6PL5A@mail.gmail.com> <CACyFTPG91wc3LAZ1QRBm6t-cDL1OtyVh2P6zrh_zGiAeBnVeBg@mail.gmail.com> <CAO42Z2zMmezZVRCnkYSse-u93pNQk0WB5qi_R=Zm+JzmC=SmDw@mail.gmail.com>
In-Reply-To: <CAO42Z2zMmezZVRCnkYSse-u93pNQk0WB5qi_R=Zm+JzmC=SmDw@mail.gmail.com>
From: Daryll Swer <contact@daryllswer.com>
Date: Wed, 03 Jan 2024 22:46:35 +0530
X-Gmail-Original-Message-ID: <CACyFTPFOYg2wO9+VHicmaLiJcCq8mwHDwrKg3w=_kHv8fS9osw@mail.gmail.com>
Message-ID: <CACyFTPFOYg2wO9+VHicmaLiJcCq8mwHDwrKg3w=_kHv8fS9osw@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Ted Lemon <mellon@fugue.com>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003ed503060e0dc91d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/4cXQbopjwoNMwkKsO_TXAPI2kRI>
Subject: Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2024 17:17:26 -0000

>
> If you wish Kea's state sync mechanism to be documented and possibly
> standardised in an RFC, it is up to you to write or get written the
> Internet Drafts and submitted to the appropriate IETF working group, as the
> start of the process to gain consensus, which then may or may not result in
> an RFC (which are also fundamentally voluntary to comply with).
>

I'll see if I can do something there, I may already know some folks who may
be interested.

But honestly, it's far easier and faster for an operator like me to ask a
vendor XYZ “Hey can you port over Kea state sync to your platform,
please?”, and they go “Oh, we'll look into it” and chances are in a few
months, “Change log line number 5: Added DHCPv6 state sync from Kea”, than
it is to politick in the mailing list for who knows how long before such a
draft gets approved if ever, full stop.

*--*
Best Regards
Daryll Swer
Website: daryllswer.com
<https://mailtrack.io/link/d6348bc12fc364707fff9381511c0a27a1d56aee?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=eb649cf546b8fda6>


On Wed, 3 Jan 2024 at 03:21, Mark Smith <markzzzsmith@gmail.com> wrote:

>
>
> On Wed, 3 Jan 2024 at 03:41, Daryll Swer <contact=
> 40daryllswer.com@dmarc.ietf.org> wrote:
>
>> I've given much thought to this DHCPv6/SLAAC debate over the week, and my
>> final opinion is.
>>
>> 1. The “address notification” mechanism likely just adds more complexity
>> (and the time required for devices to support it) vs just fixing ia_na
>> specific issues
>> 2. The “state sync” problem is fixed in ISC Kea, which means there's no
>> technical reason for the IETF to not adopt the open source protocol into a
>> standard
>>
>
> If you wish Kea's state sync mechanism to be documented and possibly
> standardised in an RFC, it is up to you to write or get written the
> Internet Drafts and submitted to the appropriate IETF working group, as the
> start of the process to gain consensus, which then may or may not result in
> an RFC (which are also fundamentally voluntary to comply with).
>
> Don't expect the IETF to do that work just because you ask for it. That's
> not how the IETF works. You have to invest your own time and resources in
> the work if you want that work to occur. Other IETF participants may help
> you if they're interested in what you're proposing.
>
>
>> 3. I will recommend enterprises do “Do IPv6 for everything but Android”
>> (already the reality as is)
>> 4. ia_na does help with traceroutes/troubleshooting vs link-local for
>> PD-only
>>
>> I'm not sure if the time/energy required for “address notification” top
>> to bottom, is significantly less than what would be required to patch ia_na
>> specific issues.
>>
>> *--*
>> Best Regards
>> Daryll Swer
>> Website: daryllswer.com
>> <https://mailtrack.io/link/b8fbb9af84a504e9046468dc0a0438e543cb4486?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=dd709ee618d93ac2>
>>
>>
>> On Tue, 2 Jan 2024 at 21:28, Ted Lemon <mellon@fugue.com> wrote:
>>
>>> It's rather unkind of you to respond to a thoughtful answer that I took
>>> some time to compose with an accusation that it came from ChatGPT. I have a
>>> lot going on today, and participating in this conversation isn't free for
>>> me. I would encourage the chairs to weigh in on whether they think this is
>>> appropriate.
>>>
>>> That said, I agree with (what I think is) your point: if the DHCP
>>> address registration is not enforced with e.g. 802.1x, it's actually
>>> harmful. But the same criticism is also valid for the DHCPv6 IA_NA use
>>> case, so I don't think you've said anything new. This is precisely why
>>> there isn't consensus to require these mechanisms: by default they don't do
>>> what people want them to do. But it's easy to pretend that they do, and
>>> that leads to bad outcomes for end users. As the service provider, unless
>>> you can be held liable for false accusations (and they can be proven) you
>>> can freely accuse your users of bad behavior and back it up with your
>>> DHCPv6 logs, and it's likely that you won't be held accountable for any
>>> accidental false accusations that you make in good faith.
>>>
>>> In case it's not obvious, I'm not actually advocating for this. I think
>>> it's a bad idea. It's not an accident that I used the term "surveillance"
>>> in my previous message.
>>>
>>> On Tue, Jan 2, 2024 at 10:44 AM Ole Troan <otroan@employees.org> wrote:
>>>
>>>> Ted,
>>>>
>>>> ChatGPT?
>>>>
>>>> For an idea of what the network does already:
>>>>
>>>> https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf
>>>>
>>>>
>>>> Again, I can’t quite see how the DHCPv6 registration mechanism would
>>>> help the network in tracking endpoints.
>>>> Given that the network cannot trust the hosts that support the
>>>> mechanism to provide a truthful answer, then you have the other set of
>>>> endpoints that do not support the mechanism at all, which the network also
>>>> has to handle.
>>>>
>>>> I may have missed it, but I have not seen this question answered in the
>>>> draft, nor in your reply.
>>>>
>>>> O.
>>>>
>>>>
>>>> > On 2 Jan 2024, at 16:31, Ted Lemon <mellon@fugue.com> wrote:
>>>> >
>>>> > If the problem is attributing flows to particular users, then you
>>>> need a way to associate a particular flow with a particular user. The
>>>> easiest way to do this is with the IP address of the non-server endpoint of
>>>> the flow (that is, the IP address the surveilled device is using to
>>>> communicate). So you have two things you need to do to be able to
>>>> successfully do this attribution:
>>>> >
>>>> > 1. Establish an association between a device/user and every IP
>>>> address that device will use to communicate with other devices where
>>>> surveillance is required.
>>>> > 2. Make sure only the owner of the device is able to successfully use
>>>> each such IP address to communicate.
>>>> > 3. Maintain a record of what IP addresses were in use by what devices
>>>> during what time periods.
>>>> >
>>>> > So, DHCPv6 IA_NA and DHCPv6 address registration provide a way for a
>>>> host to communicate the IP addresses it is using to a DHCPv6 server. The
>>>> DHCPv6 server can log these addresses. It can also reach out and enable
>>>> those addresses on the per-port filter for ethernet, or per 802.1x identity
>>>> for WiFi. This is all stuff we've talked about many times before.
>>>> >
>>>> > One slight issue we'd need to be sure of is that the DHCPv6 address
>>>> registration packet comes from a link-local address, so that it's not
>>>> filtered. I think that's contrary to what the document currently says.
>>>> >
>>>> >
>>>> > On Tue, Jan 2, 2024 at 9:54 AM Ole Troan <otroan@employees.org>
>>>> wrote:
>>>> > Since the network has to do enforcement anyway, then it can do so
>>>> with existing mechanisms.
>>>> > Are you suggesting that network enforcement of devices somehow become
>>>> easier with the proposed mechanism?
>>>> > If so, how exactly?
>>>> >
>>>> > O.
>>>> >
>>>> > > On 2 Jan 2024, at 15:49, Ted Lemon <mellon@fugue.com> wrote:
>>>> > >
>>>> > > Presumably if the user disables tracking on their host, the network
>>>> won't allow them transit, so problem solved. Without that enforcement
>>>> mechanism, there's no point in implementing DHCPv6-based tracking: the
>>>> notion that you can just assume based on the source address that the packet
>>>> originated from a particular host is actively harmful, because it creates
>>>> an opportunity for malware to spoof a host and engage in bad actions, which
>>>> will then be blamed on the legitimate owner of that host.
>>>> > >
>>>> > > Indeed, in order to be able to reliably attribute traffic from a
>>>> particular IP address to a particular host or user, the filtering would
>>>> need to be done in a way that can't be spoofed—at Tim says, using 802.1x
>>>> might prevent this since the packets are all signed with a per-host key (if
>>>> I understand it correctly—not claiming to be an expert).
>>>> > >
>>>> > > On Tue, Jan 2, 2024 at 9:33 AM Ole Troan <otroan@employees.org>
>>>> wrote:
>>>> > > > In order to disable it, you have to be on a network that allows
>>>> arbitrary devices to be DHCPv6 servers. So I think it's still useful, since
>>>> blocking DHCP from unauthorized servers isn't that hard. Even if you aren't
>>>> actively blocking it, finding a DHCPv6 server that's poisoning the well
>>>> isn't that hard.
>>>> > >
>>>> > > The user of a host that doesn’t want tracking can disable it for
>>>> that host.
>>>> > > Rendering the mechanism less than useful for the problem of
>>>> tracking hosts on a network.
>>>> > >
>>>> > > O.
>>>> >
>>>> >
>>>>
>>>>
>>>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>

v2.23.0 | Report a Bug | By Email