Re: [v6ops] [OPSEC] IPv6 LL-only as WG document - feedback requested
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 16 August 2012 12:23 UTC
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Thu, 16 Aug 2012 12:23:01 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C6555@xmb-aln-x02.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com> <502B549A.4010708@gmail.com>
In-Reply-To: <502B549A.4010708@gmail.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)" <draft-behringer-lla-only@tools.ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] IPv6 LL-only as WG document - feedback requested
Brian

Thanks for your suggestion about wording. I think we agree on the content and your format is better :-)

-éric

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
> Brian E Carpenter
> Sent: Wednesday 15 August 2012 09:50
> To: Carlos Pignataro (cpignata)
> Cc: 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org); opsec-chairs@ietf.org; opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
> Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
>
> Carlos,
>
> On 14/08/2012 22:08, Carlos Pignataro (cpignata) wrote:
> > Michael, Brian,
> >
> > Should "The Suggested Approach" http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1 also include some prescriptiveness or specific recommendation regarding the use of RFC 5837, instead of including that solution to interface identification as a "Caveats and Possible Workarounds" only?
>
> I have no strong opinion on this. Just indicating the existence of 5837 seems OK, though.
>
> Looking at the current text, it says that the loopback GUA MUST be used for all ICMPv6 messages, which is good, but it also says "ICMP error message can also be sourced from the global scope loopback address." That seems unnecessary in view of the MUST, but in any case, s/can/will/.
>
> Actually my main comment on the draft is on this text in the Introduction:
>
>    "We propose to configure neither globally routable IPv6 addresses nor unique local addresses on infrastructure links of routers, wherever possible. We recommend to use exclusively link-local addresses on such links."
>
> I suggest a more neutral approach, since some operators clearly prefer to use GUAs:
>
>    It is possible to configure neither globally routable IPv6 addresses nor unique local addresses on infrastructure links of routers. This document describes how to use exclusively link-local addresses on such links.
>
> (and s/proposes/describes how/ in the Abstract)
>
> Thanks
>    Brian
>
> > Thanks,
> >
> > -- Carlos.
> >
> > On Aug 6, 2012, at 5:24 AM, Brian E Carpenter wrote:
> >
> >> Hi,
> >>
> >>> o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo request ... can be addressed to loopback addresses of routers with a global scope address. Router management can also be done over out-of-band channels.
> >>>
> >>> o ICMP error message can also be sourced from the global scope loopback address.
> >>
> >> These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.
> >>
> >> This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.
> >>
> >> I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.
> >>
> >> Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.
> >>
> >> Regards
> >>    Brian Carpenter
> >>
> >> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
> >>> (distributed to OPSEC WG and in cc v6ops)
> >>>
> >>> Dear all,
> >>>
> >>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
> >>>
> >>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
> >>>
> >>> Ciao,
> >>> G/, KK & Warren
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >>
> >
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
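The source-address rule Brian states in the quoted message (a packet that is not sent to a link-local destination must carry a global source, because a link-local-sourced packet is never forwarded and so breaks ping and traceroute; and that global source should belong to a prefix the operator actually owns), written out as a small checker in Python. This is an added example, not code from this thread or from draft-behringer-lla-only. The operator prefix 2001:db8:1::/48, the loopback address 2001:db8:1::ffff, the link-local address fe80::1 and the sample packets are all constructed from the documentation range and are assumptions, not addresses from the discussion.

```python
"""Checker for the IPv6 source-address rule discussed in the thread.

Rule, as stated in the quoted message: a packet that is *not* sent to a
link-local destination must carry a global source address, because a packet
with a link-local source is never forwarded off-link. A router that answers
ping or emits ICMPv6 errors from its link-local address therefore breaks ping
and traceroute. The global source should also sit in a prefix owned by the
operator of the router, or traceroute output becomes confusing.

All addresses below are constructed from the 2001:db8::/32 documentation
range; the operator prefix, loopback GUA and link-local address are assumptions.
"""

import ipaddress
from typing import Iterable, List, Tuple

IPv6Net = ipaddress.IPv6Network

# Assumption: the operator's own allocation.
OPERATOR_PREFIXES: List[IPv6Net] = [ipaddress.ip_network("2001:db8:1::/48")]
# Assumption: the router's loopback GUA and its link-local address on the link.
LOOPBACK_GUA = "2001:db8:1::ffff"
LINK_LOCAL = "fe80::1"

OK = "ok"
LL_SRC_OFF_LINK = "ll-source-to-non-ll-destination"
FOREIGN_SRC = "source-not-in-operator-prefix"


def classify_source(src: str, dst: str,
                    operator_prefixes: Iterable[IPv6Net] = OPERATOR_PREFIXES) -> str:
    """Return a verdict for one packet's (source, destination) pair."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version != 6 or d.version != 6:
        raise ValueError("IPv6 addresses expected")
    if d.is_link_local:
        # On-link traffic (NDP, routing-protocol hellos) may use a LL source.
        return OK
    if s.is_link_local:
        # Dropped at the first hop: the failure mode behind broken ping/traceroute.
        return LL_SRC_OFF_LINK
    if not any(s in p for p in operator_prefixes):
        # Forwardable, but the hop will show up under somebody else's prefix.
        return FOREIGN_SRC
    return OK


def choose_source(dst: str, link_local: str = LINK_LOCAL,
                  loopback_gua: str = LOOPBACK_GUA) -> str:
    """Source a LL-only router should use for a packet to dst, per the rule above."""
    return link_local if ipaddress.ip_address(dst).is_link_local else loopback_gua


# Constructed sample of ICMPv6 messages a router on a LL-only link might emit:
# (description, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("neighbour advertisement to on-link peer", "fe80::1", "fe80::2"),
    ("time exceeded, sourced from loopback GUA", LOOPBACK_GUA, "2001:db8:5::10"),
    ("time exceeded, LL source (misconfiguration)", "fe80::1", "2001:db8:5::10"),
    ("time exceeded, GUA outside operator prefix", "2001:db8:ffff::1", "2001:db8:5::10"),
]


def audit(packets: Iterable[Tuple[str, str, str]] = SAMPLE_PACKETS,
          operator_prefixes: Iterable[IPv6Net] = OPERATOR_PREFIXES) -> List[Tuple[str, str]]:
    """Return (description, verdict) for every packet that violates the rule."""
    prefixes = list(operator_prefixes)
    findings = []
    for desc, src, dst in packets:
        verdict = classify_source(src, dst, prefixes)
        if verdict != OK:
            findings.append((desc, verdict))
    return findings


if __name__ == "__main__":
    for desc, verdict in audit():
        print(f"{verdict:35} {desc}")
    print("source for 2001:db8:5::10:", choose_source("2001:db8:5::10"))
```

Running the module flags the two bad packets in the constructed sample (the link-local-sourced error and the error sourced from outside the operator's prefix) and shows choose_source picking the loopback GUA for any off-link destination and the link-local address only for on-link ones. The check is deliberately independent of ICMPv6 type: as the quoted message notes, the rule covers everything a router sends, not just ICMP.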