IETF Logo Mail Archive

[v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment

Fernando Gont <fernando.gont@edgeuno.com> Fri, 22 April 2022 11:48 UTC

Return-Path: <fernando.gont@edgeuno.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E014B3A10B3; Fri, 22 Apr 2022 04:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=edgeuno.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-sbzOWwnGck; Fri, 22 Apr 2022 04:48:24 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on20707.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e89::707]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C4003A109A; Fri, 22 Apr 2022 04:48:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hsNuUqkQzn0hT/WI6PG8hwWJhDII3SqoKvWlmwoXbaVYb/9/jYUhjK6CO4X6xEUECBlOuDGNnw4vIvp1nYjmnWhNmJUatDa6SjeekJAEy+FhlK1tKBbEVCGpPQxYknZeiI+xHS4U1yAB6FNBHDtQLaex/V540W1zopWaSbNbYoxrE7GuQwW/cfvdU5caST1Dyt91cRvd/xO7a8cX8Wv/Rr2kSR6DxPHFv27pIdc9iR3P22S9sVBZBoK5u60CJW+wtIICGInhb01OZl/DHky9ET9HvnOKfRNoBu8B/B00bNYYpqtnRYe6JNRep/FvPKIHC5d0GXLO9dcskAvhtk/LOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lpD81YSWCNXKnlvm8yP+S1FNbHxuXBbOAZ6j1tKd3Y8=; b=GvgNqucvBfPTSi5j7VDR2dJJ0thspFPpyoO5KVDiXDzoq/JXS4UyOsCcrOiZURy9/GXek9OdSo0Qwcdw62B0eN8vn/9cLsNhME51qV2ARlFqbM9CfbXdWNlA2J46w5tMNyG5SDPgIUIrVN/WJvPjylruaWscSTnT5ACjDUQ+z5U2JDWldABBkqmtE7G+fWS+BUarXE3WCh3U9xhlK69voXyxGiPq3v3ELCPgYS8fYQVZLYVwB38gUljnFWvwvZzFo3kG3deqm28lQFy4MuB9+cOgKVDeYzRV312+5p3Di1OZhB+0X2cJiH2JEtwU33p92OViiDOtdnMAEuNqFxmNEg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=edgeuno.com; dmarc=pass action=none header.from=edgeuno.com; dkim=pass header.d=edgeuno.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=edgeuno.onmicrosoft.com; s=selector1-edgeuno-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lpD81YSWCNXKnlvm8yP+S1FNbHxuXBbOAZ6j1tKd3Y8=; b=U3vhQ3gp4FowkTu54CUoxubXFqhhQHtRQ/EsUQEnaMBnEKR7Z3k+OBYaQYGEcO2+2ptHwhRSJfWlTHtaLODd2n4oFHHf4hB2NgFVhI0H9NdFXkSjYyw9Xgo7xPa9PSUCflRXUfCIvgUSS6E2pYAHmZh6v+Thmi8+nEeIo3d47jA=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=edgeuno.com;
Received: from CO1PR05MB8039.namprd05.prod.outlook.com (2603:10b6:303:f0::7) by DM6PR05MB4201.namprd05.prod.outlook.com (2603:10b6:5:89::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.6; Fri, 22 Apr 2022 11:48:17 +0000
Received: from CO1PR05MB8039.namprd05.prod.outlook.com ([fe80::845c:4e39:6d65:430f]) by CO1PR05MB8039.namprd05.prod.outlook.com ([fe80::845c:4e39:6d65:430f%9]) with mapi id 15.20.5206.006; Fri, 22 Apr 2022 11:48:17 +0000
Message-ID: <3008655b-2af6-7df0-1302-63cf81bad8b4@edgeuno.com>
Date: Fri, 22 Apr 2022 08:48:04 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: V6 Ops List <v6ops@ietf.org>
From: Fernando Gont <fernando.gont@edgeuno.com>
Cc: draft-ietf-v6ops-ipv6-deployment@ietf.org
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: CP0PR80CA0003.lamprd80.prod.outlook.com (2603:10d6:103:14::15) To CO1PR05MB8039.namprd05.prod.outlook.com (2603:10b6:303:f0::7)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 440c405b-9846-4f3a-98be-08da2455fd55
X-MS-TrafficTypeDiagnostic: DM6PR05MB4201:EE_
X-Microsoft-Antispam-PRVS: <DM6PR05MB420178621467B46F5BC5E1F0E5F79@DM6PR05MB4201.namprd05.prod.outlook.com>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: HPBWmYgkR6HGfNgenviX+XEobBxuOCWVdkTuQXTfZJfaTbrFhq1D9clR9e0+C2ZdxDDHcS8G6I+DPDNvV8YnOvVPR6IJRUi01wgexhczLyrg1dWZSffpNbhdY3YB5w+Bwq+t21MUA14iwONyCgVT4ByMNZs4/pYu4icS9eochwlz7P0bFVCtEMLA/1FT2fXG62rkkMyG+EX3k0VUxIMzBADVVk9PKAsrO2bLfjmu67ROy9fYZgsUSGdcRvDd6HcnScfGhAue8b6jEfXICh+JAYyXzm6RLqIfHLrawQgh3hVU9ESdH1H1XQ8ERqme5Hn6wc3jFbiTt+yGeXwZCwQ0RkiAnyxbDrViuW5xDGAcqKTtgz2xXAuXcdPBdMZt1B6MVQzNc4gnhcXHJHcWGozgOOiKTtvUmzXDa6F4+3ogXa5C5XXHMV11Y6CE7T2n0fdDvI+L1Et/8bCowADdEg9c4hoNUU8vo5UqFoVfq5R0V1Hcx4QULbUpydsq2vY8uCclRICO1e4zLhyHR+PHmTMX4iSgR5wAFv76XvZvHFcIPxTYo/FmRdKVi4cFXCCYkBMlgx4PLRgKdzZ7g7uLcLLt6GJhVyS03RhIZzXceiM1Uigz0Ng/CK42mst3AbeXS4OBbPHIDa9m273yF1UVFoPkQdiSpc/AuLtIqV1EaG83z+7bcE9cw7R8EkUUyZjSu/V4OpcPIBibAqkDABtXs4PbP3jiwBrUR+rgTtNeDuHIrw+DmfF1wa6LVS97jCOfnZbGOINwud1tt0GttAS1gcCTuY0XLy3kI5cjCLGkOJzWPe7gbQz5n4TZZPvZPQMaDnQ3
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR05MB8039.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(39840400004)(346002)(136003)(376002)(396003)(66946007)(6666004)(66574015)(8936002)(6506007)(316002)(5660300002)(31686004)(186003)(36756003)(966005)(6486002)(6512007)(86362001)(31696002)(38100700002)(508600001)(2906002)(66476007)(6916009)(2616005)(4326008)(52116002)(44832011)(8676002)(83380400001)(66556008)(450100002)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 2
X-MS-Exchange-AntiSpam-MessageData-0: Eaox3QvJ6X+58Z0vUpFHBeti6sV5Ki5eUEojGO68p/O5lzBCZSzAIyEUWEGN2HnIMk64tr63pKpZRXN8LUn26jnbVnOqFickTk+AQQjS0sxmTj2urPWRJBB43EzE+ah/u83m2vZFkXDIkGEIZsmscrSi6m+olPjsvCXFzHnr19JCj4C3nyINMWcHHns4EdiCghmKLkIiNiW7e7Ngsqg0/SAj5havIZM47neWR7hkbYPgKXE58362fN7rS9sp5fsZ6psxctcZokWIWc+ac6u6mdISrvJP+X49bez/vAPXp3/OXmogLbZuBIUJq5Fn9SDuLTsLqkKaIdbv9zRTohoYifbQtjTK8D6nvi843RKZzIbYqR85HPoqI44Ppbx5UV78eXDzriMnhS8FCw5hqaPa9W5awOnLsLeWcBGdQDvP6hGEXxDhd62sXb4MIyff2UV00DiqfjQOeDDussH2dgX5OtXirOggqj1c1RqjPu/xw9BFV8lQSS06bpU18AQPb+UYgHXi0DHsCZ0gfNUsZorMNs08P2LRBiUPU9Kj8FhaWwu7xXTb6i9N9gJ2PcqBDZAyYjjIO68QCqRjOBubXTE4SBMEIHulXSQUR1FuZ5Kg2UKlv+Y2I/XvTr1C6QKVamzRDqwxMSwTBGqOJml7SbOH4Qyjp99Ttr6Acgs9XzZSCnnduHoR8n62H5DcIjuUKZ97BcFH45oth9BHsmRrN/Ggd28pByEMjJrHgnHgAdRCuDlbJ5EwEnyJfz4F/SzwlIBQCH+e52fXZhD64EmrCR7IQcM5QTwOYOev48c7Y2X0RO7VKTp/09JT1K260Bzee9jUOedEDUMfhawoN5mTUeZoSZVTQWImTciSl7HQ1fpk3q7OjwX6USr9Glkh+x8cWqCfyPPOaQClRLGl8r3xNYDs8CraLxR5JPZabHu4/DPsvuPPzkXgHKFATPI6bpxppGihCAKt/vlO4yMKUIhwj+CY7+Uhjtd2Sty7D2TTU77ykKYlHugu+vwmCVPAouCK/3mWfcd1eMIFbouCEmz8YBVjqoAeiW6AQo0mI4sAwschQMQ7nBqmh4KBm80sTaDfHYO/0s0g6h8ri4XBAGq7adFxqI1VlAYFe6chn9RMVQFVg/sv728Fc8PfVbUOtxHy4SqmpvBVcDBjpA78XDJFcjv1aCyR+V2ZWr+IYFqj22Qxr8bta8E/ktbfhPHr6beMHe2btTvnskleSeCPxJvaXtSh/THglGrQGZnBe4D5JVAoZhXxqCKrEDzJhCCF1nape69chf6BAkkJMDW7wAfO+OVdJGxEJg3u1R63fL/la1vczooI3Mv88mOZaTZ63W4JOO/7Ki8Quy09Utib6r42zKrutOMH4jSvE6lU2f0yafhigrS2CfumKwDNCBM4CVNu19Ly3zGliKa2u4DCxauafES91OEUG7vFWH6L8N4v9Lgwqz1Au/5KsRwLqKlm+Dxl5fQeuHNLa3es/W2RjL8+hGo0+Afzs8xJ8KzOd8nFEDjd4pwjR6kSVrmgAlBehpZqat2990P4bUAb2R1FNQcI1V0iBLoP1I/O//Z+NWknTagK0kTrNptW4XNOYsfOZJSCsBAs3TfBQsjAaXB9CzlY4b5BjE01Wvq2AW3Zs9tt+Fd7AeUW5T5uRWNSObSzbd2JWAPp/5KmDX2051ekoT/NVMw0X3HduXKWZ/fVPm1h9SVKq7srQEq1oq2xwxc0Nbh+IAqvMxtfpPaoE1P8etGADJp8YYmtt1/TBt+1RBEFTSLzPKCwEHNZ7u6YIhDlx51s/LftyLxbzmP+
X-MS-Exchange-AntiSpam-MessageData-1: N2hAQLimZSdLQkX6p3zHLnHCQBc7QGhP0Dc=
X-OriginatorOrg: edgeuno.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 440c405b-9846-4f3a-98be-08da2455fd55
X-MS-Exchange-CrossTenant-AuthSource: CO1PR05MB8039.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Apr 2022 11:48:16.9130 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 20879dba-fabf-45da-8300-60b8ce560217
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: s8dLeJuYJeDdUu46W69+3rBZSklQ8KwQUeirE8mgWWcqUCccyaEwLypsJxPXDolTGFICB67/epF7lA6DSPKQ91D0BReCsF5696V7iyOX9rg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4201
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/8OYVQOyVU_SmKBXm_TMV3Z4qmus>
Subject: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 11:48:29 -0000

HI, All,

Apologies for the bad timing (I guess it could still be worse... i.e.,
past IETF-LC ;-)  ).

I've read through the I-D, and it seems that there are a number of
claims that seem to be technically inaccurate.

These are my comments:


* Section 6, page 24:

"   4.  Future Proof: IPv6 was designed from scratch to be future-proof,
        despite some incompatibilities with IPv4. "

Isn't IPv6 *fully* incompatible with IPv4?


* Section 6, page 24:
  "     A side effect to that, this approach brings the
        connectivity model back to the end-to-end client/server
        paradigm."

It's not just NATs, but firewalls and other middle-boxes. So no, I think
that ship has sailed already. (see e.g.:
https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-addressing-considerations#section-4.3)


* Section 6, page 24:
       "The introduction of new functionality is
        one of the technical benefit of IPv6 due to the flexible
        structure of the packet header.  The IETF is currently active in
        defining operational recommendations for the usage of Extension
        Headers and Options left open by the base standards."

But then Geoff Huston argues in
https://blog.apnic.net/2022/03/25/notes-from-the-iepg-meeting-at-ietf-113/
that:

"....all IPv6 extension headers are unusable in the public IPv6 Internet
and proposals to carry information in such headers are completely
unrealistic in this context. The conclusion is simple: If you want to
deploy a robust service on the IPv6 public Internet then you should
avoid any use of extension headers."



* Section 7.5, page 31:

"  There are some concerns in terms of the security but, on the other
    hand, IPv6 offers increased efficiency.  There are measurable
    benefits to IPv6 to notice, like more transparency, improved
    mobility, and also end to end security (if implemented)."

This is wrong, or misleading at best.

First of all, you're discussing security, and you;re kind of saying
"IPv6 security is bad... but well, the protocol is fast" -- in the
context of a discussion of security, who cares about the later? :-)

The statement that IPv6 offers increased efficiency is also misleading.
If you;re going to make that claim, please provide a reference. (Note:
measurements tend to argue the other way around).

"Improved mobility" probably refers to mobile-IP. But, what's the level
of mobile-ip deployment/usage?  Do folks still have any hopes on mobile ip?

"End to end security" might also be misleading. You can deliver "end to
end security" with IPv4 as well.


* Section 7.5, page 31:

"  However, this is turning also in the other way around, as with more
    IPv6 deployment there may be older IPv4 flaws not discovered or even
    not resolved anymore by vendors."

Are you really expecting that vendors will stop patching IPv4
vulnerabilities anytime soon?


* Section 7.5.1, page 31:

"Since it is used in many IPv6 related
    protocols, ICMPv6 packet with multicast address should be filtered
    carefully to avoid attacks."

Multicast packets don;t generally represent an issue, since in most
networks you won't have multicast routing, anyway.


* Section 7.5.2, page 33:

A reference to RFC8990 is probably warranted here.



* Section 7.5.2, page 33:

"   IPv6 Extension Headers imply some issues, in particular their
    flexibility also means an increased complexity, indeed security
    devices and software must process the full chain of headers while
    firewalls must be able to filter based on Extension Headers."

At the risk of sounding our own horn, a reference RFC9098 is probably
warranted here.



* Section 7.5.2, page 33:

"   Additionally, packets with IPv6 Extension Headers may be dropped in
    the public Internet."

Ditto for RFC7872.


* Section 7.5.2, page 33:

   "Some documents, e.g.
    [I-D.hinden-6man-hbh-processing], [I-D.bonica-6man-ext-hdr-update],
    [I-D.peng-v6ops-hbh] analyze and provide guidance regarding the
    processing procedures of IPv6 Extension Headers."

They don't really provide guidance, but rather aim at changing the
standard. Please also note that all of them seem to be individual
submissions, and not wg documents.


* Section 7.5.2, page 33:

"   There are some possible attacks through EHs, for example RH0 can be
    used for traffic amplification over a remote path and it is
    deprecated. "

One should not that probably most IPv6-related vulnerabilities have been
associted with implementation flaws in the processing of IPv6 extension
headers.


* Section 7.5.2, page 33:
   "There are some possible attacks through EHs, for example RH0 can be
    used for traffic amplification over a remote path and it is
    deprecated.  Other attacks based on Extension Headers are based on
    IPv6 Header Chains and Fragmentation that could be used to bypass
    filtering, but to mitigate this effect, Header chain should go only
    in the first fragment and the use of the IPv6 Fragmentation Header is
    forbidden in all Neighbor Discovery messages.

    Fragment Header is used by IPv6 source node to send a packet bigger
    than path MTU and the Destination host processes fragment headers.
    There are several threats related to fragmentation to pay attention
    to e.g. overlapping fragments (not allowed) resource consumption
    while waiting for last fragment (to discard), atomic fragments (to be
    isolated)."

A reference to RFC8200 is probably warranted here. Also one to RFC6980.




* Section 7.5.2, page 33:
  " A lot of additional functionality has been added to IPv6 primarily by
    adding Extension Headers and/or using overlay encapsulation."

But then Geoff Huston argues in
https://blog.apnic.net/2022/03/25/notes-from-the-iepg-meeting-at-ietf-113/
that:

"The high order takeaway from both of these measurements is that all
IPv6 extension headers are unusable in the public IPv6 Internet and
proposals to carry information in such headers are completely
unrealistic in this context. The conclusion is simple: If you want to
deploy a robust service on the IPv6 public Internet then you should
avoid any use of extension headers."



* Section 7.5.2, page 33:
    "All of
    the these expand the packet size and this could lead to oversized
    packets that would be dropped on some links.  It is important to
    investigate the potential problems with oversized packets in the
    first place. "

In many (most?) cases, it's the presence of IPv6 EHs or the length of
the EH chain that leads to drops, rather than the overall packet size
itself.

Thanks!

Cheers,
--
Fernando Gont
Director of Information Security
EdgeUno
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531




“This communication is the property of EdgeUno or one of its group companies and/or affiliates. This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and if you are not the intended recipient be aware that any non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, and will be considered a criminal offense. Please notify legal@edgeuno.com about the unintended receipt of this electronic message and delete it.”

v2.23.0 | Report a Bug | By Email