Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 10 October 2017 14:39 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Fred Baker <fredbaker.ietf@gmail.com>
CC: "Mudric, Dusan (Dusan)" <dmudric@avaya.com>, Lorenzo Colitti <lorenzo@google.com>, "v6ops@ietf.org" <v6ops@ietf.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Thread-Topic: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
Date: Tue, 10 Oct 2017 14:39:07 +0000
Message-ID: <ba915919018946aab98cc406446ab67d@XCH15-06-08.nw.nos.boeing.com>
References: <150531144008.30405.8720524557391780522@ietfa.amsl.com> <466db83261804d179fc991f43df5dcf9@XCH15-06-08.nw.nos.boeing.com> <CAKD1Yr00obLxByQEgQkXKnD=W+Kvd0XKtYAdF=Na-dLfo1MHQA@mail.gmail.com> <9142206A0C5BF24CB22755C8EC422E4585AD4EAA@AZ-US1EXMB03.global.avaya.com> <53DBD9FB-CCAE-41EB-9E3D-B04538559A2C@gmail.com> <2349a9b3358541929da084da6232848d@XCH15-06-08.nw.nos.boeing.com> <BF10DEDD-5C78-45BB-9287-A912D0E62F77@gmail.com>
In-Reply-To: <BF10DEDD-5C78-45BB-9287-A912D0E62F77@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/8YDXwe1qdP8xBFkLSFqPe0pIrEc>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

Fred,

> -----Original Message-----
> From: Fred Baker [mailto:fredbaker.ietf@gmail.com]
> Sent: Monday, October 09, 2017 4:31 PM
> To: Templin, Fred L <Fred.L.Templin@boeing.com>
> Cc: Mudric, Dusan (Dusan) <dmudric@avaya.com>; Lorenzo Colitti <lorenzo@google.com>; v6ops@ietf.org; internet-drafts@ietf.org
> Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> 
> 
> 
> > On Oct 9, 2017, at 7:34 AM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> >
> > Fred,
> >
> >> -----Original Message-----
> >> From: Fred Baker [mailto:fredbaker.ietf@gmail.com]
> >> Sent: Monday, October 09, 2017 6:17 AM
> >> To: Mudric, Dusan (Dusan) <dmudric@avaya.com>
> >> Cc: Lorenzo Colitti <lorenzo@google.com>; Templin, Fred L <Fred.L.Templin@boeing.com>; v6ops@ietf.org; internet-drafts@ietf.org
> >> Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> >>
> >> Unless someone wants to tell me I'm wrong, I don't think that consensus exists. What the document says is that when someone is
> >> running a service such as described, traffic from the CPE router to which a prefix has been delegated should invariably travel through
> >
> > 'draft-ietf-v6ops-unique-ipv6-prefix-per-host' is not about prefix delegation.
> 
> No, it's about a service (presumably operated by an ISP) in which prefixes are delegated to hosts.

It is not a prefix delegation service. It is a service that advertises a unique prefix to
a host, where the host is unaware that the prefix is unique and the host does not
participate in explicit prefix delegation procedures in any way. The host therefore
has no way of knowing whether the prefix is on-link on the upstream interface,
and therefore has to do DAD when it assigns an address to the upstream interface.

Prefix delegation is when the host is aware that the prefix is being delegated for
its own exclusive use and can therefore assign the prefix to downstream networks
and perform unlimited multi-addressing without having to invoke DAD on the
upstream interface.

Please read the definitions for "shared", "individual", and "delegated" prefixes
in 'draft-templin-v6ops-pdhost'.

Thanks - Fred


> While the specification is clear that the ISP might *also* IPv4 service on the same network using the same equipment,
> what is specified is an IPv6, and potentially IPv6-only, service.
> 
> > 'draft-templin-v6ops-pdhost' is about prefix delegation.
> >
> > Thanks - Fred
> >
> >> the upstream router as opposed to directly to a router that might appear to be an immediate neighbor. It doesn't deprecate the use
> >> of SLAAC/DHCPv6 or the use of neighbor-to-neighbor routing in LAN networks.
> >>
> >>> On Oct 6, 2017, at 7:48 AM, Mudric, Dusan (Dusan) <dmudric@avaya.com> wrote:
> >>>
> >>> Hi Fred,
> >>>
> >>> Should it be mentioned that even though a 'shared' prefix with L=0 makes hosts send packets over the first hop router, the unique
> >>> prefix per host is the preferred mechanism in the environments where security is of a concern?
> >>>
> >>> Thanks,
> >>> Dusan.
> >>>
> >>> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Lorenzo Colitti
> >>> Sent: Wednesday, September 13, 2017 6:04 PM
> >>> To: Templin, Fred L
> >>> Cc: v6ops@ietf.org; internet-drafts@ietf.org
> >>> Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> >>>
> >>> I would instead say the opposite, i.e., call attention to what is in fact one of the main benefits of this document. Suggested text:
> >>>
> >>> The practices described in this document make it very simple for networks to implement robust isolation between clients at layer 2.
> >>> The network can simply ensure that devices cannot send packets to each other except through the first-hop router. This will
> >>> automatically provide robust protection against attacks between devices that rely on link-local ICMPv6 packets, such as DAD reply
> >>> spoofing, ND cache exhaustion, malicious redirects, and rogue RAs. This form of protection is much more scalable and robust than
> >>> alternative mechanisms such as DAD proxying, forced forwarding, or ND snooping.
> >>>
> >>>
> >>>
> >>> On Wed, Sep 13, 2017 at 2:12 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> >>> Please add the following to Security Considerations:
> >>>
> >>>  "While the practices described herein encourage L3 operations that would
> >>>    forward all traffic through a provider managed First Hop Router, peer to peer
> >>>    communications are still possible unless L2 mechanisms are also employed
> >>>    in some fashion outside the scope of this document."
> >>>
> >>> Thanks - Fred
> >>>
> >>>> -----Original Message-----
> >>>> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
> >>>> Sent: Wednesday, September 13, 2017 7:04 AM
> >>>> To: i-d-announce@ietf.org
> >>>> Cc: v6ops@ietf.org
> >>>> Subject: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> >>>>
> >>>>
> >>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >>>> This draft is a work item of the IPv6 Operations WG of the IETF.
> >>>>
> >>>>        Title           : Unique IPv6 Prefix Per Host
> >>>>        Authors         : John Jason Brzozowski
> >>>>                          Gunter Van De Velde
> >>>>      Filename        : draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> >>>>      Pages           : 9
> >>>>      Date            : 2017-09-13
> >>>>
> >>>> Abstract:
> >>>>   This document outlines an approach utilising existing IPv6 protocols
> >>>>   to allow hosts to be assigned a unique IPv6 prefix (instead of a
> >>>>   unique IPv6 address from a shared IPv6 prefix).  Benefits of unique
> >>>>   IPv6 prefix over a unique service provider IPv6 address include
> >>>>   improved host isolation and enhanced subscriber management on shared
> >>>>   network segments.
> >>>>
> >>>>
> >>>> The IETF datatracker status page for this draft is:
> >>>> https://datatracker.ietf.org/doc/draft-ietf-v6ops-unique-ipv6-prefix-per-host/
> >>>>
> >>>> There are also htmlized versions available at:
> >>>> https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> >>>> https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> >>>>
> >>>> A diff from the previous version is available at:
> >>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> >>>>
> >>>>
> >>>> Please note that it may take a couple of minutes from the time of submission
> >>>> until the htmlized version and diff are available at tools.ietf.org.
> >>>>
> >>>> Internet-Drafts are also available by anonymous FTP at:
> >>>> ftp://ftp.ietf.org/internet-drafts/
> >>>>
> >>>> _______________________________________________
> >>>> v6ops mailing list
> >>>> v6ops@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/v6ops
> >>>
> >>>
> >
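The thread turns on two host-side behaviours that the draft relies on but does not spell out in code: the L (on-link) bit in the RA's Prefix Information Option is what makes a host send to a neighbour via the first-hop router instead of directly, and a host given a unique prefix still treats its SLAAC address as tentative and runs DAD because, as Templin notes above, it cannot tell a unique prefix from a shared one. The following is an added illustration, not code from the draft or from anyone on the thread. It builds and parses raw ICMPv6 Router Advertisements in the RFC 4861 wire format, applies the RFC 4861 section 5.2 on-link rule and the RFC 4862 DAD rule in a deliberately minimal Host model, and compares the shared-prefix L=1 case, the shared-prefix L=0 case Dusan mentions, and the unique-prefix-per-host L=0 case. The prefixes, the router link-local address fe80::1 and the interface identifiers are constructed documentation-range samples; the checksum is left at zero because a real sending stack fills it in over the IPv6 pseudo-header.

```python
"""Host-side processing of Router Advertisements: the L (on-link) bit of a
Prefix Information Option decides whether a host sends to a peer directly
or via the first-hop router, and SLAAC addresses start tentative (DAD) in
either model.  Added illustration, not code from the draft or from anyone
on the thread; wire formats follow RFC 4861, the on-link rule RFC 4861
section 5.2 and the DAD rule RFC 4862 section 5.4.  All prefixes and
addresses are constructed documentation-range samples."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # ND option type


def build_ra(prefixes, router_lifetime=1800):
    """Serialise an RA carrying one PIO per (prefix, on_link, autonomous).
    The ICMPv6 checksum is left as zero: it covers the IPv6 pseudo-header
    and is filled in by the sending stack, not by this builder."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    opts = b""
    for prefix, on_link, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            flags, 2592000, 604800, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra(pkt):
    """Return the PIOs of an RA as (IPv6Network, on_link, autonomous).
    Options are walked by their length field; a zero length is rejected
    (RFC 4861 section 7.1.2) instead of looping forever."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    pios, off = [], 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, flags = pkt[off + 2], pkt[off + 3]
            net = ipaddress.IPv6Network((pkt[off + 16:off + 32], plen),
                                        strict=False)
            pios.append((net, bool(flags & 0x80), bool(flags & 0x40)))
        off += olen
    return pios


class Host:
    """Minimal RFC 4861 host state for one interface (assumed model)."""

    def __init__(self, router_lladdr):
        self.default_router = ipaddress.IPv6Address(router_lladdr)
        self.on_link = []      # prefixes learned with L=1
        self.addresses = []    # SLAAC addresses; all begin tentative

    def receive_ra(self, pkt, iid):
        for net, on_link, autonomous in parse_ra(pkt):
            if on_link:
                self.on_link.append(net)
            if autonomous and net.prefixlen == 64:
                addr = ipaddress.IPv6Address(int(net.network_address) | iid)
                # The host cannot tell a unique prefix from a shared one, so
                # DAD (NS to the solicited-node group) runs before use either way.
                self.addresses.append({"addr": addr, "tentative": True})

    def next_hop(self, dst):
        """Link-locals and L=1 prefixes are on-link: resolve the peer with
        NS/NA and send at L2.  Everything else goes to the default router."""
        dst = ipaddress.IPv6Address(dst)
        if dst.is_link_local or any(dst in net for net in self.on_link):
            return dst
        return self.default_router


def compare_models(peer="2001:db8:0:1::2", iid=0x1):
    """Where one host sends to the same peer under three provisioning models."""
    shared_l1, shared_l0, unique_l0 = Host("fe80::1"), Host("fe80::1"), Host("fe80::1")
    shared_l1.receive_ra(build_ra([("2001:db8:0:1::/64", True, True)]), iid)
    shared_l0.receive_ra(build_ra([("2001:db8:0:1::/64", False, True)]), iid)
    # unique prefix per host: this host's own /64, the peer lives in another one
    unique_l0.receive_ra(build_ra([("2001:db8:0:7::/64", False, True)]), iid)
    return {
        "shared_prefix_L1": str(shared_l1.next_hop(peer)),  # direct to peer
        "shared_prefix_L0": str(shared_l0.next_hop(peer)),  # via fe80::1
        "unique_prefix_L0": str(unique_l0.next_hop(peer)),  # via fe80::1
    }


if __name__ == "__main__":
    for model, hop in compare_models().items():
        print(f"{model}: next hop {hop}")
```

Only the shared-prefix L=1 host resolves the peer with NS/NA and sends directly; with L=0, whether the prefix is shared or unique, the packet goes to fe80::1. That is a decision the sending host makes for itself, which is exactly the point of Templin's proposed Security Considerations text: a host that ignores the L bit, or that accepts a forged NA for the peer, still reaches it at L2, so the L=0 practice blocks the link-local ICMPv6 attacks Lorenzo lists only when the switch also enforces isolation between client ports.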