IETF Logo Mail Archive

Re: [v6ops] draft-ietf-v6ops-ula-usage-recommendations - work or abandon?

Owen DeLong <owen@delong.com> Thu, 12 November 2015 18:23 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 410F11B2C9E for <v6ops@ietfa.amsl.com>; Thu, 12 Nov 2015 10:23:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.11
X-Spam-Level:
X-Spam-Status: No, score=-6.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wm3sejon4rMu for <v6ops@ietfa.amsl.com>; Thu, 12 Nov 2015 10:23:28 -0800 (PST)
Received: from owen.delong.com (owen.delong.com [192.159.10.2]) by ietfa.amsl.com (Postfix) with ESMTP id 657F01B2C9D for <v6ops@ietf.org>; Thu, 12 Nov 2015 10:23:28 -0800 (PST)
Received: from delong-dhcp229.delong.com (delong-dhcp29 [192.159.10.229]) (authenticated bits=0) by owen.delong.com (8.14.5/8.14.5) with ESMTP id tACILLBu019865 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 12 Nov 2015 10:21:21 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail=_DB4D084A-67BC-47F3-833F-FE89DC6CEF7D"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <D267B9E3.5DB8C%evyncke@cisco.com>
Date: Thu, 12 Nov 2015 10:21:20 -0800
Message-Id: <A3B1A605-399D-491B-A188-FB6109A55EC7@delong.com>
References: <D25D5920.C914E%Lee.Howard@twcable.com> <5637FDD0.70300@jvknet.com> <D25E32F1.C9507%Lee.Howard@twcable.com> <CAKD1Yr1VvzkSmJo3hu6t_3CUguLN_UkNZjRUqvU_ygPBTyb+8g@mail.gmail.com> <8AE0F17B87264D4CAC7DE0AA6C406F45C2319739@nkgeml506-mbx.china.huawei.com> <CAKD1Yr3g-ZV+MkbtDrusbtYaZ_wmCxDG9XbT25Ldma4koGpV6A@mail.gmail.com> <D25E7DDF.C9709%Lee.Howard@twcable.com> <CAKD1Yr3Vsn7Ny_xSCr_=sVCHyU+=ZrRh2iQDUPx-5FWdHajv2w@mail.gmail.com> <D2614A6A.CA099%Lee.Howard@twcable.com> <563B9D1E.4030606@umn.edu> <D261FE8E.CA1FB%Lee.Howard@twcable.com> <CAKD1Yr3jip0NBkDxg=MvgZXg0LMS+PtREDw2jSRx0xJLqHwhGQ@mail.gmail.com> <563C7C01.6010703@foobar.org> <CAKD1Yr1rKjkDhhuD9L=R_MJ+ofOAZ2Nt+5mszZKQxCh-kH4vqw@mail.gmail.com> <563FA84C.7030601@si6networks.com> <CAKD1Yr0F888Aw0opSigtC8HV6esUrE1JECKQ4gT737s+43ayfw@mail.gmail.com> <CAG6TeAs8ie=c0F8RMioBpemCw949Bf9c7ZTNvqgaZP=10rmNcQ@mail.gmail.com> <CAKD1Yr1EqbiGJ8EZo8E909zujUt49skcz1SNe8stEWfHnbUsTw@mail.gmail.com> <CAG6TeAsHMTyhbRrOenb1kA9XEDdOC! BBbuN3ZGF3LJ=8ToyGtiQ@mail.gmail.com> <CAKD1Yr3RUc9FEw7VyJ=ENH_sJY85m1BESo77v_maShPvCkj6rA@mail.gmail.com> <CAG6TeAv9DPYUCsNG_vHCTOpwwJ8KdhjWeGE=-s6dEuMgaVHf1g@mail.gmail.com> <CAKD1Yr2VXVFareTk-J_+pcr_UW9Do-zf_uYcyjNW-MTPts6hRQ@mail.gmail.com> <CAG6TeAt2JJJmALy=pJFaojbnZrQRE0e0i-D=XtTce=rmbf08tQ@mail.gmail.com> <CAKD1Yr1H2HgxBNOZBrx-ttoB6z6caLAck3csF=ti6CDUzW57ng@mail.gmail.com> <D267B9E3.5DB8C%evyncke@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/96NuCHLdAtXUcyNCj4-0qxEvIus>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-ula-usage-recommendations - work or abandon?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 18:23:30 -0000

> On Nov 10, 2015, at 06:13 , Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
> 
>>> 
>>> What you refer to has to do with the diode-firewall thing (which is a side effect in nat, and that folks are replicating in ipv6 by deploying a diode firewall where you currently have a nat box). Obviously, if your policy is that you don't want incoming connections, and i have the same policy then, unfortunately, we have to talk to a third party.
>> Nope. It is much easier to establish a connection across a diode firewall than to establish one across a NAT. In the former case, all the endpoints need to do is send each other packets at about the same time. In the latter, they need to implement NAT traversal via relays.
> 
> 
> It is only 'slightly' easier... Because guessing the TCP sequence number of the other party... Well good luck :-)

With a diode firewall, you don’t have to guess. Most diode firewalls don’t look at TCP sequence numbers actively. They look only at the L3 and L4 identifiers to determine state.
Some look at SYN bits and toss SYN packets going in the wrong direction, but most just look for an ACK bit.

Nonetheless, it’s also much easier because a diode firewall can easily be given an exception to permit a particular flow or the initiation of a class of flows to a particular protected host or set of hosts.

In the case of a NAT, however (more specifically a NAPT), it is not possible to program multiple port 80 terminations to land on different hosts behind the NAT.

In short, without NAT, flows which are desired can be permitted. With NAT, this is much more difficult and in many cases, impossible.

I retain my perspective that one of the worst and most ultimate forms of layering violation is for a forwarding system not residing on either of the end-hosts in a session to impersonate an end-host and mutilate unexpected portions of the datagram in flight.

Owen

v2.23.0 | Report a Bug | By Email