Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt

Ray Hunter <v6ops@globis.net> Thu, 20 February 2014 21:54 UTC

Message-ID: <5306796F.5030709@globis.net>
Date: Thu, 20 Feb 2014 22:53:51 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.9 (Macintosh/20140129)
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
References: <20140214091302.13219.20624.idtracker@ietfa.amsl.com> <m21tz6javn.wl%randy@psg.com> <1442fd6c81e.5859224653900445752.5189762259388794287@internetdraft.org> <52FEBE28.1010006@gmail.com> <8E2A8B56-6F05-4F09-BE7E-651B9CA42458@delong.com> <5300CE32.1050808@gmail.com> <BD473E46-E382-44E6-B474-A56D074318FA@delong.com> <530104B3.3070205@gmail.com> <53010E70.5000401@gmail.com> <20140217110013.GA31822@mushkin> <62FF9B8A-2F21-4FDD-B1D2-82B8C02A21B3@delong.com> <37638184-17C6-4C8B-86B1-C596A5A5504A@nominum.com> <530242C3.4070108@bogus.com> <E91E49CA-7BA6-4DA3-B4F3-46BB0F25F8F1@delong.com> <5303CD3E.1010907@gmail.com> <m2a9dnr4vk.wl%randy@psg.com> <5304BAAF.60608@gmail.com> <53052B43.2070904@gmail.com> <CAKD1Yr2fyZ9FezX5dh=P-PiruiOqKBKO9f5hroD-CHDJS+ZMQQ@mail.gmail.com> <53055FF3.2040605@gmail.com> <CAKD1Yr0SgVtTCTppiJkfgao91xR5jZ-1N+b+dE5m9_6ovky4gQ@mail.gmail.com> <5305B159.2050402@globis.net> <53065F7D.1010909@gmail.com>
In-Reply-To: <53065F7D.1010909@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/9Xk748UrSreTIAi5t2PZl0atIgM
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt

> Brian E Carpenter <mailto:brian.e.carpenter@gmail.com>
> 20 February 2014 21:03
> On 20/02/2014 20:40, Ray Hunter wrote:
> ...
>
> Ray, ULA prefixes *are* global unicast prefixes; their only special
> characteristic is that they are not routed outside a given administrative
> domain.
>
> Also, it is common for large enterprises to run multiple disjoint prefixes
> within the corporate network, and has been for many years.
>
So how do they set up firewall rules?

> I think the issues you're concerned about are all due to the fact that
> in IPv6, it is bog standard to run more than one prefix on the same
> physical subnet. The fact that one of them might be delegated from
> a ULA /48 seems to me to be a side issue.
>
> Brian

So you see no problems with a machine running multiple prefixes, where 
the IID for each may also be different (stable privacy addresses), and 
each session may source from a different prefix depending on where it's 
terminating (address selection + address rotation of privacy addresses)?

How will the firewall even know it's the same machine sending the 
packets, never mind the same user, so that the communication stream can 
be authorised or blocked?

Will users have to re-authenticate for every prefix + IID combination?

-- 
Regards,
RayH
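The exchange above turns on a concrete mechanism: with several prefixes on one link and RFC 7217-style stable privacy addresses, a host derives a different IID for each prefix, so a firewall rule keyed on one observed source address covers only a fraction of that host's sessions, while a rule keyed on the /64 covers every host on the link. The following is an added illustration written for this archive page; it is not code from the thread or from any IETF document. The prefixes (documentation range and a ULA /64), the per-host secret, the interface name and the simplified IID function are all constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed sample data: one GUA /64 and one /64 delegated from a ULA /48,
# both announced on the same physical subnet, plus per-host secrets.
PREFIXES = [
    ipaddress.IPv6Network("2001:db8:1:7::/64"),      # global unicast (documentation range)
    ipaddress.IPv6Network("fd12:3456:789a:7::/64"),  # ULA /64 out of fd12:3456:789a::/48
]
IFACE = "eth0"
HOST_A_SECRET = b"constructed-secret-host-A"
HOST_B_SECRET = b"constructed-secret-host-B"
IID_MASK = (1 << 64) - 1


def stable_privacy_iid(prefix, iface, secret, dad_counter=0):
    """Simplified stand-in for the RFC 7217 function F(Prefix, Net_Iface, DAD_Counter, secret_key).

    Real implementations also mix in a Network_ID and use a proper PRF; a truncated
    SHA-256 is enough to show the property that matters here: the IID depends on the
    prefix, so the same host gets a different IID under each prefix.
    """
    data = prefix.network_address.packed + iface.encode() + bytes([dad_counter]) + secret
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def host_addresses(prefixes, iface, secret):
    """One address per announced prefix, each with its own prefix-specific IID."""
    return [
        ipaddress.IPv6Address(int(p.network_address) | stable_privacy_iid(p, iface, secret))
        for p in prefixes
    ]


def allowed_by_exact_address(rule_addrs, src):
    """A host-specific rule written against the one source address an admin observed."""
    return src in rule_addrs


def allowed_by_prefix(rule_prefixes, src):
    """A subnet-wide rule written against the /64s announced on the link."""
    return any(src in p for p in rule_prefixes)


def iids_differ(addrs):
    """True when every address in the list carries a distinct interface identifier."""
    return len({int(a) & IID_MASK for a in addrs}) == len(addrs)


def evaluate_rules():
    """Run both rule styles against sessions sourced from each of a host's addresses."""
    host_a = host_addresses(PREFIXES, IFACE, HOST_A_SECRET)
    host_b = host_addresses(PREFIXES, IFACE, HOST_B_SECRET)
    exact_rule = {host_a[0]}   # "permit host A", keyed on the GUA address seen first
    prefix_rule = PREFIXES     # "permit the subnet", keyed on both /64s
    return {
        "iids_differ_per_prefix": iids_differ(host_a),
        # Only the session sourced from the GUA matches; the ULA-sourced one is dropped.
        "exact_rule_hits_host_a": [allowed_by_exact_address(exact_rule, a) for a in host_a],
        # Every session from host A matches, and so does every session from host B:
        # the prefix rule cannot tell the two machines apart.
        "prefix_rule_hits_host_a": [allowed_by_prefix(prefix_rule, a) for a in host_a],
        "prefix_rule_hits_host_b": [allowed_by_prefix(prefix_rule, a) for a in host_b],
    }


if __name__ == "__main__":
    for key, value in evaluate_rules().items():
        print(f"{key}: {value}")
```

The two result rows show the gap Ray is asking about: an address-keyed rule silently stops matching as soon as source address selection picks the other prefix, and widening it to the /64 restores coverage only by giving up per-host (let alone per-user) identity. Whatever correlates the two addresses back to one machine has to live above the address layer, for example in an identity-aware policy point, rather than in a static L3 rule.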