IETF Logo Mail Archive

Re: [v6ops] v6ops-host-addr-availability: A Little Pushback

Lorenzo Colitti <lorenzo@google.com> Wed, 23 September 2015 11:52 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20CDD1AD351 for <v6ops@ietfa.amsl.com>; Wed, 23 Sep 2015 04:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ocVOBDMt5K7 for <v6ops@ietfa.amsl.com>; Wed, 23 Sep 2015 04:52:10 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63D121AD350 for <v6ops@ietf.org>; Wed, 23 Sep 2015 04:52:10 -0700 (PDT)
Received: by ykdg206 with SMTP id g206so38267354ykd.1 for <v6ops@ietf.org>; Wed, 23 Sep 2015 04:52:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=Hk0F6ciWgvdFTuPX1NDX/hsIjuufzfiekfykRlblTjI=; b=o60hAqu/rTZs+uXXL02BO6zVcKQUeiFy47LtVhF+5KjytHipIrw+jzjzp5ZAYHuGx2 N8a+xHCO94f5nuMvw0Sq49AqFKhtX0D2aEIzwn1yCCedP8VKhH3ponBmR193XQ2smCwH LlAfGJ7AS4QebwCL4d6aw04oG/FUvlUcIiHb6F0x32vOakZGM/kwF0HsfK2DBYkwyI0b hUwVyUKeVSIYh0QFR/Ya0tFrl9m8TeNiEYG0NjnyqpaWYjxODwRPgYWZ4WUs1LcwMUIy XcJpSJTBLsoB2xUfxFgZ0Co1KzhvzAOmZRyPz7bi3UFCxpt5R+xhN6MEmyk0QXJ/YqeU pkeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Hk0F6ciWgvdFTuPX1NDX/hsIjuufzfiekfykRlblTjI=; b=YDv5dVC01FejulEEWpach+Aa5aIrqALnOoTpIq/ocS4+MD6/+SfYLdKfLa4rD9Eusa 6/Ux4+txRRJmGdRoCAkAz0xotEy8BzTccHf8b5nKYD87dOs/b51OB1kqCm2sFJm1eJ0w K0kpKU42koHp2U4yVmbs5vfYeD00kLvMLAh5FX4tIs8ded64a1KWLp6hFp5d3nRuMMvE J4AkXbse6DhhQX2UDhsSQAcow1guBeRshXG2AAnLvNmEPiHJU9o/YM7lUCQ2lq4ihldQ wfnoPqlloMZ+paYA17HAIvjY/2RC/xty9wKVBp8srx6NNKJVG1WDBoGaKZFq//xjQj4T jJyw==
X-Gm-Message-State: ALoCoQmRh1wAuBp+MujUMOecFe0kytTBsNzLWzjaQHlLYWY3R844HyAaGCgFNit1lheH0vjhvI0C
X-Received: by 10.13.240.71 with SMTP id z68mr26794455ywe.65.1443009129412; Wed, 23 Sep 2015 04:52:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.52.204 with HTTP; Wed, 23 Sep 2015 04:51:49 -0700 (PDT)
In-Reply-To: <2D09D61DDFA73D4C884805CC7865E6113AA102BC@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <2D09D61DDFA73D4C884805CC7865E6113AA102BC@GAALPA1MSGUSRBF.ITServices.sbc.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 23 Sep 2015 20:51:49 +0900
Message-ID: <CAKD1Yr0cGrY1bGHcbcPZZnZ97PDaT7cx17BqtJ45HKo6HoSj-Q@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Content-Type: multipart/alternative; boundary="94eb2c032818916925052068be96"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/A0fF0WpArRm0D4iZ9dTARfnIiwI>
Cc: v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] v6ops-host-addr-availability: A Little Pushback
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 11:52:12 -0000

On Wed, Sep 23, 2015 at 1:32 AM, STARK, BARBARA H <bs7652@att.com> wrote:

> 1. Privacy. Changing tracking requirements from needing to track a /128 to
> only needing to track a /64 does not provide for any sort of improved
> privacy against tracking. We need to stop perpetuating this myth.
> draft-ietf-dhc-dhcp-privacy already describes how to provide a single
> address that doesn't give away the MAC address. Other than not giving away
> the MAC, there is no privacy benefit I can see to more easily allowing
> tracking systems to track at the /64 instead of the /128.
>

Here's one privacy benefit that requires the ability to form multiple
addresses: change your privacy address as often as you want, instead of how
often the operator wants. Or, use different addresses to talk to different
sites (e.g., a web server and an advertising server). These are both useful
benefits if the network is trustworthy but the the attack is pervasive
monitoring outside the network (e.g., by a national security agency).

These aren't in the draft, but we could add them.

2. Several of the listed benefits involve potential use by multiple
> processors on a host, virtual machines on a host, future applications, and
> identifier-locator addressing (ILA). In listing these, there was nothing
> that said "this is incredibly useful, but hosts are prevented from doing it
> (or run into a lot of complexity) if the host is restricted to a single
> DHCPv6-assigned IPv6 address". I didn't read that hosts would have a hard
> time having multiple processors or future applications in the absence of
> multiple addresses, and I didn't get out of the discussion that virtual
> machines and ILAs that require their own address are incredibly compelling
> and hosts and users can't live without them.
>

As someone who has worked on the ePDG implementation on Android devices, I
can assure you that the architecture that's used to ensure that the
baseband processor and the application processor could share an IP address
is pretty contorted - you might even say nightmarish.

And VMs do require their own addresses - no host OS I'm aware of supports
sharing an IP address with another host. The sharing has to be done by
performing NAT on the upstream.

... which is really the point here. What we're trying to say here is not
that these use cases are hard or impossible without multiple addresses.
What we're trying to say is that they exist, and that they can either be
met using multiple addresses or (in most cases) by performing NAT66 in the
host. We're recommending that we do not go to an architecture where hosts
need to implement NAT66, and thus we recommend that the network should
assign enough addresses that NAT66 is not necessary.

Also, I'm not sure exactly what you're trying to say here. Are you saying
that:

   1. You disagree that if the network assigns a single /128, hosts will
   implement and use NAT66; that they will instead reduce or disable (possibly
   user-visible) functionality.
   2. You believe that it's fine if networks assign a single /128 to a
   device, even if it means that hosts will (possibly widely) implement NAT66.
   3. Something else?

Cheers,
Lorenzo

v2.23.0 | Report a Bug | By Email