Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

Lorenzo Colitti <lorenzo@google.com> Sat, 14 October 2017 05:22 UTC

From: Lorenzo Colitti <lorenzo@google.com>
Date: Sat, 14 Oct 2017 14:22:30 +0900
Message-ID: <CAKD1Yr2jhVRt1K_9g7C7fSOng8CvQw1UoTwQW62J4dCZZ2=7yw@mail.gmail.com>
To: Fred Baker <fredbaker.ietf@gmail.com>
Cc: "Mudric, Dusan (Dusan)" <dmudric@avaya.com>, Fred Templin <Fred.L.Templin@boeing.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/A3w5ltT3SW2r07QWVM7GuZlBzrg>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

In reality I suspect that that is, in fact, the current IETF best practice.
The ways I see to implement that sort of security are to 1) have
different hosts share one prefix, but keep track of which IP addresses
belong to which hosts or 2) have different hosts on different prefixes. In
the presence of hostile actors, #1 is very expensive to build while meeting
the recommendations in RFC 7934.

On Mon, Oct 9, 2017 at 10:16 PM, Fred Baker <fredbaker.ietf@gmail.com>
wrote:

> Unless someone wants to tell me I'm wrong, I don't think that consensus
> exists. What the document says is that when someone is running a service
> such as described, traffic from the CPE router to which a prefix has been
> delegated should invariably travel through the upstream router as opposed
> to directly to a router that might appear to be an immediate neighbor. It
> doesn't deprecate the use of SLAAC/DHCPv6 or the use of
> neighbor-to-neighbor routing in LAN networks.
>
> > On Oct 6, 2017, at 7:48 AM, Mudric, Dusan (Dusan) <dmudric@avaya.com> wrote:
> >
> > Hi Fred,
> >
> > Should it be mentioned that even though a ‘shared’ prefix with L=0 makes
> > hosts send packets over the first hop router, the unique prefix per host is
> > the preferred mechanism in the environments where security is of a concern?
> >
> > Thanks,
> > Dusan.
> >
> > From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Lorenzo Colitti
> > Sent: Wednesday, September 13, 2017 6:04 PM
> > To: Templin, Fred L
> > Cc: v6ops@ietf.org; internet-drafts@ietf.org
> > Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> >
> > I would instead say the opposite, i.e., call attention to what is in
> > fact one of the main benefits of this document. Suggested text:
> >
> > The practices described in this document make it very simple for
> > networks to implement robust isolation between clients at layer 2. The
> > network can simply ensure that devices cannot send packets to each other
> > except through the first-hop router. This will automatically provide robust
> > protection against attacks between devices that rely on link-local ICMPv6
> > packets, such as DAD reply spoofing, ND cache exhaustion, malicious
> > redirects, and rogue RAs. This form of protection is much more scalable and
> > robust than alternative mechanisms such as DAD proxying, forced forwarding,
> > or ND snooping.
> >
> >
> >
> > On Wed, Sep 13, 2017 at 2:12 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> > Please add the following to Security Considerations:
> >
> >   "While the practices described herein encourage L3 operations that would
> >     forward all traffic through a provider managed First Hop Router, peer to peer
> >     communications are still possible unless L2 mechanisms are also employed
> >     in some fashion outside the scope of this document."
> >
> > Thanks - Fred
> >
> > > -----Original Message-----
> > > From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
> > > Sent: Wednesday, September 13, 2017 7:04 AM
> > > To: i-d-announce@ietf.org
> > > Cc: v6ops@ietf.org
> > > Subject: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> > >
> > >
> > > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > > This draft is a work item of the IPv6 Operations WG of the IETF.
> > >
> > >         Title           : Unique IPv6 Prefix Per Host
> > >         Authors         : John Jason Brzozowski
> > >                           Gunter Van De Velde
> > >         Filename        : draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> > >         Pages           : 9
> > >         Date            : 2017-09-13
> > >
> > > Abstract:
> > >    This document outlines an approach utilising existing IPv6 protocols
> > >    to allow hosts to be assigned a unique IPv6 prefix (instead of a
> > >    unique IPv6 address from a shared IPv6 prefix).  Benefits of unique
> > >    IPv6 prefix over a unique service provider IPv6 address include
> > >    improved host isolation and enhanced subscriber management on shared
> > >    network segments.
> > >
> > >
> > > The IETF datatracker status page for this draft is:
> > > https://datatracker.ietf.org/doc/draft-ietf-v6ops-unique-ipv6-prefix-per-host/
> > >
> > > There are also htmlized versions available at:
> > > https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> > > https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> > >
> > > A diff from the previous version is available at:
> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of submission
> > > until the htmlized version and diff are available at tools.ietf.org.
> > >
> > > Internet-Drafts are also available by anonymous FTP at:
> > > ftp://ftp.ietf.org/internet-drafts/
> > >
> > > _______________________________________________
> > > v6ops mailing list
> > > v6ops@ietf.org
> > > https://www.ietf.org/mailman/listinfo/v6ops
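Added example, not written by any of the participants and not part of the draft: a small Python model of the host-side RFC 4861 next-hop decision for the three deployments the thread contrasts (a shared prefix with L=1, a shared prefix advertised with L=0 as in Dusan's question, and a unique /64 per host), counting which host-to-host flows would never pass the first-hop router. Host names and addresses are constructed.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_on_link(dst, prefix_list):
    """RFC 4861 section 5.2 next-hop determination, reduced to the inputs
    relevant here: a destination is on-link if it is link-local or covered
    by a Prefix Information Option whose L (on-link) flag was set.  Anything
    else is handed to the default router, even if the other host physically
    shares the link."""
    dst = ipaddress.IPv6Address(dst)
    if dst in LINK_LOCAL:
        return True
    return any(dst in ipaddress.IPv6Network(p) for p, l_flag in prefix_list if l_flag)


def router_bypass_pairs(hosts, prefix_list_for):
    """(sender, receiver) pairs whose traffic the sender would put directly on
    the link instead of via the first-hop router, i.e. flows the router cannot
    see or police.  hosts maps a name to its global address; prefix_list_for(name)
    is the prefix list that host built from the RAs it received."""
    return {(a, b) for a in hosts for b in hosts
            if a != b and is_on_link(hosts[b], prefix_list_for(a))}


# Constructed sample deployments: three hosts on one shared link.
SHARED_PREFIX = "2001:db8:1::/64"
SHARED_HOSTS = {"h1": "2001:db8:1::1", "h2": "2001:db8:1::2", "h3": "2001:db8:1::3"}
# Unique /64 per host; each host hears only its own RA (constructed).
UNIQUE_HOSTS = {"h1": "2001:db8:100::1", "h2": "2001:db8:101::1", "h3": "2001:db8:102::1"}


def shared_l1(_host):       # classic SLAAC: one shared prefix, L=1
    return [(SHARED_PREFIX, True)]


def shared_l0(_host):       # same shared prefix, advertised with L=0
    return [(SHARED_PREFIX, False)]


def unique_per_host(host):  # the draft's model: a host sees only its own /64
    own = ipaddress.IPv6Network(UNIQUE_HOSTS[host] + "/64", strict=False)
    return [(str(own), True)]


if __name__ == "__main__":
    for label, fn, hosts in (("shared L=1", shared_l1, SHARED_HOSTS),
                             ("shared L=0", shared_l0, SHARED_HOSTS),
                             ("unique /64", unique_per_host, UNIQUE_HOSTS)):
        print(f"{label}: {len(router_bypass_pairs(hosts, fn))} host pairs bypass the router")
```

Only the host's own forwarding choice is modelled: a host that ignores its prefix list can still frame a packet straight to a neighbour's MAC address, which is the L2 gap Fred Templin's proposed Security Considerations text points at.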