IETF Logo Mail Archive

Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt

Martin Huněk <martin.hunek@tul.cz> Wed, 21 December 2022 16:13 UTC

Return-Path: <martin.hunek@tul.cz>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9CE9C14F720 for <v6ops@ietfa.amsl.com>; Wed, 21 Dec 2022 08:13:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tul.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSdPqPV_6GbE for <v6ops@ietfa.amsl.com>; Wed, 21 Dec 2022 08:13:12 -0800 (PST)
Received: from bubo.tul.cz (bubo.tul.cz [IPv6:2001:718:1c01:16::aa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10DB2C14F6E7 for <v6ops@ietf.org>; Wed, 21 Dec 2022 08:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at tul.cz
Received: from [IPV6:2001:718:1c01:72:2e27:d7ff:fe2e:c477] (unknown [IPv6:2001:718:1c01:72:2e27:d7ff:fe2e:c477]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bubo.tul.cz (Postfix) with ESMTPSA id 462021804CCC2; Wed, 21 Dec 2022 17:13:06 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 bubo.tul.cz 462021804CCC2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tul.cz; s=tul2021; t=1671639186; bh=AwgEVfp5CVUI/XQEri1p61ysEMXTpcMVxB+n6dLGpXA=; h=Date:Subject:To:References:From:In-Reply-To:From; b=XLJaEw7DE2P/PEoHjg9yedWVCTvYBqsLaVaj08aWwTMeRMVFUuld3NexJE54DBGaV LrEHmrwdpjSXZuJrPJb+hGz4c0mRlygosZUf+DCWLZqg4P0R54HEhl5oev18jGV5f5 WhlHMGC/HdJ6r4d/h3sCjjfG45stp5h8RPemEeRwiZaYE+CtIeggCp7rag06nNaZ1Q 0tk9PRh3lZeocAJXdyn0NqWDQ4l2fvB3KD8K3EHV5IHpMCUqhjBGL4SnO3f36N1JCI aT0g95M1oPWYKlMZkvMZui5vGSwqKpAy/Lj9xbFeGJCLejMAll5iDOpuipeztvCxGV OL9cC4akL3QRg==
Message-ID: <ac2b11e3-1860-abf9-1f7f-f2f0cae22db3@tul.cz>
Date: Wed, 21 Dec 2022 17:13:05 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: cs-CZ, en-US
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, v6ops@ietf.org
References: <167107554671.48477.568330207202509840@ietfa.amsl.com> <2859685.e9J7NaK4W3@asclepius.adm.tul.cz> <3cac1c98-8cdb-8b5b-4d03-7b03c24f8124@gmail.com> <2148317.C4sosBPzcN@asclepius.adm.tul.cz> <b0799fdf-49af-d5ac-803f-2a838c1537fb@gmail.com>
From: Martin Huněk <martin.hunek@tul.cz>
In-Reply-To: <b0799fdf-49af-d5ac-803f-2a838c1537fb@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070701020703000806040403"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ARPlHTB7PPRxlUc74zXi7Vs98DQ>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2022 16:13:18 -0000

On 21. 12. 22 5:02, Brian E Carpenter wrote:
> On 21-Dec-22 13:19, Martin Huněk wrote:
>> Hi Brian,
>>
>> Dne pondělí 19. prosince 2022 21:59:12 CET, Brian E Carpenter napsal(a):
>>> On 19-Dec-22 23:30, Martin Huněk wrote:
>>>
>>>> Furthermore, this address has to be predictable for an ISP/netadmin, so it is possible to make an AAAA record for it
>>>
>>> Er, no, the creation of such an AAAA record should be automated (subject to some kind of authorization).
>>
>> I would certainly not want arbitrary (BYOD) connected devices to be allowed to manipulate DNS records in my domain by the DDNS. There are security reasons for that. If I know the DUID of the device providing some service to the Internet users and the IID where the device listens is known, I can make static prefix delegation, and then I can make an AAAA record for it. Without it, I can run only IPv4 services there.
> 
> Completely understood. But the bad old days of using the MAC address to create the IID are gone, and numbering hosts from 1 upwards would be extremely helpful for some kinds of attack.

Again, I do not suggest that it should, by default, number hosts/services from 1 upwards. I'm saying that when (and only when) the device is providing service to the Internet, the IID on which the service is listening should be predictable. However, even if it would be ::1, an attacker would still need to guess the prefix part which is still a lot for /96. Walking the DNS zone would be easier.

The draft lists as one of its benefits: "DHCP-PD logs and first-hop routers routing tables provide complete information on IPv6 to MAC mapping", but for the use case when the device is providing a service, and there is a need for AAAA record, it is not better than SLAAC right now.

Martin
> 
>> Is there some existing solution for it other than that? Open, not vendor specific.
> 
> I doubt it, this is too new, but I'm no expert. It would be a use case for the ANIMA autonomic work.
> 
>      Brian
> 
>>>
>>> An IID cannot be zero, since that value is reserved (https://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xhtml). There are reasonable arguments why it should be pseudo-random, even for a server.
>>
>> Sorry, I've missed that zero is not allowed.
>>
>> Anyway, network administrator predictable IID would be a huge help in providing IPv6 services from it (without resolving it by static configuration). I see no such arguments if the prefix doesn't leave a single device and when this predictable IID is used only when it is configured with a service that needs to be reachable from outside.
>>
>> By the way, in this case, the admin predictable IID source is even the DUID, and that is not predictable for the rest of the Internet.
>>>
>>>      Brian
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>

v2.23.0 | Report a Bug | By Email