IETF Logo Mail Archive

Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios

Lee Howard <lee@asgard.org> Sat, 23 February 2019 14:34 UTC

Return-Path: <lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CFB312426A for <v6ops@ietfa.amsl.com>; Sat, 23 Feb 2019 06:34:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSEF1Tq2mkL3 for <v6ops@ietfa.amsl.com>; Sat, 23 Feb 2019 06:34:20 -0800 (PST)
Received: from atl4mhob23.registeredsite.com (atl4mhob23.registeredsite.com [209.17.115.117]) by ietfa.amsl.com (Postfix) with ESMTP id 202081200D7 for <v6ops@ietf.org>; Sat, 23 Feb 2019 06:34:20 -0800 (PST)
Received: from mailpod.hostingplatform.com (atl4qobmail02pod6.registeredsite.com [10.30.71.210]) by atl4mhob23.registeredsite.com (8.14.4/8.14.4) with ESMTP id x1NEYHbo060046 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <v6ops@ietf.org>; Sat, 23 Feb 2019 09:34:17 -0500
Received: (qmail 1746 invoked by uid 0); 23 Feb 2019 14:34:17 -0000
X-TCPREMOTEIP: 108.48.167.207
X-Authenticated-UID: lee@asgard.org
Received: from unknown (HELO ?192.168.1.163?) (lee@asgard.org@108.48.167.207) by 0 with ESMTPA; 23 Feb 2019 14:34:17 -0000
In-Reply-To: <b97248ec-9ffe-d0dd-e58d-12dff79bdec3@gont.com.ar>
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <c86c9322-743c-477b-ad8a-373ce47ace6e@si6networks.com> <2EEFFB58-C665-48BF-B09E-5AF5A7CA91E6@conjury.org> <b97248ec-9ffe-d0dd-e58d-12dff79bdec3@gont.com.ar>
X-Referenced-Uid: 6266
Thread-Topic: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
X-Blue-Identity: !l=133&o=96583&fo=98109&pl=23&po=0&qs=PREFIX&f=HTML&n=Lee%20Howard&e=lee%40asgard.org&m=!%3ANDFkNDZjODMtNDhmZi00ZGM0LTljODUtMTdlMzQ0MjFmOTdk%3ASU5CT1g%3D%3ANjI2Ng%3D%3D%3AANSWERED&p=0&q=SHOW
X-Is-Generated-Message-Id: true
User-Agent: Android
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
From: Lee Howard <lee@asgard.org>
Date: Sat, 23 Feb 2019 09:34:16 -0500
To: Fernando Gont <fernando@gont.com.ar>
CC: j h woodyatt <jhw@conjury.org>, "6man@ietf.org" <6man@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Message-ID: <43a72334-9b20-4d6d-be6e-a3872147c8b8@asgard.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/IN05NxeVhcNDk4QziH1a2OC4PFI>
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Feb 2019 14:34:22 -0000


⁣Sent from BlueMail ​

On Feb 20, 2019, 9:42 PM, at 9:42 PM, Fernando Gont <fernando@gont.com.ar> wrote:
>On 20/2/19 23:28, j h woodyatt wrote:
>> On Feb 20, 2019, at 17:13, Fernando Gont <fgont@si6networks.com
>> <mailto:fgont@si6networks.com>> wrote:
>>>
>>> Given that RFC6092 recommends "only allow outgoing connections”...
>> 
>> I certainly don’t remember writing that, and I just double-checked
>the
>> text, and I’m pretty sure that recommendation is not in RFC 6092. 
>
>I quickly grep'ed RFC6092. Found this:
>
>   If an inbound SYN packet is filtered, either because a corresponding
>   state record does not exist or because of the filter's normal
>   behavior, a filter has two basic choices: to discard the packet
>   silently, or to signal an error to the sender.  Signaling an error
>   through ICMPv6 messages allows the sender to detect that the SYN did
>   not reach the intended destination.  Discarding the packet, on the
>   other hand, allows applications to perform simultaneous-open more
>   reliably.  A more detailed discussion of this issue can be found in
>   [RFC5382], but the basic outcome of it is that filters need to wait
>   on signaling errors until simultaneous-open will not be impaired.
>
>   REC-34: By DEFAULT, a gateway MUST respond with an ICMPv6
>   "Destination Unreachable" error code 1 (Communication with
>   destination administratively prohibited) to any unsolicited inbound
>   SYN packet after waiting at least 6 seconds without first forwarding
>   the associated outbound SYN or SYN/ACK from the interior peer.
>
>FWIW, I do agree with the advice.
>
>
>
>
>> As far as I know, IETF has not yet actually written a Standards Track
>> RFC that says Internet gateways SHOULD (note well: requirements
>> language) block inbound flows to passive listeners. I’d be interested
>to
>> know if I’ve missed that news. In any case, my recollection is that
>it
>> wasn’t the case when RFC 6092 was published.
>> 
>> Shorter james: don’t blame me for this. I didn’t do it.
>
>Actually, I'm in favor of such advice ;-)  I do think that CPEs should
>support UPnP for IPv6, such that apps can punch holes in the fw, as
>they
>do for the IPv4 case.
>
>
>-- 
>Fernando Gont
>e-mail: fernando@gont.com.ar || fgont@si6networks.com
>PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>_______________________________________________
>v6ops mailing list
>v6ops@ietf.org
>https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email