Re: [v6ops] Thoughts about wider operational input

[Mark Smith <markzzzsmith@gmail.com>]

On Sat, 2 Apr 2022, 08:38 Joe Maimon, <jmaimon@jmaimon.com> wrote:

>
>
> Simon wrote:
>
> > Identifying endpoints in a consistent fashion is trivially easy - you
> use its IP address*.
>
> Which you know because you have successful communications with it.
>
> What you dont know is what IP address YOU have from the point of view of
> the other endpoint. And the assumption that you do requires that the
> network not change it in any way.
>
> Which if you consider it carefully, there never was any such guarantee.
> It was just the path of least resistance.
>


That's not correct at all.

The IPv4 header checksum covers the SA and DA. They're not meant to be
changed in flight because they're protected by a checksum, used to detect
when they're changed, accidentally (which of course also means it can
detect them being changed intentionally too.)

IPv6 removed the header checksum for performance reasons, however still
preserved SA and DA protection in the transport layer pseudo-header
checksums.

Additionally, IPsec AH strongly protects the IPv4 and IPv6 SAs and DAs
against both accidental and malicious modification. IPsec originally was
mandatory for IPv6, indicating strong protection of SAs and DAs is
required. It was only loosened to suit low powered devices.



>
> >   It is only if the network starts mangling the address that it becomes
> non-trivial. “The internet” has never been "free to translate packets
> addressing between them for whatever reasons they want” for the simple
> reason that doing so breaks stuff.
>
> But you are free to break stuff. So the network was always free to do so
> and building on the assumption that it never would turns out have been
> not the flawless design otherwise thought.
>

No it was not. Read RFC2993. If there were not architectural or other
implications of NAT we wouldn't have many RFCs identifying the issues with
NAT, protocols to work around their implications (STUN and TURN), nor a
statement from the IAB about not having NAT in IPv6 - see RFC5902.


> > As far as I can see, you're taking a starting point that it’s OK for
> “the network” to mangle packets (specifically addresses), and then using
> that to justify everything else. You’ve cited an RFC to support your
> viewpoint, but my reading of that RFC says “don’t mangle packets because it
> breaks things”.
>
> Did the network every come with an explicit guarantee that the source
> address of a packet would not get changed once it left the host?
>
> Or was that just an implicit assumption? Citation please.
>

RFC791.

RFC8200.

RFC2993.

RFC5902.

And from a network operator's perspective,

"The Trouble with NAT"
https://blog.apnic.net/2016/10/26/trouble-nat-part-2/

>
> >
> > * Yes, the IP address you use needs to remain stable for the duration of
> the session.
> >
> >
> > So, serious question. How do you read the RFC you cited and come to the
> conclusion that “the internet” has always been free to mangle addresses in
> any way it likes” ?
> >
> > Simon
> >
> >
>
> I read the RFC and I see that it says if you are going to use endpoints
> identifiers you need to ensure they are consistent. And if they belong
> to other protocol layers and traverse a network you do not control, more
> than an assumption is required for that sort of reliable behavior.
>
> Joe
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>