IETF Logo Mail Archive

Re: [v6ops] Implementation Status of PREF64

Owen DeLong <owen@delong.com> Tue, 28 September 2021 18:14 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABDCF3A0877; Tue, 28 Sep 2021 11:14:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DtyIcHEqHRWj; Tue, 28 Sep 2021 11:14:34 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8D73A0874; Tue, 28 Sep 2021 11:14:26 -0700 (PDT)
Received: from smtpclient.apple ([IPv6:2620:0:930:0:7dcf:b62:e611:87db]) (authenticated bits=0) by owen.delong.com (8.16.1/8.15.2) with ESMTPSA id 18SIEODl1643872 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Sep 2021 11:14:25 -0700
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com 18SIEODl1643872
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1632852865; bh=TxGk9fVf4DSYEtpwHpIID1GkpltldiS2HbETQyzQXlU=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=bhiJqTGSuCsOojEbWDgHBOKOhxPkp1usF5nUmATWIGhtCvtGjTbH6L/tUj+ZZcC5Q SQPc6fsBXYoxDBafwgCbRXeFVxDBjrtNChjfVC/KhqXpinEcDwp5jPXwRipDsVKyuU cVaRkNvSLlYJY4V8r9rxoIYQEctVnJmwM3zmdQrU=
From: Owen DeLong <owen@delong.com>
Message-Id: <F9E669E9-04E4-4153-812B-04B63F492878@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_53ED5374-8D7C-4978-9502-B75859CAFC0B"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 28 Sep 2021 11:14:24 -0700
In-Reply-To: <EFC78F4B-873B-42EE-8DC5-04C29758B0D0@consulintel.es>
Cc: V6 Ops List <v6ops@ietf.org>
To: JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org>
References: <CAN-Dau2in52xSUkqKEXu=2AAiR4O_jLhna7hY-hshYDORfGtcQ@mail.gmail.com> <CAMGpriWFp4JPtqDK5tEj1RkS-SzEfvscfUUnxgK+o6qP2pusRA@mail.gmail.com> <6E95834D-12B3-447B-8326-8EDE9DC6FFB1@delong.com> <CAO42Z2zA-4cK489nxKsWUN8vvU0eAiz-jS0e-_eWPg+OmP8wLw@mail.gmail.com> <DDA36020-90CC-471B-83AD-3D98950F1164@delong.com> <CAO42Z2wdoSdJDOB2Zo0=ZK0ecOARRsdg2nbHZGSDOhryPbLfDw@mail.gmail.com> <F2BD0A42-E9AD-45DD-999A-638E73BE1177@delong.com> <CAKD1Yr2K3Gd3JD=NJFOoH6GYgs-8ACxRQB9-sKJ7cbF4_hxsow@mail.gmail.com> <0B533C71-5DB0-410D-A5A3-7E8FD559F214@delong.com> <CAKD1Yr3NoYfNT7+OVJoCCdgdif6AHHw29tNCPttS=-NuRZKv3w@mail.gmail.com> <DM6PR02MB692426B0EEDDC2C4D78D8EC0C3A89@DM6PR02MB6924.namprd02.prod.outlook.com> <EFC78F4B-873B-42EE-8DC5-04C29758B0D0@consulintel.es>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.4 (owen.delong.com [IPv6:2620:0:930:0:0:0:200:2]); Tue, 28 Sep 2021 11:14:25 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/IqsjtKC6m6nM8_zFhYtfmVj5Hgw>
Subject: Re: [v6ops] Implementation Status of PREF64
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2021 18:14:40 -0000

> There are ways to use SLAAC (I don’t recommend using DHCPv6 because the lack of Android and derivatives support), and ensure proper security, such as 802.1x.

Funny… I don’t recommend Android for exactly that reason. lol

> In fact, depending on IP (v4 or v6) addresses for providing security I believe is wrong and prone to be faked by attackers.

It’s not about using the address for security, it’s about securing the address for auditing.

Owen

>  
> Regards,
> Jordi
> 
> @jordipalet
> 
>  
> 
>  
>  
> El 28/9/21 18:02, "v6ops en nombre de STARK, BARBARA H" <v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org> en nombre de bs7652@att.com <mailto:bs7652@att.com>> escribió:
>  
> Just to provide a few more facts inline with <bhs>...
> Barbara
>  
> From: v6ops <v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org>> On Behalf Of Lorenzo Colitti
> Sent: Tuesday, September 28, 2021 12:21 AM
> To: Owen DeLong <owen=40delong.com@dmarc.ietf.org <mailto:owen=40delong.com@dmarc.ietf.org>>
> Cc: V6 Ops List <v6ops@ietf.org <mailto:v6ops@ietf.org>>; Jen Linkova <furry@google.com <mailto:furry@google.com>>
> Subject: Re: [v6ops] Implementation Status of PREF64
>  
> On Tue, Sep 28, 2021 at 1:54 PM Owen DeLong <owen=40delong.com@dmarc.ietf.org <mailto:40delong.com@dmarc.ietf.org>> wrote:
>> No… That’s not what it amounts to.
>>  
>> It amounts to a machine can only use the network _IF_ it completes 802.1x Authentication _AND_ the IP address(es) it is using match the DHCP server’s expectation of the address it issued to the MAC address in question.
>  
> Why would you want to do this? IPv6 addresses are plentiful and ephemeral. What does it matter to some server on the Internet (or, in general, off-link) if a given host uses 2001:db8:1:2:3::f00 or 2001:db8:1:2:3::b00 or both? Why take the privacy implications of using a fixed IID (because DHCPv6 can't seamlessly change IIDs) to talk to all off-link destinations all the time?
>  
> <bhs> Just as a note, MAC address or DUID are not the only “identities” that can be used with 802.1x. Some managed or factory-configured devices are given a specific identity and credentials to prove the identity for use with 802.1x. A very common “telco wireline” network architecture is for the CE router to do 802.1x authentication which then lets the RADIUS server tell the DHCP server configuration info specific to that device – such as the stable (effectively static) IPv4/v6 addresses and IPv6 prefix to assign to that device. 3GPP networks don’t need 802.1x because they have IMEI/IMSI. Fixed wireless broadband services use 3GPP-defined networks to supply broadband access and have been very limited from an IPv6-prefix-assignment perspective by the lack of prefix assignment other than PREF64 in 3GPP network equipment. Naturally, it’s impossible to deploy DHCPv6 if the vendor whose equipment is used doesn’t support DHCPv6. I’ve seen some people suggest that operators should completely replace their entire networks to use a vendor that does support DHCPv6 – which is a very humorous and unrealistic suggestion. PREF64 is all those fixed wireless subscribers get. Many large enterprises use RADIUS with DHCP in a manner similar to wireline networks. I’m not aware of widely-deployed equipment that supports good RADIUS/RA integration for similar device configuration via RA.
>  
>>> This is better than the DHCP version above because it allows the client to use multiple IP addresses and does not need to be re-done when the IP address changes.
>> Sometimes the network administrator doesn’t want the host using multiple IP addresses for a variety of reasons.
>  
> Ok, but that's also harmful for a variety of reasons, and for general purpose devices, it's not recommended by the IETF. That's exactly what RFC 7934 is about - explaining why it's harmful.
>  
> <bhs> Enterprise networks are not general-purpose networks. They do not want devices (which may in other contexts be used as “general-purpose” devices) to behave like general-purpose devices. They want to control and restrict what those devices do. And until the equipment available to enterprises allows them assert this level of control, IETF can create Best Practices and fume about lack of enterprise IPv6 deployment until it’s blue in the face. It’s not “harmful” for enterprise operators to restrict what devices can do inside their enterprise network. It’s a good and necessary security practice.
>  
>> I repeat… Your anti-DHCP religion is NOT HELPING.
>  
> Not helping with what? The transition to IPv6? But if so - why bother using IPv6 if it's just just 128-bit IPv4, with one address per host, no dynamic address changes (because DHCPv6 can't really support that) and NAT (because if you can't tell the host that its network configuration has changed, you need to ensure that the configuration *doesn't* change)? Why use IPv6 to do that, which requires hosts to implement all the associated complexities such as NAT traversal, NAT keepalives, etc.? That model works perfectly well today using IPv4, and I'm pretty sure that OS support for IPv4 isn't going anywhere any time soon.
>  
> <bhs> I mostly agree. Unfortunately, some governments are putting pressure on enterprises and government networks (which are just a type of enterprise network) to support IPv6. This is largely due to messaging coming from the IETF. Maybe IETF should produce a Best Practice recommendation that enterprise and government networks not support IPv6 until all tools they need to properly secure an IPv6-enabled network are widely available as software updates to legacy equipment. 
> Barbara
> _______________________________________________ v6ops mailing list v6ops@ietf.org <mailto:v6ops@ietf.org> https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com <http://www.theipv6company.com/>
> The IPv6 Company
> 
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org <mailto:v6ops@ietf.org>
> https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>

v2.23.0 | Report a Bug | By Email