IETF Logo Mail Archive

Re: [v6ops] Fwd: New Version Notification for draft-hilliard-v6ops-host-addr-update-00.txt

Scott Morizot <tmorizot@gmail.com> Tue, 18 July 2017 17:38 UTC

Return-Path: <tmorizot@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFDD5131B57 for <v6ops@ietfa.amsl.com>; Tue, 18 Jul 2017 10:38:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0-s4mUJ9fLA for <v6ops@ietfa.amsl.com>; Tue, 18 Jul 2017 10:38:10 -0700 (PDT)
Received: from mail-ua0-x22b.google.com (mail-ua0-x22b.google.com [IPv6:2607:f8b0:400c:c08::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B0012EC3A for <v6ops@ietf.org>; Tue, 18 Jul 2017 10:38:10 -0700 (PDT)
Received: by mail-ua0-x22b.google.com with SMTP id 35so32215390uax.3 for <v6ops@ietf.org>; Tue, 18 Jul 2017 10:38:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lCa/pb1Of8m9/s2C5hXGOsPfyjES073MCml3qVAJ6nU=; b=MoMMT/QSMQZtKHUHew9bMqIgCLt0x3uN4j28Y2FWvwbwRnTHxzFuAXuIRp2ZCau0Ze nQ5M6WSUuhdo47bFjYWO/YLJWRy65RHArnSMIGiTvbUMtHJ68801Q/NlRbA2rEzFvjRT GHJqhEwG7qfVgUrpIxu03kh6FOWIS8QChwjJI3JRIlWV+f92LRj+y+6EPIYCH0Y5Wx2K p+f6gNYlmCsPg4WbIVjsDmCJX8+2dJxHzs872XchNIkw9dYhC84BRgHnQg6AR5EfOuFB rJKsqSWRYdq/c+dNhuGcU0PoVg9xc1T5K9i9KNnw1tRldcHK/sGm9Z0XfEomd4/tnG6n jT/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lCa/pb1Of8m9/s2C5hXGOsPfyjES073MCml3qVAJ6nU=; b=PNaAVO2f3OmuWTGhaHmUJ9Gc4KCswgV9C10HCIRm6mzgPYpecVvOJBvWTpChNAOIHr Q4pLiyzgUwBkKmxrHkRv3A08C8t7Uv8LL4RUBjVnNEB6B25xJ6/x29MKPpdUX9TA03AN SfXsJO29QHRHlxJ1mtWjS+YuCoAbkCLFgWEMfp8Zz68rMHb/dUX5wmUWN/NW1LWMzpmP 3SgN10NXvPDHL4DsYshSBZNEyQ2iMEFbbff+/NoyRf7CdmucqKGhrGzWhCUEnR/YBEjE MZQtAMrH++zmft4EWlUYpu74+AXoBHwdm+t8ITp1jy9J8KhCDyGIuVP86LK98CNa21EJ X17g==
X-Gm-Message-State: AIVw111S5DW24ce0+CBspdFe6OLsyzcacW/GfKp3OT8NlilB8jod06Na N1CuMmluWIXFNXuvcklkXiQxeM+Psw==
X-Received: by 10.31.70.6 with SMTP id t6mr1331229vka.21.1500399489372; Tue, 18 Jul 2017 10:38:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.164.72 with HTTP; Tue, 18 Jul 2017 10:38:08 -0700 (PDT)
In-Reply-To: <CAO42Z2wFSXWru_Tgwpuf2xgOCr2iX0BwrTHvnS2TcR6EQBi1Fw@mail.gmail.com>
References: <596CF817.8040900@foobar.org> <CAO42Z2wFSXWru_Tgwpuf2xgOCr2iX0BwrTHvnS2TcR6EQBi1Fw@mail.gmail.com>
From: Scott Morizot <tmorizot@gmail.com>
Date: Tue, 18 Jul 2017 12:38:08 -0500
Message-ID: <CAFy81rmZefKx6jTsS+8J9fJANXwm1cOKdE6L17Yu4xri4xgY7g@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Nick Hilliard <nick@foobar.org>, IPv6 Operations <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="001a11484e3895d74405549afa98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Iuw790Xh23tSG1v9YCrizJHT7k8>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-hilliard-v6ops-host-addr-update-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 17:38:13 -0000

Perhaps the actual problem is a limited active participation in the IETF
process by certain groups, such as the large enterprise networks (outside
enterprise networks of large technology companies) sphere? That has always
been my day to day environment and focus whether as an application
developer, network engineer, or from any of the other hats that are dropped
in my lap, including interacting with groups of organizations outside my
own. I confess I read mailing list discussions intermittently and actively
say anything much less frequently than I read. But comments like the below
leave me bemused.

Those sorts of networks are highly constrained. Hosts and developers have
to coordinate even to be allowed on the network. Things that are purchased
and deployed generally have to meet our requirements and lots of things are
eliminated from consideration because they don't. If something has special
requirements, there's a lengthy process designing, testing, and documenting
the changes in the security boundary. Innovation is certainly restricted
and coordinated, even with in house developed applications.

There are lots of processes and tools integrated with DHCP assignment
information. But that's hardly the only data collected, the only layer of
protection, or the only avenue pursued when doing forensic analysis of an
attack. Connection security in one form or another is used. ARP/Neighbor
table information (as well as configuration in general) is collected and
tracked. Log data at every level is collected. There's IDS/IPS and packet
collectors at different key points. There are firewalls at all sorts of
different points from the host up. But no large enterprise is merely
looking for purely malicious traffic. They are also auditing and analyzing
all activity by authorized users. It's a highly inspected, highly
constrained networking environment and always will be.

A lot of those automated processes are tied into DHCP data. It's not that
that's the only source of forensic data, the sole audit point, or the
single point of protection. But a lot of automated tools/processes are
built around that data and that is not going to change quickly. Perhaps
when IPv4 is removed from much of the enterprise, it can be considered,
though there would have to be a compelling reason for enterprises to make
such a change. No such compelling reason currently exists. It will not
happen before then except in very special circumstances on different
networks from most hosts, not on general purpose data networks.

Host developers who want to sell to such enterprises will support DHCPv6
IA_NA address assignment on networks that provide no other alternative.
They already do for the most part because those networks exist today. And
they will continue to exist for a good number of years to come, whatever
the IETF decides to recommend or not recommend. If a host/node developer
has a special use case (as a limited IOT device such as door key card
access devices and alarm sensors very well might) and a large enterprise of
the sort I've described has a need for it, that might be engineered in a
special network of its own. So it's not an absolute that any given
host/node that wants to sell to large enterprises of the sort I've noted
above has to support DHCPv6 IA_NA address assignment. But as a general rule
of thumb? That should probably be the default expectation. It should be
considered, at least.

So I support the idea behind the changes to RFC 7934 proposed in the draft,
however they might be wordsmithed, as it more accurately reflects reality.
The current description may reflect a "best common practice" for general
use data on some networks and in some environments. It is not even vaguely
the common practice elsewhere. And it's unlikely to be anytime soon. If the
purpose of the document is to express what the IETF wished were the common
practice on most networks, that's fine. If its purpose is to express the
actual common practice, the current document falls short.

I have a hard time feeling too strongly about it, though. Host/node
developers often do want to sell to large enterprises, and as such they
typically will meet their specified requirements. I don't expect that to
change whatever the IETF chooses to publish. That's one situation in which
money does usually talk.

Scott

On Mon, Jul 17, 2017 at 7:59 PM, Mark Smith <markzzzsmith@gmail.com> wrote:

> Fundamentally, we don't want hosts and application developers to have
> to ask for permission from the network to innovate, nor have the
> network impose artificial constraints on innovation. Artificial
> address scarcity is following the traditional telephone network
> scarcity model. (See David Isenberg's "Rise of the Stupid Network")
>
>

v2.23.0 | Report a Bug | By Email