IETF Logo Mail Archive

Re: [v6ops] Default IPv6 Local Only Addressing for Non-Internet Devices (Fwd: New Version Notification for draft-smith-v6ops-local-only-addressing-00.txt)

Jen Linkova <furry13@gmail.com> Wed, 16 October 2019 23:14 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CF4E12093E for <v6ops@ietfa.amsl.com>; Wed, 16 Oct 2019 16:14:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nxd7ozP-v7HH for <v6ops@ietfa.amsl.com>; Wed, 16 Oct 2019 16:14:23 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F0B4120934 for <v6ops@ietf.org>; Wed, 16 Oct 2019 16:14:23 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id y189so150428qkc.3 for <v6ops@ietf.org>; Wed, 16 Oct 2019 16:14:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Z4Hr+vSjBLKXVUahopmcOgU2MstRQK24Neldx/s3ctE=; b=Kk+A0gF48CpadxlZZQ8Wf/srEAeBLuxLlCzLPp9IYnrx2l+DMwUeV79OYdESuqUS3X SW2SE0FpE6F1sKFCHxATHoF5h0n+f0WBS4lnelDBcR2MUpBSCiBlrS5uhv+4PJBN+RYO +WoplHmwaXIrNMgyKbGItxw3J1vquHKV3cqZjyhx7xbWWxPEqG4WPUnmdi6JOrDhBzqP +sqjl/wduja7t+08LIzAqG2AeiosyzlE5oRdtP7pX1qSFNEejmIZHTJM1/Y7c9lM/Ci/ Gwq0MlVUFq9pqrxEsjqeD1Qr5wtFrR1v1w4/00heTTROmMDRyxsM4a3Fx+3Gk+mDb1jw iodQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Z4Hr+vSjBLKXVUahopmcOgU2MstRQK24Neldx/s3ctE=; b=ElXIfN/l8gNrnkptP7D/ZWUeAtSNVUCl/tUUAB2cLqXuO7Yw3QUBKsSEY/qgLhSQQG t+4HRZ3PC0RUu44POQsw0gW/TfeGaXniGwPLpyxarHfD2ZUUtq0p6O7T8svmlSTpDDob CT7txxBK8pCu8XkKBqS3m13zmcRRuwTvusFEfw5aPkxHVlRFWrnNew97gtxloyWmqUwH GLpVy5A6t5piaN7Qf3oJ1o5NDbfcrSO//qTEOF5DJ3ZCZQmahJgYq7QmsUXQJ23INmL4 O28VQsToFP8HmRHcqoa58zfLAC2YP3Q2kx83zoiRlzT1QSOVAO4TbZMY1R//M5J3dLUz +pOQ==
X-Gm-Message-State: APjAAAV5uCETKHJJPAA9lQu7ychV5zLXT8Isap5ePcsZ5XKjbCGp1H2Y tGlg9gswSE7GR9DwgGJHWuypYb6KtOiItXpiHnI=
X-Google-Smtp-Source: APXvYqw1Y7Gk8RpuUh5FynqAzFBhcTNFDf4IUzre+gsMEtK9Rva/mzXeLWunS4pjWchui2HZ2WUdDeQrQDI6eDHCsuQ=
X-Received: by 2002:a37:a487:: with SMTP id n129mr445344qke.277.1571267661843; Wed, 16 Oct 2019 16:14:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BAQfXPzcpDVHu51JpjQUbB1aK+c3iCQEts=7PG842mryDg@mail.gmail.com> <D12E11D5-D4AA-4591-9ABA-9AEC124B6B89@isc.org>
In-Reply-To: <D12E11D5-D4AA-4591-9ABA-9AEC124B6B89@isc.org>
From: Jen Linkova <furry13@gmail.com>
Date: Thu, 17 Oct 2019 10:14:10 +1100
Message-ID: <CAFU7BAR03ZXqh8UeHp+bopwb+ouW=FC6aet0MkcrOag-iSpzjA@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Fred Baker <fredbaker.ietf@gmail.com>, v6ops list <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/JlxAJoVBizzcaRouz0BxoW3iy4g>
Subject: Re: [v6ops] Default IPv6 Local Only Addressing for Non-Internet Devices (Fwd: New Version Notification for draft-smith-v6ops-local-only-addressing-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 23:14:33 -0000

On Thu, Oct 17, 2019 at 2:12 AM Mark Andrews <marka@isc.org> wrote:
>
> Jena , how does the attacker route the traffic to the ULA address of the device?  GUA to ULA works within the site.

What is the 'site'?

>Getting it to work from outside the site is another matter.

Scenario 1: we have devices which are technically able to talk to each
other. You can either use this functionality or if you don't -
implement security policies to block such traffic.
Scenario 2: we start creating devices which looks like a normal
Ipv6-enabled ones but they can only work in a very limited set of
scenarios and if I want them to work in an arbitrary network, it would
be, as you've correctly noticed, 'another matter'. I see this as an
attempt of solving one particular and very specific use case on the
expense of everyone else.

If someone needs to prevent accidental access to subset of their
devices from the Internet w/o putting any effort into implementing
security policies why would not they just install devices w/o IPv6
support whatsoever? Use Ipv4 link-local addresses (or any other IPv4
addresses) and disable IPv4 NAT...
Could be a great selling point 'built-in protection from unauthorised
access: no IPv6 support'.

> First you have to find a border router with ULA filtering disabled.
>Home border routers have ULA filtering on by default if they want to be certified by cablelabs etc.

Let's keep in mind that there are other scenarios besides 'a home
router connected to an ISP network'.
Last time I had a Cisco router as my home DSL device it was definitely
able to route packets to/from ULAs.

> Printers could also default to only accepting connections from the containing /48 of advertised RA prefixes. This works fine for ULA and reasonably well for GUA in restricting traffic to “intra site”

This creates a serious artificial limitation by introducing an entity
called 'a site' on the host network stack level and enforcing very
specific IPv6 address plan.

> It would work better if ISPs would hand our /48s.
...and now it affects ISPs...

What I'm trying to say is that the use case for the proposed approach
is way to narrow to justify all consequences (and inconvenience
caused).

Like we haven't had enough issues with IPv6 support on
non-phones/laptops - let's make our life even more entertaining ;)
On the other hand indeed it could be a selling point for device
vendors: 'you can print on that printer from another office building'
and 'you can actually connect to our IoT sensors from your DC/Cloud,
not just from a workstation sitting next to it'.

> > On 16 Oct 2019, at 20:19, Jen Linkova <furry13@gmail.com> wrote:
> >
> > On Wed, Oct 16, 2019 at 4:54 PM Fred Baker <fredbaker.ietf@gmail.com> wrote:
> >>>> On Oct 15, 2019, at 1:11 AM, Jen Linkova <furry13@gmail.com> wrote:
> >>>
> >>> The draft says '...when it is clear to a device manufacturer that a
> >>> device should be isolated from the Internet by default..'
> >>> I'm not sure it's possible to know that.
> >>
> >> It *is* possible for the device to prevent its packets from going elsewhere,
> >
> > Sorry I should have clarified: I'm questioning the statement that it's
> > possible (or should be done) to know at the time of manufacturing that
> > this particular
> > device should be isolated from the Internet.
> > Let's say I'm buying a printer. Or an IoT device (a sensor). How can
> > the manufacturer know if I'm going to install it at my mom's home
> > network with just one subnet (the link-local address would be
> > sufficient), at my place (with subnets, so GUAs are needed or at least
> > ULAs - but I would mean I have to configure my routers) or at my
> > office (so GUA are required for the device to work)?
> >
> > Will I need to look for 'work with multiple network segments' sticker
> > on a box before I buy a device (and shall I test it in the lab because
> > vendors tend to be overly optimistic about their products feature
> > set)?
> >
> >> assuming routers and proxies behave according to the rules and people aren't translating. That is a defined function of ULAs and Link-Local addresses.
> >
> > Not sure about ULAs. The ULA has global scope. If a device has a
> > default gateway and ULAs only nothing would prevent it from sending
> > packets with ULA source to any destinations. The network is expected
> > to have a *policy* configured at its edge to block ULAs - so we are
> > back to 'it's a policy decision if this device should or should not
> > have  global connectivity'. Let the administrator decide.
> >
> > --
> > SY, Jen Linkova aka Furry
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
>


-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email