Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 09 October 2017 14:34 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D97B133347; Mon, 9 Oct 2017 07:34:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mW2uQhSGLRH6; Mon, 9 Oct 2017 07:34:22 -0700 (PDT)
Received: from phx-mbsout-01.mbs.boeing.net (phx-mbsout-01.mbs.boeing.net [130.76.184.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D763213300C; Mon, 9 Oct 2017 07:34:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id v99EYMgc037826; Mon, 9 Oct 2017 07:34:22 -0700
Received: from XCH15-06-09.nw.nos.boeing.com (xch15-06-09.nw.nos.boeing.com [137.136.239.172]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id v99EYBK4037662 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Mon, 9 Oct 2017 07:34:11 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-09.nw.nos.boeing.com (2002:8988:efac::8988:efac) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 9 Oct 2017 07:34:11 -0700
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1320.000; Mon, 9 Oct 2017 07:34:11 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Fred Baker <fredbaker.ietf@gmail.com>, "Mudric, Dusan (Dusan)" <dmudric@avaya.com>
CC: Lorenzo Colitti <lorenzo@google.com>, "v6ops@ietf.org" <v6ops@ietf.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Thread-Topic: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
Thread-Index: AQHTLJkv/GFPUda+3EaDW5zERE6omaKzTQFQgChbmAGAABUNgA==
Date: Mon, 09 Oct 2017 14:34:11 +0000
Message-ID: <2349a9b3358541929da084da6232848d@XCH15-06-08.nw.nos.boeing.com>
References: <150531144008.30405.8720524557391780522@ietfa.amsl.com> <466db83261804d179fc991f43df5dcf9@XCH15-06-08.nw.nos.boeing.com> <CAKD1Yr00obLxByQEgQkXKnD=W+Kvd0XKtYAdF=Na-dLfo1MHQA@mail.gmail.com> <9142206A0C5BF24CB22755C8EC422E4585AD4EAA@AZ-US1EXMB03.global.avaya.com> <53DBD9FB-CCAE-41EB-9E3D-B04538559A2C@gmail.com>
In-Reply-To: <53DBD9FB-CCAE-41EB-9E3D-B04538559A2C@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/KJEQlRascQKQ1FL1wB7r8bqLbJg>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2017 14:34:26 -0000

Fred,

> -----Original Message-----
> From: Fred Baker [mailto:fredbaker.ietf@gmail.com]
> Sent: Monday, October 09, 2017 6:17 AM
> To: Mudric, Dusan (Dusan) <dmudric@avaya.com>
> Cc: Lorenzo Colitti <lorenzo@google.com>; Templin, Fred L <Fred.L.Templin@boeing.com>; v6ops@ietf.org; internet-drafts@ietf.org
> Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> 
> Unless someone wants to tell me I'm wrong, I don't think that consensus exists. What the document says is that when someone is
> running a service such as described, traffic from the CPE router to which a prefix has been delegated should invariably travel through

'draft-ietf-v6ops-unique-ipv6-prefix-per-host' is not about prefix delegation.
'draft-templin-v6ops-pdhost' is about prefix delegation.

Thanks - Fred

> the upstream router as opposed to directly to a router that might appear to be an immediate neighbor. It doesn't deprecate the use
> of SLAAC/DHCPv6 or the use of neighbor-to-neighbor routing in LAN networks.
> 
> > On Oct 6, 2017, at 7:48 AM, Mudric, Dusan (Dusan) <dmudric@avaya.com> wrote:
> >
> > Hi Fred,
> >
> > Should it be mentioned that even though a ‘shared’ prefix with L=0 makes hosts send packets over the first hop router, the unique
> prefix per host is preferred mechanism in the environments where security is of a concern?
> >
> > Thanks,
> > Dusan.
> >
> > From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Lorenzo Colitti
> > Sent: Wednesday, September 13, 2017 6:04 PM
> > To: Templin, Fred L
> > Cc: v6ops@ietf.org; internet-drafts@ietf.org
> > Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> >
> > I would instead say the opposite, i.e., call attention to what is in fact one of the main benefits of this document. Suggested text:
> >
> > The practices described in this document make it very simple for networks to implement robust isolation between clients at layer 2.
> The network can simply ensure that devices cannot send packets to each other except through the first-hop router. This will
> automatically provide robust protection against attacks between devices that rely on link-local ICMPv6 packets, such as DAD reply
> spoofing, ND cache exhaustion, malicious redirects, and rogue RAs. This form of protection is much more scalable and robust than
> alternative mechanisms such as DAD proxying, forced forwarding, or ND snooping.
> >
> >
> >
> > On Wed, Sep 13, 2017 at 2:12 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> > Please add the following to Security Considerations:
> >
> >   "While the practices described herein encourage L3 operations that would
> >     forward all traffic through a provider managed First Hop Router, peer to peer
> >     communications are still possible unless L2 mechanisms are also employed
> >     in some fashion outside the scope of this document."
> >
> > Thanks - Fred
> >
> > > -----Original Message-----
> > > From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
> > > Sent: Wednesday, September 13, 2017 7:04 AM
> > > To: i-d-announce@ietf.org
> > > Cc: v6ops@ietf.org
> > > Subject: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> > >
> > >
> > > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > > This draft is a work item of the IPv6 Operations WG of the IETF.
> > >
> > >         Title           : Unique IPv6 Prefix Per Host
> > >         Authors         : John Jason Brzozowski
> > >                           Gunter Van De Velde
> > >       Filename        : draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
> > >       Pages           : 9
> > >       Date            : 2017-09-13
> > >
> > > Abstract:
> > >    This document outlines an approach utilising existing IPv6 protocols
> > >    to allow hosts to be assigned a unique IPv6 prefix (instead of a
> > >    unique IPv6 address from a shared IPv6 prefix).  Benefits of unique
> > >    IPv6 prefix over a unique service provider IPv6 address include
> > >    improved host isolation and enhanced subscriber management on shared
> > >    network segments.
> > >
> > >
> > > The IETF datatracker status page for this draft is:
> > > https://datatracker.ietf.org/doc/draft-ietf-v6ops-unique-ipv6-prefix-per-host/
> > >
> > > There are also htmlized versions available at:
> > > https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> > > https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> > >
> > > A diff from the previous version is available at:
> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of submission
> > > until the htmlized version and diff are available at tools.ietf.org.
> > >
> > > Internet-Drafts are also available by anonymous FTP at:
> > > ftp://ftp.ietf.org/internet-drafts/
> > >
> > > _______________________________________________
> > > v6ops mailing list
> > > v6ops@ietf.org
> > > https://www.ietf.org/mailman/listinfo/v6ops
> >
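Added example, not part of this thread or of either draft: the on-link (L) flag of the Router Advertisement Prefix Information Option, which the messages above discuss, decides whether a host sends to a same-link peer directly or hands the packet to the first-hop router. The code encodes and parses a PIO as defined in RFC 4861 section 4.6.2 and applies the RFC 4861 section 5.2 next-hop rule to three deployments: a shared /64 with L=1, a shared /64 with L=0, and a unique /64 per host. All prefixes are constructed RFC 3849 documentation values, the router link-local fe80::1 is an assumption, and Redirect-learned Destination Cache entries are left out. It models only what a conforming host stack does at layer 3; it says nothing about what a host that ignores the RA can still do at layer 2, which is the separate point raised in the thread.

```python
"""Added example (not from the thread or the drafts): how the L flag of an
RA Prefix Information Option steers host-to-host traffic via the first-hop
router.  Addresses are constructed 2001:db8::/32 documentation values and
the router address fe80::1 is assumed."""
import ipaddress
import struct
from dataclasses import dataclass

PIO_TYPE = 3        # ND option type: Prefix Information (RFC 4861 4.6.2)
PIO_LEN_UNITS = 4   # option length in 8-octet units: 32 bytes on the wire
PIO_FLAG_L = 0x80   # L: prefix may be used for on-link determination
PIO_FLAG_A = 0x40   # A: prefix may be used for SLAAC
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class PrefixInfo:
    prefix: ipaddress.IPv6Network
    on_link: bool
    autonomous: bool
    valid_lifetime: int
    preferred_lifetime: int


def build_pio(prefix: str, on_link: bool, autonomous: bool,
              valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Encode a 32-byte PIO as a router would carry it in an RA."""
    net = ipaddress.IPv6Network(prefix)
    flags = (PIO_FLAG_L if on_link else 0) | (PIO_FLAG_A if autonomous else 0)
    header = struct.pack("!BBBBIII", PIO_TYPE, PIO_LEN_UNITS, net.prefixlen,
                         flags, valid, preferred, 0)  # trailing 0 is Reserved2
    return header + net.network_address.packed


def parse_pio(option: bytes) -> PrefixInfo:
    """Decode a PIO the way a host does before updating its Prefix List."""
    if len(option) != 8 * PIO_LEN_UNITS:
        raise ValueError("PIO must be exactly 32 bytes")
    typ, length, plen, flags, valid, preferred, _ = struct.unpack(
        "!BBBBIII", option[:16])
    if typ != PIO_TYPE or length != PIO_LEN_UNITS:
        raise ValueError("not a Prefix Information Option")
    if plen > 128:
        raise ValueError("invalid prefix length")
    # strict=False masks any host bits a sloppy router left in the prefix field
    net = ipaddress.IPv6Network((option[16:32], plen), strict=False)
    return PrefixInfo(net, bool(flags & PIO_FLAG_L),
                      bool(flags & PIO_FLAG_A), valid, preferred)


def next_hop(dst: str, prefix_list: list, default_router: str) -> str:
    """RFC 4861 5.2 next-hop determination (Redirects not modelled).

    Returns the address the host resolves with Neighbor Discovery: the
    destination itself when it is on-link, otherwise the default router."""
    d = ipaddress.IPv6Address(dst)
    if d in LINK_LOCAL:
        return dst              # link-local destinations are always on-link
    if any(p.on_link and d in p.prefix for p in prefix_list):
        return dst              # on-link: ND for dst directly, router not involved
    return default_router       # off-link: hand the packet to the first-hop router


def scenarios(router: str = "fe80::1") -> dict:
    """Host A (2001:db8:1::a or 2001:db8:a::1) reaching host B on the same link."""
    shared_l1 = [parse_pio(build_pio("2001:db8:1::/64", on_link=True, autonomous=True))]
    shared_l0 = [parse_pio(build_pio("2001:db8:1::/64", on_link=False, autonomous=True))]
    # unique prefix per host: A's RA carries only A's own /64, so B's /64 is
    # never in A's Prefix List and B is off-link whatever the L flag says
    unique_a = [parse_pio(build_pio("2001:db8:a::/64", on_link=True, autonomous=True))]
    return {
        "shared prefix, L=1": next_hop("2001:db8:1::b", shared_l1, router),
        "shared prefix, L=0": next_hop("2001:db8:1::b", shared_l0, router),
        "unique prefix per host": next_hop("2001:db8:b::1", unique_a, router),
    }


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:24s} -> next hop {hop}")
```

Only the first scenario lets host A resolve host B's link-layer address itself; in the other two the packet goes to fe80::1 and the router decides whether to forward it back onto the same link. That is the layer-3 behaviour the thread attributes to L=0 and to a unique prefix per host.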