Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

"Mudric, Dusan (Dusan)" <dmudric@avaya.com> Fri, 06 October 2017 14:48 UTC

From: "Mudric, Dusan (Dusan)" <dmudric@avaya.com>
To: Lorenzo Colitti <lorenzo@google.com>, "Templin, Fred L" <Fred.L.Templin@boeing.com>
CC: "v6ops@ietf.org" <v6ops@ietf.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Thread-Topic: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
Date: Fri, 06 Oct 2017 14:48:09 +0000
Message-ID: <9142206A0C5BF24CB22755C8EC422E4585AD4EAA@AZ-US1EXMB03.global.avaya.com>
References: <150531144008.30405.8720524557391780522@ietfa.amsl.com> <466db83261804d179fc991f43df5dcf9@XCH15-06-08.nw.nos.boeing.com> <CAKD1Yr00obLxByQEgQkXKnD=W+Kvd0XKtYAdF=Na-dLfo1MHQA@mail.gmail.com>
In-Reply-To: <CAKD1Yr00obLxByQEgQkXKnD=W+Kvd0XKtYAdF=Na-dLfo1MHQA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/KusyDUCzlkaLggU6Y2DLuATgv5c>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

Hi Fred,

Should it be mentioned that even though a ‘shared’ prefix with L=0 makes hosts send packets over the first-hop router, the unique prefix per host is the preferred mechanism in environments where security is a concern?

Thanks,
Dusan.

From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Lorenzo Colitti
Sent: Wednesday, September 13, 2017 6:04 PM
To: Templin, Fred L
Cc: v6ops@ietf.org; internet-drafts@ietf.org
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

I would instead say the opposite, i.e., call attention to what is in fact one of the main benefits of this document. Suggested text:

The practices described in this document make it very simple for networks to implement robust isolation between clients at layer 2. The network can simply ensure that devices cannot send packets to each other except through the first-hop router. This will automatically provide robust protection against attacks between devices that rely on link-local ICMPv6 packets, such as DAD reply spoofing, ND cache exhaustion, malicious redirects, and rogue RAs. This form of protection is much more scalable and robust than alternative mechanisms such as DAD proxying, forced forwarding, or ND snooping.



On Wed, Sep 13, 2017 at 2:12 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
Please add the following to Security Considerations:

  "While the practices described herein encourage L3 operations that would
    forward all traffic through a provider managed First Hop Router, peer to peer
    communications are still possible unless L2 mechanisms are also employed
    in some fashion outside the scope of this document."

Thanks - Fred

> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
> Sent: Wednesday, September 13, 2017 7:04 AM
> To: i-d-announce@ietf.org
> Cc: v6ops@ietf.org
> Subject: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IPv6 Operations WG of the IETF.
>
>         Title           : Unique IPv6 Prefix Per Host
>         Authors         : John Jason Brzozowski
>                           Gunter Van De Velde
>       Filename        : draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
>       Pages           : 9
>       Date            : 2017-09-13
>
> Abstract:
>    This document outlines an approach utilising existing IPv6 protocols
>    to allow hosts to be assigned a unique IPv6 prefix (instead of a
>    unique IPv6 address from a shared IPv6 prefix).  Benefits of unique
>    IPv6 prefix over a unique service provider IPv6 address include
>    improved host isolation and enhanced subscriber management on shared
>    network segments.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-v6ops-unique-ipv6-prefix-per-host/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
> https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops


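The three messages above turn on one mechanism: whether a host treats a peer on the same segment as on-link (and so resolves it with ND directly) or sends the packet to the first-hop router, and the fact that this is purely the sending host's own decision, so L2 isolation is what actually stops a peer-to-peer frame. The following is an added example, not code from the draft or from any of the participants: it encodes and parses an RA Prefix Information option (RFC 4861 section 4.6.2), runs a minimal model of a host's Prefix List and next-hop choice over three constructed configurations (shared /64 with L=1, shared /64 with L=0, unique /64 per host), and then shows with a toy switch model why Fred's caveat holds. All addresses, MACs, the router, the choice of L=1 on the per-host prefix, and the switch model are assumptions made for illustration.

```python
"""On-link decision vs. L2 isolation for the unique-prefix-per-host discussion.

Added example; none of this is from the draft or the thread. All addresses,
MACs, lifetimes and the switch model below are constructed for illustration.
"""
import struct
from ipaddress import IPv6Address, IPv6Network

PIO_TYPE = 3           # RFC 4861 s4.6.2 Prefix Information option
PIO_LEN_UNITS = 4      # length in units of 8 octets: 4 * 8 = 32 bytes
PIO_FMT = "!BBBBIII16s"  # type, len, prefixlen, flags, valid, preferred, reserved2, prefix
FLAG_L = 0x80          # on-link flag
FLAG_A = 0x40          # autonomous address-configuration flag


def build_pio(prefix: str, on_link: bool, autonomous: bool = True,
              valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Encode a Prefix Information option as a router would carry it in an RA."""
    net = IPv6Network(prefix)
    flags = (FLAG_L if on_link else 0) | (FLAG_A if autonomous else 0)
    return struct.pack(PIO_FMT, PIO_TYPE, PIO_LEN_UNITS, net.prefixlen, flags,
                       valid, preferred, 0, net.network_address.packed)


def parse_pio(data: bytes) -> dict:
    """Decode one PIO, rejecting anything that is not a well-formed 32-byte option."""
    if len(data) < 32:
        raise ValueError("truncated PIO")
    typ, length, plen, flags, valid, preferred, _, raw = struct.unpack(PIO_FMT, data[:32])
    if typ != PIO_TYPE or length != PIO_LEN_UNITS or plen > 128:
        raise ValueError("not a valid Prefix Information option")
    return {
        "prefix": IPv6Network(f"{IPv6Address(raw)}/{plen}", strict=False),
        "on_link": bool(flags & FLAG_L),
        "autonomous": bool(flags & FLAG_A),
        "valid": valid,
        "preferred": preferred,
    }


class Host:
    """Just enough of RFC 4861 s5.2 next-hop determination to show the effect of L."""

    def __init__(self, default_router: str):
        self.default_router = IPv6Address(default_router)
        self.prefix_list = []  # on-link prefixes learned from RAs

    def receive_ra(self, options) -> None:
        for pio in map(parse_pio, options):
            # Only prefixes with L=1 enter the Prefix List; A=1 only drives SLAAC,
            # so a shared prefix advertised with L=0 never makes peers on-link.
            if pio["on_link"] and pio["valid"] > 0:
                self.prefix_list.append(pio["prefix"])

    def next_hop(self, dst: str) -> str:
        d = IPv6Address(dst)
        if d.is_link_local or any(d in p for p in self.prefix_list):
            return "direct"                  # host performs ND for dst itself
        return str(self.default_router)      # everything else goes to the router


def l3_scenarios() -> dict:
    """Where does a host send a packet for a peer on the same segment?"""
    router = "fe80::1"  # assumed first-hop router link-local address
    out = {}
    # Shared /64 with L=1: the peer is on-link; the host talks to it without the router.
    h = Host(router)
    h.receive_ra([build_pio("2001:db8:0:1::/64", on_link=True)])
    out["shared_L1"] = h.next_hop("2001:db8:0:1::b")
    # Shared /64 with L=0: same prefix, but never on-link; traffic goes via the router.
    h = Host(router)
    h.receive_ra([build_pio("2001:db8:0:1::/64", on_link=False)])
    out["shared_L0"] = h.next_hop("2001:db8:0:1::b")
    # Unique /64 per host: the peer's /64 is never announced to this host, so the
    # peer is off-link whatever L says on the host's own prefix (L=1 assumed here).
    h = Host(router)
    h.receive_ra([build_pio("2001:db8:0:a::/64", on_link=True)])
    out["unique_per_host"] = h.next_hop("2001:db8:0:b::1")
    return out


def crafted_frame_delivered(port_isolation: bool, dst_mac: str,
                            router_mac: str = "02:00:00:00:00:01") -> bool:
    """Constructed switch model. The next-hop choice above is the sending host's
    own decision: a host that bypasses its stack and emits a raw frame to the
    peer's MAC still reaches the peer, unless the switch forwards frames from
    client ports only toward the router (the L2 mechanism Fred's text refers to)."""
    if port_isolation and dst_mac != router_mac:
        return False
    return True


if __name__ == "__main__":
    print(l3_scenarios())
    print("no isolation:", crafted_frame_delivered(False, "02:00:00:00:00:0b"))
    print("isolation:   ", crafted_frame_delivered(True, "02:00:00:00:00:0b"))
```

The model deliberately ignores DAD, redirects and the ND cache: the point it makes is only that L=0 or a unique /64 changes what a well-behaved host does at L3, while a misbehaving host on a shared segment is stopped only by the switch.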