Re: [v6ops] Feedback on draft-collink-v6ops-ent64pd-01
Jen Linkova <furry13@gmail.com> Tue, 28 February 2023 00:29 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16731C152EFA; Mon, 27 Feb 2023 16:29:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.848
X-Spam-Level:
X-Spam-Status: No, score=-6.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izVWyNvMkpSv; Mon, 27 Feb 2023 16:29:45 -0800 (PST)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94206C152EF7; Mon, 27 Feb 2023 16:29:42 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id s22so10962580lfi.9; Mon, 27 Feb 2023 16:29:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=5JnqI6r4kmAZKONILhygL5iAQNjPxXsLYHGTwmA6Bi4=; b=dCORkfXjL10QpIdXfjboTWtZXBFNE6UjC0IM4jkb9dTBXnamvjJbjX5SV2UCnIJWa6 oDVatyw3ztCO4CoOx+z/at3qEDH8NtS9RReZF/sNCJNnRvwPlNT7wMD2uGKIqY4039Mz p/AOpeNDuSR/hgCGNXks4wUO7tjcY/WtQ8vQq3cB43Ra9fixuECysu2tERG3JuZzHtPa xrASi6LvMf5d73WoO64hPNs/jbjO6H6kVD3dWTJJ15dAQlFdxD5cCSDMDX6/H8kM9C5A lwA3ixSrivw7z31mLWFP86QZWdtpNtwjrDvv9r7ltxyLCNFtoJo1mCAoS62cwQs8ZWCm grhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5JnqI6r4kmAZKONILhygL5iAQNjPxXsLYHGTwmA6Bi4=; b=c1TtDIvS0WBpAaL0BVh/E4PMbz12wELkNl8pGut7kQlSAWJzhQIrQVopUcSbI5woz+ U+QLsGzLa80KsAJB4GLiTSvq+NwCeVVYrxXFcosp2zg6zB727JSn8S7/kWmfXTw763Fk 1s/A4qhqhCRGTcY1OEQjK0eOwAt4+ah31sqcdBdVW0QuzXLiTd9g7x89d3KceSCj/uNl DBH8ZF4Uo9uDtMgan9giooX3aCdzx7CLkU158uHgcvXMWC4ogsNLix/mhd5ZeJGPeoUH /LDgyYZaI80f+M7T1z+8uaktVx215AFshi5TePVVgYHkU1Q3V/gS8TDdGzERNmC/Kc6H ZL4A==
X-Gm-Message-State: AO0yUKUjkcYsf587L5mYXq0eKukB3G8VXmUnTwy3ADnj6HwWZ3/nbMZs TwbaRqDZXToiDkN2vZbVZADqjR9xtR0qVAoP5qm4SESC97c=
X-Google-Smtp-Source: AK7set/sj4LPuANmSdyqrbmPuLf15n82BO/pjmpRxp4rClGv+sZhkshvCZ+fBKj++wMAXpTVS9+et2gequuUs+oUgx0=
X-Received: by 2002:a05:6512:340f:b0:4d5:ca32:6ed6 with SMTP id i15-20020a056512340f00b004d5ca326ed6mr639779lfr.4.1677544180415; Mon, 27 Feb 2023 16:29:40 -0800 (PST)
MIME-Version: 1.0
References: <ed25b84f-fc7e-f26a-bda6-46186e68ce67@si6networks.com>
In-Reply-To: <ed25b84f-fc7e-f26a-bda6-46186e68ce67@si6networks.com>
From: Jen Linkova <furry13@gmail.com>
Date: Tue, 28 Feb 2023 11:29:28 +1100
Message-ID: <CAFU7BAT0OW0MAp+mR2Q2DNaQzW+z_s5JbL6b90=F-mgZcMqc2g@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: IPv6 Operations <v6ops@ietf.org>, draft-collink-v6ops-ent64pd@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/L8b5GH3kDXOUPz8ewJScT5FHLps>
Subject: Re: [v6ops] Feedback on draft-collink-v6ops-ent64pd-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2023 00:29:46 -0000
First of all, thanks a lot for reading the draft and for your comments. On Thu, Jan 12, 2023 at 9:09 PM Fernando Gont <fgont@si6networks.com> wrote: > > At the very least, a host can be expected to have one > > link-local address, one stable global address and one privacy > > address. > > This is no longer the case. As per RFC8981, host can also do temporary only. In -02 it will be rephrased as "At the very least, a host can be expected to have one link-local address, one temporary address and, in most cases, one stable global address." > Note: I'd also use the terminology in RFC7721 (or similarly in RFC8981), > and not use the term "privacy addresses" but rather "temporary addresses". Thanks, will update the text. > Intro: > > Devices > > running containers/namespaces would need even more addresses per > > physical host. > > This seems to imply that containers get exposed on different addresses > each, which is not what typically happens with e.g. Kubernetes. It happens in many cases, if the traffic is bridged. Would it be better if we s/would/might/? > Section 3: > > * The allocated /64 is installed into the first-hop router routing > > table as a route pointing to the client's link-local address. For > > the router and all other infrastructure devices that prefix is > > considered off-link, so no traffic to that prefix does not trigger > > any ND packets. > > It's Friday night, but, of the top of my head, this would lead to a > bunch of ICMPv6 Redirects (one for each address in use). To be honest, the topologies where the proposed design is most useful, tend to block peer2peer anyway (and in many cases redirects are disabled on the router). Anyway a single ICMPv6 is better than keeping a neighbor cache entry state. I'll add some text to section 5 re: redirects. >So one might > wonder why not, e.g., have routers send RIOs to allow for more direct > communication where possible? I guess the router may do this. However it would be useful only if each interface has its own DHCPv6-PD pool (I, for example, might want to have 5 different VLANs with the same pool shared between them. Sending RIOs for each /64 wouldn't scale - unless the router is capable of aggregating multiple /64s into a shorter supernet - but then there will be issues with setting a lifetime.. I guess we can say smth like "if each interface has its own pool, and intra-segment traffic is allowed, the administration might want to configure the routers to include the pool supernet as a Route Information Option (RFC4191) in RAs". > Section 3: > > * The host uses /64 to allocate addresses to its interfaces, > > containers etc. > > Did you mean "the leased /64"? --- one way or another, please clarify > this. Will updated the text in -02. >Additionally, the plural might be confusing... it would seem to > me that the leased /64 would be employed to assign addresses on *this* > network interface (the one receiving the lease), rather than on any > interfaces.... Actually, no. The whole idea is that the device can use /64 to address *other* interfaces as well. For example, the device can include that /64 into Router Advertisements sent to virtual systems or to any other devices connected to its downstream interface. I'll update the text to clarify it. > Section 8: > > * When the network supports both /64 per host and SLAAC as address > > assignment methods, it's highly desirable for the host NOT to use > > SLAAC and only use the prefix delegated via DHCPv6-PD. > > Strictly speaking, even that of configuring link-local addresses (e.g. > with RFC7217) is considered "SLAAC" -- so you probably want to rephrase > the text a bit. Done. > Section 9: > > * If all devices support this mode of operation, it is possible to > > remove the global /64 prefix from the interface completely, > > reducing the attack surface for Neighbor Discovery attacks > > described in [RFC6583]. > > Could you please elaborate on this one? How about this: If all devices connected to the given network segment support this mode of operation and can generate addresses from the delegated /64, there is no reason to advertize a common /64 assigned to that segment in PIO with 'A' flag set. Therefore it is possible to remove the global /64 prefix from that network segment and the router interface completely, so no global addresses are on-link for the segment. This would lead to reducing the attack surface for Neighbor Discovery attacks described in RFC6583. Better? -- SY, Jen Linkova aka Furry
- [v6ops] Feedback on draft-collink-v6ops-ent64pd-01 Fernando Gont
- Re: [v6ops] Feedback on draft-collink-v6ops-ent64… Jen Linkova
- Re: [v6ops] Feedback on draft-collink-v6ops-ent64… Lorenzo Colitti