Re: [v6ops] RFC7217 and flash renumbering and IID change

Fernando Gont <fgont@si6networks.com> Mon, 14 December 2020 05:33 UTC

To: Simon Hobson <linux@thehobsons.co.uk>, IPv6 Operations <v6ops@ietf.org>
References: <alpine.DEB.2.20.2012111147020.10335@uplift.swm.pp.se> <28ec97ca-355b-e4d8-200d-1c14160b51c0@si6networks.com> <4AC2A13C-9FE6-4D2C-B14C-D1DCC3169700@thehobsons.co.uk>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <dd31aa5f-bec7-d8b7-4297-ff89cbe21cd0@si6networks.com>
Date: Mon, 14 Dec 2020 01:32:43 -0300
In-Reply-To: <4AC2A13C-9FE6-4D2C-B14C-D1DCC3169700@thehobsons.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/LHua8zsmsIb8ou_J4GPxecMPLzs>
Subject: Re: [v6ops] RFC7217 and flash renumbering and IID change

Hi, Simon,

On 13/12/20 16:53, Simon Hobson wrote:
> Fernando Gont <fgont@si6networks.com> wrote:
> 
>> So it should be the host talking to the firewall and telling what to do with which address.  -- with e.g. something like UPnP.
> 
> So we're back to each host deciding on the security policy for the network - not a network admin (as a proxy for the owners of the site/network).

For the home scenario case, we're not "back", because we never went 
away from there.

The number of people manually configuring home firewalls is not 
statistically significant.


OTOH, if you want to manually configure rules based on addresses that 
are not guaranteed to remain stable... you know what you are going to 
get. In such scenarios, you probably should use RADIUS or something else.



> I make a point of disabling upnp as one of the first steps when setting up a network. Who wants ${random device which may or may not be "friendly"} to be able to determine what traffic is allowed into the network - it's not like there is anyone out there in the wild west of the internet who'd have any hostile intent :-/

Who wants a network with a random device?  :-)

If the device is evil enough to use UPnP to open holes in the FW, it 
could also be evil enough to act as a proxy and tunnel everything into the 
internal network.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
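The point above about rules keyed on addresses that "are not guaranteed to remain stable" is exactly what RFC 7217's stable-privacy IIDs give you: the interface identifier is a function of the prefix, so a flash renumbering produces a new IID as well as a new prefix, and any firewall rule written against the old literal address silently stops matching. The following is an added example, not code from this thread or from any RFC 7217 implementation; it assumes SHA-256 as the PRF F() (RFC 7217 leaves the choice to the implementation), and the secret key, interface name and prefixes are constructed sample values.

```python
"""RFC 7217-style stable-privacy IID generation (added example, not from the thread).

IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), truncated to 64 bits,
with the RFC 5453 reserved IIDs skipped by bumping DAD_Counter.
"""
import hashlib
import ipaddress

# Constructed sample values (assumptions for this example, not real deployment data).
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NET_IFACE = "eth0"   # a stable interface identifier, per RFC 7217 Section 5
NETWORK_ID = ""      # Network_ID is optional in RFC 7217; empty here


def is_reserved_iid(iid: bytes) -> bool:
    """RFC 5453 reserved IIDs: all-zero (subnet-router anycast) and the
    anycast block fdff:ffff:ffff:ff80 through fdff:ffff:ffff:ffff."""
    value = int.from_bytes(iid, "big")
    if value == 0:
        return True
    return 0xFDFFFFFFFFFFFF80 <= value <= 0xFDFFFFFFFFFFFFFF


def rfc7217_iid(prefix: str, net_iface: str = NET_IFACE, network_id: str = NETWORK_ID,
                dad_counter: int = 0, secret_key: bytes = SECRET_KEY) -> bytes:
    """Return the 64-bit IID for this prefix. F() is SHA-256 here (an assumption)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    while True:
        material = (net.network_address.packed[:8]   # the /64 prefix bytes
                    + net_iface.encode()
                    + network_id.encode()
                    + dad_counter.to_bytes(4, "big")
                    + secret_key)
        iid = hashlib.sha256(material).digest()[:8]
        if not is_reserved_iid(iid):
            return iid
        # Reserved IID: RFC 7217 says increment DAD_Counter and try again.
        dad_counter += 1


def rfc7217_address(prefix: str, **kw) -> ipaddress.IPv6Address:
    """Combine the /64 prefix with the stable-privacy IID into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + rfc7217_iid(prefix, **kw))


def address_in_prefix(address, prefix: str) -> bool:
    return ipaddress.IPv6Address(str(address)) in ipaddress.IPv6Network(prefix, strict=False)


def rule_still_matches(rule_address, current_address) -> bool:
    """A firewall rule keyed on a literal address only matches while the host still holds it."""
    return ipaddress.IPv6Address(str(rule_address)) == ipaddress.IPv6Address(str(current_address))


if __name__ == "__main__":
    before = rfc7217_address("2001:db8:1:1::/64")   # address before renumbering
    after = rfc7217_address("2001:db8:2:2::/64")    # same host, same interface, new prefix
    print("before renumbering:", before)
    print("after renumbering: ", after)
    print("rule keyed on old address still matches:", rule_still_matches(before, after))
    # The IID itself changed, not just the prefix:
    print("IID changed:", rfc7217_iid("2001:db8:1:1::/64") != rfc7217_iid("2001:db8:2:2::/64"))
```

Running it shows the same host getting a completely different IID under the new prefix, which is why the address is stable only per prefix and why a static address-based allow rule on the firewall needs to be rewritten (or replaced by something like a host-identity or RADIUS-driven policy, as suggested above) after a renumbering. The same function with the same prefix always returns the same address, so the "stable" half of RFC 7217 holds as long as the prefix does.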