Re: [v6ops] RFC7217 and flash renumbering and IID change
Fernando Gont <fgont@si6networks.com> Mon, 14 December 2020 05:33 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/LHua8zsmsIb8ou_J4GPxecMPLzs>
Hi, Simon,

On 13/12/20 16:53, Simon Hobson wrote:
> Fernando Gont <fgont@si6networks.com> wrote:
>
>> So it should be the host talking to the firewall and telling what to do with which address. -- with e.g. something like UPnP.
>
> So we're back to each host deciding on the security policy for the network - not a network admin (as a proxy for the owners of the site/network).

For the home scenarios case, we're not "back", because we never went away from there. The number of people manually configuring home firewalls is not statistically significant.

OTOH, if you want to manually configure rules based on addresses that are not guaranteed to remain stable... you know what you are going to get. In such scenarios, you probably should use RADIUS or something else.

> I make a point of disabling upnp as one of the first steps when setting up a network. Who wants ${random device which may or may not be "friendly"} to be able to determine what traffic is allowed into the network - it's not like there is anyone out there in the wild west of the internet who'd have any hostile intent :-/

Who wants a network with a random device? :-)

If the device is evil enough to use UPnP to open holes in the FW, it could also be evil to act as a proxy and tunnel everything into the internal network.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492