Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
Mark Andrews <marka@isc.org> Fri, 17 June 2016 22:13 UTC
To: Marco Ermini <Marco.Ermini@ResMed.com>
From: Mark Andrews <marka@isc.org>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004> <CAO42Z2z_pgBrn3bNRagx4W2FYn4aJ=NYNGwzDk+Q2o373qux+A@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DBFD81@ge2eml2k1004> <CAO42Z2yqb34E3j3ZFqJLZr3P72-yjsurMgmvKovLy2p=sxFKDQ@mail.gmail.com> <CAO42Z2ywK_KR+e4nqu-Jbr3xj5KQG7=aKrgpceN5tooQCQSvDg@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DC15F5@ge2eml2k1004> <CAO42Z2yBOAsQ1KEms7PLAK9rbBUJ1PV3Oak+HTDTtENuzv9tNQ@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>
In-reply-to: Your message of "Fri, 17 Jun 2016 13:12:09 +0000." <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>
Date: Sat, 18 Jun 2016 08:13:22 +1000
Message-Id: <20160617221322.8EF854BB29DF@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/LVs8CGVlTTbEmgBEMe-Lyfw91rY>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "fgont@si6networks.com" <fgont@si6networks.com>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
In message <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>, Marco Ermini writes:

> On residential routers, the myth that IPv6 will come and solve all of the
> NAT problems, and allow ubiquitous and secure access to all the
> devices, is, in fact, a myth. IPv6 breaks protocols as much (if not more)
> than IPv4 NAT. The most used residential routers in Germany (and a proudly
> German-engineered product) require advanced view enabled just to enable
> it; they provide ULAs via DHCPv6, and perform translation to routable
> IPv6 addresses. While IPv4 NAT needs to perform stateful translation of
> IPs and ports, residential routers on IPv6 only translate IPs, but that
> is not improving a lot.

This sounds like the ISP or CPE vendor has not listened to 15+ years of
advice on how to deploy IPv6.

You should be getting a prefix delegation from the ISP which is then
redistributed to the inside network. The PD should be at least a /56
and preferably a /48. The prefix delegation can be delivered via 6RD
if there isn't native IPv6.

ULA is an additional prefix that provides stable internal addressing.

NAT66 is not recommended, and the IETF has even published several RFCs
that state exactly that opinion.

RFC6296:

   For reasons discussed in [RFC2993] and Section 5, the IETF does not
   recommend the use of Network Address Translation technology for IPv6.
   Where translation is implemented, however, this specification
   provides a mechanism that has fewer architectural problems than
   merely implementing a traditional stateful Network Address Translator
   in an IPv6 environment. It also provides a useful alternative to the
   complexities and costs imposed by multihoming using provider-
   independent addressing and the routing and network management issues
   of overlaid ISP address space. Some problems remain, however. The
   reader should consider the alternatives suggested in [RFC4864] and
   the considerations of [RFC5902] for improved approaches.

If someone thinks NAT66 provides any effective security they need their
head read. Internal addresses leak all over the place and once you have
one all the internal machines are addressable.

The only thing NAT66 provides is the ability to have a single IPv6
address per machine vs multiple IPv6 addresses internally, which comes
at a cost of requiring external equipment to be able to determine the
effective GUA the machine has and more complicated software at the
application level to work around the NAT.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
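The two deployment models Mark contrasts, as an added example that is not part of this thread and not code from ISC, any CPE vendor or the RFC: the recommended model, where each internal segment gets a routable /64 out of the delegated prefix plus a /64 out of the site's ULA prefix and nothing is translated, beside the NAT66 model, where a ULA address is rewritten to a GUA at the border. The prefix-translation function follows the checksum-neutral idea of RFC 6296 (swap the prefix, then add the resulting word-sum difference into one 16-bit host word so transport checksums survive), but its exact placement rule is a simplified reading of the RFC and an assumption; all prefixes are constructed (the 2001:db8::/32 documentation range and made-up ULAs), and the function names are hypothetical.

```python
import ipaddress

# One's complement arithmetic on 16-bit words is arithmetic modulo 2^16 - 1;
# a TCP/UDP checksum depends on the address only through the word sum mod this.
ONES_MOD = 0xFFFF


def plan_segments(delegated, ula, segments):
    """Recommended model (no translation): every internal segment receives a
    routable /64 from the ISP's delegated /56 or /48 and a /64 from the site's
    ULA prefix, so each host ends up with one GUA and one stable ULA."""
    gua_subnets = ipaddress.IPv6Network(delegated).subnets(new_prefix=64)
    ula_subnets = ipaddress.IPv6Network(ula).subnets(new_prefix=64)
    return {name: (next(gua_subnets), next(ula_subnets)) for name in segments}


def _words(addr):
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words):
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def checksum_sum(addr):
    """Contribution of an address to a transport-layer checksum, modulo 0xFFFF."""
    return sum(_words(ipaddress.IPv6Address(addr))) % ONES_MOD


def npt_translate(addr, from_prefix, to_prefix):
    """NAT66 model: checksum-neutral prefix translation in the style of RFC 6296.
    The prefix is swapped, then the difference in the 16-bit word sum is added
    (one's complement) into the first word lying entirely past the prefix that
    is not 0xFFFF. That placement rule is a simplified reading of the RFC and
    an assumption of this example, not the RFC's exact text."""
    addr = ipaddress.IPv6Address(addr)
    from_prefix = ipaddress.IPv6Network(from_prefix)
    to_prefix = ipaddress.IPv6Network(to_prefix)
    if from_prefix.prefixlen != to_prefix.prefixlen:
        raise ValueError("inside and outside prefixes must have the same length")
    if addr not in from_prefix:
        raise ValueError(f"{addr} is not within {from_prefix}")
    plen = from_prefix.prefixlen
    host_mask = (1 << (128 - plen)) - 1
    swapped = ipaddress.IPv6Address(
        int(to_prefix.network_address) | (int(addr) & host_mask))
    old_w, new_w = _words(addr), _words(swapped)
    adjustment = (sum(old_w) - sum(new_w)) % ONES_MOD
    first_host_word = (plen + 15) // 16     # first word with no prefix bits in it
    for i in range(first_host_word, 8):
        if new_w[i] != 0xFFFF:              # 0xFFFF is "negative zero": skip it so the map inverts
            new_w[i] = (new_w[i] + adjustment) % ONES_MOD
            return _from_words(new_w)
    raise ValueError("no host word available to carry the checksum adjustment")


if __name__ == "__main__":
    pd = "2001:db8:0:a100::/56"            # constructed: delegation from the ISP
    site_ula = "fd12:3456:789a::/48"       # constructed: the site's ULA prefix
    for name, (gua, ula) in plan_segments(pd, site_ula, ["lan", "iot"]).items():
        print(f"{name}: GUA {gua}  ULA {ula}")
    host = "fd01:203:405:1::1"             # constructed: internal ULA host
    out = npt_translate(host, "fd01:203:405::/48", "2001:db8:1::/48")
    print(host, "->", out, "checksum-neutral:", checksum_sum(host) == checksum_sum(out))
```

The translated address shows the cost Mark describes: the host's own subnet field is altered on the way out (here to a different value in the fourth word), so the machine cannot tell from its configuration which GUA the outside world sees, and anything that carries addresses inside the payload still needs application-level help; the `plan_segments` model needs none of that.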