Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Mark Andrews <marka@isc.org> Fri, 17 June 2016 22:13 UTC

To: Marco Ermini <Marco.Ermini@ResMed.com>
From: Mark Andrews <marka@isc.org>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004> <CAO42Z2z_pgBrn3bNRagx4W2FYn4aJ=NYNGwzDk+Q2o373qux+A@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DBFD81@ge2eml2k1004> <CAO42Z2yqb34E3j3ZFqJLZr3P72-yjsurMgmvKovLy2p=sxFKDQ@mail.gmail.com> <CAO42Z2ywK_KR+e4nqu-Jbr3xj5KQG7=aKrgpceN5tooQCQSvDg@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DC15F5@ge2eml2k1004> <CAO42Z2yBOAsQ1KEms7PLAK9rbBUJ1PV3Oak+HTDTtENuzv9tNQ@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>
In-reply-to: Your message of "Fri, 17 Jun 2016 13:12:09 +0000." <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>
Date: Sat, 18 Jun 2016 08:13:22 +1000
Message-Id: <20160617221322.8EF854BB29DF@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/LVs8CGVlTTbEmgBEMe-Lyfw91rY>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "fgont@si6networks.com" <fgont@si6networks.com>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

In message <38465846B6383D4A8688C0A13971900C48DC4AFA@ge2eml2k1004>, Marco Ermini writes:

> On residential routers, the myth that IPv6 will come and solve all of the
> NAT problems, and allow ubiquitous and secure access to all the
> devices, is in fact a myth.  IPv6 breaks protocols as much as (if not
> more than) IPv4 NAT.  The most used residential routers in Germany (and
> a proudly German-engineered product) require advanced view enabled just
> to enable it; they provide ULAs via DHCPv6, and perform translation to
> routable IPv6 addresses.  While IPv4 NAT needs to perform stateful
> translation of IPs and ports, residential routers on IPv6 only translate
> IPs, but that is not improving a lot.

This sounds like the ISP or CPE vendor has not listened to +15 years
of advice on how to deploy IPv6.  You should be getting a prefix
delegation from the ISP which is then redistributed to the inside
network.  The PD should be at least a /56 and preferably a /48.

The prefix delegation can be delivered via 6RD if there isn't native
IPv6.

ULA is an additional prefix that provides stable internal addressing.

NAT66 is not recommended, and several RFCs have even been published
that state exactly that opinion.

RFC6296

   For reasons discussed in [RFC2993] and Section 5, the IETF does not
   recommend the use of Network Address Translation technology for IPv6.
   Where translation is implemented, however, this specification
   provides a mechanism that has fewer architectural problems than
   merely implementing a traditional stateful Network Address Translator
   in an IPv6 environment.  It also provides a useful alternative to the
   complexities and costs imposed by multihoming using provider-
   independent addressing and the routing and network management issues
   of overlaid ISP address space.  Some problems remain, however.  The
   reader should consider the alternatives suggested in [RFC4864] and
   the considerations of [RFC5902] for improved approaches.

If someone thinks NAT66 provides any effective security they need
their head read.  Internal addresses leak all over the place and
once you have one all the internal machines are addressable.

The only thing NAT66 provides is the ability to have a single IPv6
address per machine vs multiple IPv6 addresses internally, which comes
at the cost of requiring external equipment to be able to determine
the effective GUA the machine has, and more complicated software at
the application level to work around the NAT.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
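The RFC 6296 text quoted above describes a prefix translation that is stateless and "checksum-neutral": only the prefix words of an address change, and one 16-bit word after the prefix is adjusted so that the one's complement sum of the whole address (and therefore every TCP/UDP/ICMPv6 checksum that covers it) is unchanged. The following is an added worked example, not code from this thread or from any translator implementation, that carries that arithmetic through in Python. It models the prefix-to-prefix case for prefix lengths that are multiples of 16 bits up to /64 and checks neutrality on both directions of the mapping; the RFC's special handling of 0xFFFF words and of prefixes longer than /64 is deliberately not modelled, and the prefixes and host address used are constructed sample values (ULA inside, documentation prefix outside), not data from the page.

```python
import ipaddress


def ocadd(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ocneg(a: int) -> int:
    """One's complement negation of a 16-bit word."""
    return (~a) & 0xFFFF


def ocsum(words) -> int:
    """One's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = ocadd(total, w)
    return total


def words_of(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into its eight 16-bit words."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def addr_of(words) -> ipaddress.IPv6Address:
    """Rebuild an address from eight 16-bit words."""
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def nptv6_translate(addr: str, from_prefix: str, to_prefix: str) -> str:
    """Map addr from one prefix to another, keeping the address checksum-neutral.

    Only the prefix words are swapped; the first word after the prefix absorbs
    the difference between the two prefix sums so the one's complement sum of
    the full address does not change. The mapping is a pure function of the
    address and the two prefixes, which is why the translator needs no state.
    Modelled on the RFC 6296 description; 0xFFFF words and prefixes longer
    than /64 are not handled here (hypothetical simplification for the example).
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths must match")
    if src.prefixlen % 16 or src.prefixlen > 64:
        raise ValueError("example supports 16-bit aligned prefixes up to /64")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")

    n = src.prefixlen // 16                      # number of prefix words
    w = words_of(a)
    from_words = words_of(src.network_address)[:n]
    to_words = words_of(dst.network_address)[:n]

    # adjustment = sum(from prefix) - sum(to prefix), in one's complement
    adj = ocadd(ocsum(from_words), ocneg(ocsum(to_words)))

    out = to_words + w[n:]
    out[n] = ocadd(w[n], adj)                    # first word after the prefix
    if out[n] == 0xFFFF:                         # 0xFFFF and 0x0000 are both zero
        out[n] = 0x0000                          # in one's complement arithmetic
    return str(addr_of(out))


def is_checksum_neutral(a: str, b: str) -> bool:
    """True if both addresses contribute the same value to a transport checksum."""
    sa = ocsum(words_of(ipaddress.IPv6Address(a)))
    sb = ocsum(words_of(ipaddress.IPv6Address(b)))
    return sa == sb or {sa, sb} == {0x0000, 0xFFFF}


# Constructed sample values: a ULA /48 inside, a documentation /48 outside.
INSIDE_PREFIX = "fd01:203:405::/48"
OUTSIDE_PREFIX = "2001:db8:1::/48"
INSIDE_HOST = "fd01:203:405:1::1234"


def demo() -> dict:
    """Translate a constructed inside address outward and back again."""
    external = nptv6_translate(INSIDE_HOST, INSIDE_PREFIX, OUTSIDE_PREFIX)
    internal = nptv6_translate(external, OUTSIDE_PREFIX, INSIDE_PREFIX)
    return {
        "external": external,
        "round_trip": internal,
        "neutral": is_checksum_neutral(INSIDE_HOST, external),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The subnet word is what absorbs the adjustment here (word 3 for a /48 mapping, word 4 for a /64 mapping), which is exactly the point Mark makes about external equipment: anyone outside who wants to know a machine's effective GUA has to know both prefixes and redo this arithmetic, because the address on the wire is not the address the host believes it has.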