IETF Logo Mail Archive

[v6ops] A good example of why we need to careful about ULAs

Lorenzo Colitti <lorenzo@google.com> Thu, 30 May 2013 06:41 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD7FF21F8629 for <v6ops@ietfa.amsl.com>; Wed, 29 May 2013 23:41:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u5YEFs8dd7bC for <v6ops@ietfa.amsl.com>; Wed, 29 May 2013 23:41:23 -0700 (PDT)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 1DFC721F8521 for <v6ops@ietf.org>; Wed, 29 May 2013 23:41:23 -0700 (PDT)
Received: by mail-ob0-f174.google.com with SMTP id wd20so5834734obb.19 for <v6ops@ietf.org>; Wed, 29 May 2013 23:41:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type; bh=G9x6HlhCyHQpeR6VfixhaEKGcXps0KxObZ9BFhGKtlc=; b=e5nfHwESSabTWMNxc2f9EitNQa11mwjGJFCeikN0CiZI8s4q/DU2tT8fsw0K7Syr5V C8Ukc1pWtamYmGkv9Mg0xtE9NBNU+8RY2hpSsMGmigoj5pUuS3D5PwWoZIB3yWJOWcig DZrysxfd6AeFnJ/iZwXoB+dZk5sU4MLFzHWiq0YDgBe5QImI6VGzGx7C07/tqVAWqzFM jqZKo8H9i8d7pVbLrmoId5elPH4+vOHAUM2+L+MsvBcYEj7TUobsTFi1c79kheN/3MW0 W8NJ3QLs96uCLQ3IafMsppQVCeV7oSqsqcaMOpeWfzyQRpnpFa71NQAayiGLpQMRUgml 70qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-gm-message-state; bh=G9x6HlhCyHQpeR6VfixhaEKGcXps0KxObZ9BFhGKtlc=; b=A8wa/0gmhokjybm/mWioKo2OhklfH8xH/wULCMGMX2sQWN3RWpXTE2Sa250Npwo5NE AURUUQJWAIlyr73W5f5AZnXCu8YwrcHQ+f9/F3G/4UGljdrTIJpu4jDQykeripChQuEj YGkDtxVndv9G/xL3np+/TqpNBXvsVZzd2skRdhR96YAZ5UTgy2bESNoAuYuDHcSd5mMG QqSzwZ9EiSLCFQoRACcxT+NJ9RErshT5Xq7sgYkQbG3ox0b6o77B4gIztxNeWnFJ6u6Q u1tSo/6VkgU/P8bXhpquOLK0J2c6pH7Zi+acPcePzYtiWslAksJEg2ZnF+brNOZ7i7yd TRwQ==
X-Received: by 10.182.108.132 with SMTP id hk4mr3640448obb.14.1369896082581; Wed, 29 May 2013 23:41:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.146.47 with HTTP; Wed, 29 May 2013 23:41:02 -0700 (PDT)
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 30 May 2013 15:41:02 +0900
Message-ID: <CAKD1Yr29kf1Me=6JR66Gq0dFYgQx2wq=pjW8WZyHByPA0POsMQ@mail.gmail.com>
To: "v6ops@ietf.org WG" <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="089e0149d22061d2c804dde9c9b7"
X-Gm-Message-State: ALoCoQkJ3U3VtMBMgPcmDbuA/Gk9UUN8KgnbxR9iDcFIt2i5muoTg0lmklGc4cto/cplxsc1nZ0dkNCKE6NEfl1W+Z8MisMeUlRwnidVPu4lGi9R4nD7uv280lyJI34P78tjinIm+5vSWuPrtr0XHJKwtu1WRZ3uvDXjKlQ6dXK9tBd9gPf+vXH49Y5EM5exAvvfS+06twS4
Cc: "draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org" <draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org>
Subject: [v6ops] A good example of why we need to careful about ULAs
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 06:41:23 -0000

News at 11:

1. ULAs leak.
2. People assign ULAs by hand.

Yes, both of these a violation of IETF guidance. I don't think that matters
much, though - while we can always claim that the implementer/operator is
"holding it wrong", we should be careful that what we design/standardize is
hard to misconfigure and possibly robust in the face of misconfiguration.
Subtle nuances like "these addresses are global scope, but not globally
routable" tend to get lost very easily.

Of course, in the case of ULAs, there's not much that can be done about the
design at this point, but we should make an effort to make it clear that
the potential for misconfiguration exists and provide clear guidance on how
not to misconfigure them.

Personally, I think that providing said guidance is much more useful and
important than enumerating scenarios that aren't widely, if at all,
implemented, and I hope that the authors
of draft-ietf-v6ops-ula-usage-recommendations will agree.

Cheers,
Lorenzo

---------- Forwarded message ----------
From: Jeroen Massar <jeroen@massar.ch>
Date: Thu, May 30, 2013 at 4:59 AM
Subject: Usage of fd00::/8 on the Interwebz - something with filters and
uRPF
To: ipv6-ops@lists.cluenet.de


...
 4  2001:7f8:1::a500:3303:1 (2001:7f8:1::a500:3303:1)  20.755 ms  20.763 ms
 20.784 ms
 5  fd00:3303::1 (fd00:3303::1)  22.010 ms  21.984 ms  21.986 ms
 6  2a02:120c:1051:d010::1 (2a02:120c:1051:d010::1)  17.806 ms  17.889 ms
 17.842 ms
 7  2a02:120c:1051:d010::1 (2a02:120c:1051:d010::1)  18.720 ms  18.593 ms
 18.617 ms
...

Hmmmm fd00::/8, that really should never ever be visible on the Internet,
being Unique *LOCAL* Addresses.
And it does not look like they applied the randomness bit for picking a
prefix either.
You would also almost think that a /28 is more than enough address space to
put a few router loopbacks in.

It is apparently time for people to start checking their filters again
because it seems that these packets leak into other ASNs too...

More generally, do recheck your network for BCP38 compliance, please do
apply it and require your peers to do the same!

Greets,
 Jeroen

v2.23.0 | Report a Bug | By Email