IETF Logo Mail Archive

Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]

Mark Smith <markzzzsmith@gmail.com> Tue, 02 January 2024 21:51 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40178C18DB9E for <v6ops@ietfa.amsl.com>; Tue, 2 Jan 2024 13:51:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.602
X-Spam-Level:
X-Spam-Status: No, score=-6.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EhvoIVuJGGxq for <v6ops@ietfa.amsl.com>; Tue, 2 Jan 2024 13:51:46 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14AE8C18DB92 for <v6ops@ietf.org>; Tue, 2 Jan 2024 13:51:30 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id 38308e7fff4ca-2cd0f4797aaso10942071fa.0 for <v6ops@ietf.org>; Tue, 02 Jan 2024 13:51:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704232287; x=1704837087; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SsUWXoDCW/MOMiPTUBqJS6ONh3B6+GP02MDQdYPGE7s=; b=hqAD+i0ZeXsGttFxmp05nkNnncAAgregFspxtHv2yQ0WANXP/mo/jzyc8/lcOsXf3Z WAm3zaChQL3Hl11JxDEVJkHaXkMmcoufjhZoYJ70JC9hhM9CzqvJisRCeKNG+zfi0cXj lVa0yafWygwAZ1WOw2Zco6If9WRVSGOKgjNarQiVxw69WUstVmY/aTucjyhQp8H1xiBi MvYjCDVLkPDosY++hk1erengXAyZD84mnqm/8VMrPlc/WlcxAi+V6kWYk1liOZed4Tk0 MiG0dlSLVUHPUZnpIejxIxiwcH4V98c7jP1zJnRFlbRAqC5PsZvLlpYa8B0F2cMaxCyh wudw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704232287; x=1704837087; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SsUWXoDCW/MOMiPTUBqJS6ONh3B6+GP02MDQdYPGE7s=; b=ezNnTFh3AcI+2HBy++3mbgiXA0Yndw66JuD53yFrwye2c1vnldxz9ca4a272RmRNZ/ 73xBq0Lx0dKLK3I2fyPsCHHW3cGYOmAb46+mjIKg7ND3sX6oev6jyHFlDVyJ9GkYc+ve N3tDMY9tAKsso+aSgHJDGRzrmiobcRbqeZzRxMcbWXvm/ufxObeQaQ/krBzk1aUujy/o J4DzPuttN2A1CHe6ACQpZLJJmrpEg9qXxpVllpP/mjM5QYdls17BCaWcKaOgevZ/9/9b vkFhMM1qsSrpViNyFHs2KHixg2lCowF82tVCVPiRq3OpiI/rZV8YqInYkdgxpzESTI4w ts6Q==
X-Gm-Message-State: AOJu0YxWyYk7wBp0P0o7W2qKaIcsKDdwYFTn02aXot88kV8Cxum7egFV EpviExX/tiDz1GZeLmw7+jYEelzVguJtt5RMYvrdatqY
X-Google-Smtp-Source: AGHT+IHjcYzrEW9Ghd4cuJ9+NC592bX8+qXoUsEYxl6tddOq6aPu4OyK+dJ/SjHRGz2WlwXlikscgtvsWKW//PGWp+A=
X-Received: by 2002:a05:651c:515:b0:2cc:8549:6a33 with SMTP id o21-20020a05651c051500b002cc85496a33mr7638983ljp.46.1704232287189; Tue, 02 Jan 2024 13:51:27 -0800 (PST)
MIME-Version: 1.0
References: <CACyFTPHbCc00z36PRSUCsP=8Av=z4Ms0KHwk1Rxd=19TXzdyhg@mail.gmail.com> <CAPt1N1=82h05qZRqhtDirXwS1Fvz8OPt0iFRWasFHMXkEp4Fuw@mail.gmail.com> <CACyFTPFJ=CjiYbZjdF8T63a14SgeNAKaAQeTVSbAxde4J9ZfRQ@mail.gmail.com> <CAO42Z2zfzwx2NuCYZh_-ncTvmQ0T1+AsOi540RQ2BjQC0w6Kkg@mail.gmail.com> <ZYSv6CZllItMyNSQ@Space.Net> <CAO42Z2y-zKtWWJXX837RfD9XuxKaXkhg75TiEGHF=hFdnnsydQ@mail.gmail.com> <CACyFTPHDhrANP+tssS3x14Dm19TiyAYpeEF=sZdLJsrwUpAWjw@mail.gmail.com> <CAPt1N1nFk1QYmcJe4vmnj_vKp2EZ8iLipcrW3QixPKayER50LA@mail.gmail.com> <8d990f81-d4ae-b602-1f58-a0aa0fc9de28@gmail.com> <CAO42Z2wBZ3EQVtH0-EBsDhkR8owCpxTAJZJE59pVC5-jSMjUzA@mail.gmail.com> <ZYayNL9kuwH37EqP@Space.Net> <CACyFTPEn2ag2ZtgFag1N+0MqJbagw6HzYkVw0rC=0VV+DDCm+g@mail.gmail.com> <8fb2c7c5-938c-3728-17c9-85e7004883e6@gmail.com> <CACyFTPHWCCLsiUT0GEuvpq5fhnaDdD-w910x3R0wMprUGnZ9nA@mail.gmail.com> <CAO42Z2z9bFemih_0_wDa8TA1ez4zSnACF6gU5yU74rknHKCwgw@mail.gmail.com> <CACyFTPGXNyhBHV_w0Uj3QQdz3OCQ-hqtAmPNNNgUKCFGoEbxow@mail.gmail.com> <CAPt1N1kQB9PYrt70vRTQT=cgvVOaRms=+OsH117_-H9Uj9kS1A@mail.gmail.com> <53322B92-1354-4CF9-98C8-A56EE5EA8EBD@jisc.ac.uk> <CAPt1N1=k9NO_ci_zJus8LM0_eH9QBvdtoZc3FR8h8TU0_+50_g@mail.gmail.com> <5E6C7984-EED0-46DD-82BB-86F554E20795@employees.org> <CAPt1N1mHvpfbqaocnc6nBwDZ2RocMfi3ydtiSxqRq7dZwF1EQg@mail.gmail.com> <2D0D28C9-F1EE-4AB7-987E-CD9D6A28A4F1@employees.org> <CAPt1N1m5Jdt7+AzB7_r0EmsV-yP0DUh5uFxy_3WyooMrCbJ7qQ@mail.gmail.com> <705971AB-BCE4-46D1-B043-396C59BC552C@employees.org> <CAPt1N1kM0g3nbEsodaUMGsNx93FG5o=PWyr+VFfp24_sv6PL5A@mail.gmail.com> <CACyFTPG91wc3LAZ1QRBm6t-cDL1OtyVh2P6zrh_zGiAeBnVeBg@mail.gmail.com>
In-Reply-To: <CACyFTPG91wc3LAZ1QRBm6t-cDL1OtyVh2P6zrh_zGiAeBnVeBg@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 03 Jan 2024 08:51:00 +1100
Message-ID: <CAO42Z2zMmezZVRCnkYSse-u93pNQk0WB5qi_R=Zm+JzmC=SmDw@mail.gmail.com>
To: Daryll Swer <contact=40daryllswer.com@dmarc.ietf.org>
Cc: Ted Lemon <mellon@fugue.com>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017befa060dfd8022"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/M0qz_pL08VR5qEppZFjQX26_kuA>
Subject: Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2024 21:51:50 -0000

On Wed, 3 Jan 2024 at 03:41, Daryll Swer <contact=
40daryllswer.com@dmarc.ietf.org> wrote:

> I've given much thought to this DHCPv6/SLAAC debate over the week, and my
> final opinion is.
>
> 1. The “address notification” mechanism likely just adds more complexity
> (and the time required for devices to support it) vs just fixing ia_na
> specific issues
> 2. The “state sync” problem is fixed in ISC Kea, which means there's no
> technical reason for the IETF to not adopt the open source protocol into a
> standard
>

If you wish Kea's state sync mechanism to be documented and possibly
standardised in an RFC, it is up to you to write or get written the
Internet Drafts and submitted to the appropriate IETF working group, as the
start of the process to gain consensus, which then may or may not result in
an RFC (which are also fundamentally voluntary to comply with).

Don't expect the IETF to do that work just because you ask for it. That's
not how the IETF works. You have to invest your own time and resources in
the work if you want that work to occur. Other IETF participants may help
you if they're interested in what you're proposing.


> 3. I will recommend enterprises do “Do IPv6 for everything but Android”
> (already the reality as is)
> 4. ia_na does help with traceroutes/troubleshooting vs link-local for
> PD-only
>
> I'm not sure if the time/energy required for “address notification” top to
> bottom, is significantly less than what would be required to patch ia_na
> specific issues.
>
> *--*
> Best Regards
> Daryll Swer
> Website: daryllswer.com
> <https://mailtrack.io/link/b8fbb9af84a504e9046468dc0a0438e543cb4486?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=dd709ee618d93ac2>
>
>
> On Tue, 2 Jan 2024 at 21:28, Ted Lemon <mellon@fugue.com> wrote:
>
>> It's rather unkind of you to respond to a thoughtful answer that I took
>> some time to compose with an accusation that it came from ChatGPT. I have a
>> lot going on today, and participating in this conversation isn't free for
>> me. I would encourage the chairs to weigh in on whether they think this is
>> appropriate.
>>
>> That said, I agree with (what I think is) your point: if the DHCP address
>> registration is not enforced with e.g. 802.1x, it's actually harmful. But
>> the same criticism is also valid for the DHCPv6 IA_NA use case, so I don't
>> think you've said anything new. This is precisely why there isn't consensus
>> to require these mechanisms: by default they don't do what people want them
>> to do. But it's easy to pretend that they do, and that leads to bad
>> outcomes for end users. As the service provider, unless you can be held
>> liable for false accusations (and they can be proven) you can freely accuse
>> your users of bad behavior and back it up with your DHCPv6 logs, and it's
>> likely that you won't be held accountable for any accidental false
>> accusations that you make in good faith.
>>
>> In case it's not obvious, I'm not actually advocating for this. I think
>> it's a bad idea. It's not an accident that I used the term "surveillance"
>> in my previous message.
>>
>> On Tue, Jan 2, 2024 at 10:44 AM Ole Troan <otroan@employees.org> wrote:
>>
>>> Ted,
>>>
>>> ChatGPT?
>>>
>>> For an idea of what the network does already:
>>>
>>> https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf
>>>
>>>
>>> Again, I can’t quite see how the DHCPv6 registration mechanism would
>>> help the network in tracking endpoints.
>>> Given that the network cannot trust the hosts that support the mechanism
>>> to provide a truthful answer, then you have the other set of endpoints that
>>> do not support the mechanism at all, which the network also has to handle.
>>>
>>> I may have missed it, but I have not seen this question answered in the
>>> draft, nor in your reply.
>>>
>>> O.
>>>
>>>
>>> > On 2 Jan 2024, at 16:31, Ted Lemon <mellon@fugue.com> wrote:
>>> >
>>> > If the problem is attributing flows to particular users, then you need
>>> a way to associate a particular flow with a particular user. The easiest
>>> way to do this is with the IP address of the non-server endpoint of the
>>> flow (that is, the IP address the surveilled device is using to
>>> communicate). So you have two things you need to do to be able to
>>> successfully do this attribution:
>>> >
>>> > 1. Establish an association between a device/user and every IP address
>>> that device will use to communicate with other devices where surveillance
>>> is required.
>>> > 2. Make sure only the owner of the device is able to successfully use
>>> each such IP address to communicate.
>>> > 3. Maintain a record of what IP addresses were in use by what devices
>>> during what time periods.
>>> >
>>> > So, DHCPv6 IA_NA and DHCPv6 address registration provide a way for a
>>> host to communicate the IP addresses it is using to a DHCPv6 server. The
>>> DHCPv6 server can log these addresses. It can also reach out and enable
>>> those addresses on the per-port filter for ethernet, or per 802.1x identity
>>> for WiFi. This is all stuff we've talked about many times before.
>>> >
>>> > One slight issue we'd need to be sure of is that the DHCPv6 address
>>> registration packet comes from a link-local address, so that it's not
>>> filtered. I think that's contrary to what the document currently says.
>>> >
>>> >
>>> > On Tue, Jan 2, 2024 at 9:54 AM Ole Troan <otroan@employees.org> wrote:
>>> > Since the network has to do enforcement anyway, then it can do so with
>>> existing mechanisms.
>>> > Are you suggesting that network enforcement of devices somehow become
>>> easier with the proposed mechanism?
>>> > If so, how exactly?
>>> >
>>> > O.
>>> >
>>> > > On 2 Jan 2024, at 15:49, Ted Lemon <mellon@fugue.com> wrote:
>>> > >
>>> > > Presumably if the user disables tracking on their host, the network
>>> won't allow them transit, so problem solved. Without that enforcement
>>> mechanism, there's no point in implementing DHCPv6-based tracking: the
>>> notion that you can just assume based on the source address that the packet
>>> originated from a particular host is actively harmful, because it creates
>>> an opportunity for malware to spoof a host and engage in bad actions, which
>>> will then be blamed on the legitimate owner of that host.
>>> > >
>>> > > Indeed, in order to be able to reliably attribute traffic from a
>>> particular IP address to a particular host or user, the filtering would
>>> need to be done in a way that can't be spoofed—at Tim says, using 802.1x
>>> might prevent this since the packets are all signed with a per-host key (if
>>> I understand it correctly—not claiming to be an expert).
>>> > >
>>> > > On Tue, Jan 2, 2024 at 9:33 AM Ole Troan <otroan@employees.org>
>>> wrote:
>>> > > > In order to disable it, you have to be on a network that allows
>>> arbitrary devices to be DHCPv6 servers. So I think it's still useful, since
>>> blocking DHCP from unauthorized servers isn't that hard. Even if you aren't
>>> actively blocking it, finding a DHCPv6 server that's poisoning the well
>>> isn't that hard.
>>> > >
>>> > > The user of a host that doesn’t want tracking can disable it for
>>> that host.
>>> > > Rendering the mechanism less than useful for the problem of tracking
>>> hosts on a network.
>>> > >
>>> > > O.
>>> >
>>> >
>>>
>>>
>>> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email