Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Gert Doering <gert@space.net> Mon, 25 October 2021 21:47 UTC

Date: Mon, 25 Oct 2021 23:47:06 +0200
From: Gert Doering <gert@space.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Gert Doering <gert@space.net>, Warren Kumari <warren@kumari.net>, "v6ops@ietf.org" <v6ops@ietf.org>
Message-ID: <YXcl2iQMvZe8ggLs@Space.Net>
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com> <YXciHYMNa6KJUohp@Space.Net> <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/MV6mzmI_MrLPJmWjEbjsrvY9448>

Hi,

On Tue, Oct 26, 2021 at 10:44:32AM +1300, Brian E Carpenter wrote:
> On 26-Oct-21 10:31, Gert Doering wrote:
> > On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
> >> I somewhat like the idea of having a well known prefix for "limited
> >> domains"
> 
> fc00::/7 works well. RFC8994 is a worked example.

So how would that work for an ISP network trying to run SR6, protecting
its network from rogue hosts inside?  Without having GUAs on the SR6
routers that would happily decapsulate incoming SR6 packets, and 
without violating lots of rules about "do not leak ULAs outside
your network" (traceroute and other ICMP errors)?

I lack imagination today...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Supervisory board chair: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         VAT ID: DE813185279