Re: [v6ops] Implementation Status of PREF64

Fernando Gont <fernando.gont@edgeuno.com> Tue, 28 September 2021 15:40 UTC

To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, Owen DeLong <owen=40delong.com@dmarc.ietf.org>
Cc: V6 Ops List <v6ops@ietf.org>, Jen Linkova <furry@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/N6esP_3YKKUXrgP-fE0YqFPEp_c>

On 28/9/21 02:21, Lorenzo Colitti wrote:
> On Tue, Sep 28, 2021 at 1:54 PM Owen DeLong
> <owen=40delong.com@dmarc.ietf.org>
> wrote:
>
>     No… That’s not what it amounts to.
>
>     It amounts to a machine can only use the network _IF_ it completes
>     802.1x Authentication _AND_ the IP address(es) it is using match the
>     DHCP server’s expectation of the address it issued to the MAC
>     address in question.
>
>
> Why would you want to do this? IPv6 addresses are plentiful and
> ephemeral. What does it matter to some server on the Internet (or, in
> general, off-link) if a given host uses 2001:db8:1:2:3::f00 or
> 2001:db8:1:2:3::b00 or both? Why take the privacy implications of using
> a fixed IID (because DHCPv6 can't seamlessly change IIDs) to talk to all
> off-link destinations all the time?

Could you please elaborate why "DHCPv6 can't seamlessly change IIDs"?

In any case: Let's not over-hype what RFC8981 provides: it helps privacy
in scenarios where there is a large number of systems on the same link,
and also limits the window of time during which an address can be used.

However, for many (e.g. automated) attacks, you don't need an address to
be stable for longer than a few dozen minutes.....
>>     This is better than the DHCP version above because it allows the
>>     client to use multiple IP addresses and does not need to be
>>     re-done when the IP address changes.
>     Sometimes the network administrator doesn’t want the host using
>     multiple IP addresses for a variety of reasons.
>
>
> Ok, but that's also harmful for a variety of reasons, and for general
> purpose devices, it's not recommended by the IETF. That's exactly what
> RFC 7934 is about - explaining why it's harmful.

Please define harmful. Some could argue that the impact of multiple
addresses on network devices is harmful, too.


>
>     I repeat… Your anti-DHCP religion is NOT HELPING.
>
>
> Not helping with what? The transition to IPv6? But if so - why bother
> using IPv6 if it's just 128-bit IPv4, with one address per host, no
> dynamic address changes (because DHCPv6 can't really support that) and
> NAT (because if you can't tell the host that its network configuration
> has changed, you need to ensure that the configuration *doesn't*
> change)?

Well: RFC8978 -- I experience that every other day, and I use SLAAC on
my home network.

As per "multiple addresses": the general case of multi-address,
multi-router scenario is currently simply broken.

P.S.: I'm just the messenger here....
--
Fernando Gont
Director of Information Security
EdgeUno
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531