IETF Logo Mail Archive

Re: [v6ops] Fwd: New Version Notification for draft-hilliard-v6ops-host-addr-update-00.txt

Ted Lemon <mellon@fugue.com> Tue, 18 July 2017 17:55 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB92A131B19 for <v6ops@ietfa.amsl.com>; Tue, 18 Jul 2017 10:55:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pg61pcAGd_g7 for <v6ops@ietfa.amsl.com>; Tue, 18 Jul 2017 10:55:00 -0700 (PDT)
Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com [IPv6:2607:f8b0:400e:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E831131B66 for <v6ops@ietf.org>; Tue, 18 Jul 2017 10:54:59 -0700 (PDT)
Received: by mail-pg0-x22a.google.com with SMTP id u5so16539459pgq.3 for <v6ops@ietf.org>; Tue, 18 Jul 2017 10:54:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nQCv2agBwlEL2PS5mSxFTNHvaHdh790aVeOEyL2V4KU=; b=sYoLEBB+6vsPUmxHF7Bif4qMaURG+sRQdXZjP3S2RjHgCyt01ZH27PiViU7dJSPA4V 95D0ppN9JqocrWEfePeBMIbnM7stoWzTw0Nl5+ngUXOSYuvpmpW4ojpVQTpqGKKf2LiG FdCk/GLcCXi6+PSDsNgQb89s7M0HmugjHCu538z2g24sUWlRWMDCao0EhZhPg2EIMdrt dNyZKFw/MymB42Vfbq4Brft2MQRj3ilVVE7BnNQjhN8Z503Kk/5mlCokWScgcQYtdCj9 ciuVgYDLQ+BWGiVtIJCBeERBX+Dr1DvntuzGU6jHBevacFx+ld1zWXE/+GWbpLL4luTL VAnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nQCv2agBwlEL2PS5mSxFTNHvaHdh790aVeOEyL2V4KU=; b=ckgmpiEMMuMQIkLNwsvDKZT5ZBDJ+9fT54zvUXko95dd8HcTkoSn4iFAzjvzYe8BVM HJMlArugrn7BhyQWGkVVS7iuewr89rCpnDc6Wvb7echuDj7ggfEyrAgysbt45O6TsCrC zF4VLmvdzuNvQ27+BF+S+G5tBOO2KmCm7n7Cn9MVcaBfSpA+oCCOCDpeOLSiX7TMi0rU 3XQqlzW5nc7PINIbqSV6aZMJhtTpZE67Dgli0+0HXKaw1KNwRMtK81+DJCtmwhUcwNre rF7LMep+Ut6iT0uK5CQuUrk3+kGvNMq5pLs2KiR4dU0c16LBTEShyKOcjB3JqpUi5Yzx hJiw==
X-Gm-Message-State: AIVw110ECYAg5110awJ+HTLofcvMeIPvEU+CGdZmenQ4yYEI/x3DsZg4 dRrB62IqMphMxSg46Np5YGuU0fUOxp9A
X-Received: by 10.99.62.65 with SMTP id l62mr2924506pga.220.1500400498863; Tue, 18 Jul 2017 10:54:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.181.42 with HTTP; Tue, 18 Jul 2017 10:54:18 -0700 (PDT)
In-Reply-To: <CAFy81rmZefKx6jTsS+8J9fJANXwm1cOKdE6L17Yu4xri4xgY7g@mail.gmail.com>
References: <596CF817.8040900@foobar.org> <CAO42Z2wFSXWru_Tgwpuf2xgOCr2iX0BwrTHvnS2TcR6EQBi1Fw@mail.gmail.com> <CAFy81rmZefKx6jTsS+8J9fJANXwm1cOKdE6L17Yu4xri4xgY7g@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Tue, 18 Jul 2017 19:54:18 +0200
Message-ID: <CAPt1N1max8-arTFZ7kymK36ny4DqWF2bkmfh1qf_ioQwCSfHAg@mail.gmail.com>
To: Scott Morizot <tmorizot@gmail.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, IPv6 Operations <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c18ff6ac1852505549b363d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/NLFfYEWniPfe16mrnqzSg12-lUM>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-hilliard-v6ops-host-addr-update-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 17:55:05 -0000

The current document recommends generally against the particular use of
DHCP that you are using, but does not forbid it.   This is the correct
recommendation for most devices on the Internet.   The set of devices that
you use do not fall into that category, so the suggestion is really not at
all applicable to your use case.   This is why the document says what it
says.   It doesn't even say "SHOULD NOT."   It just says "won't have good
privacy characteristics, and therefore is not preferred."

Asking that IETF recommendations, which, again, remember, are aimed at *all
devices on the internet*, instead be tailored to just your use case, is not
reasonable.   The reason that the language reads the way it does is so as
to not exclude your use case.   I don't see how you could possibly justify
language that was any more accommodating of your use case.   As you say,
vendors of the sorts of devices that you use are not going to read that
document and think "oh, I guess I should disable IA_NA support now."

So what exactly would an update accomplish?   Please don't send another
long wall of text.   Just explain how we can balance these two competing
needs better than we currently are doing?

On Tue, Jul 18, 2017 at 7:38 PM, Scott Morizot <tmorizot@gmail.com> wrote:

> Perhaps the actual problem is a limited active participation in the IETF
> process by certain groups, such as the large enterprise networks (outside
> enterprise networks of large technology companies) sphere? That has always
> been my day to day environment and focus whether as an application
> developer, network engineer, or from any of the other hats that are dropped
> in my lap, including interacting with groups of organizations outside my
> own. I confess I read mailing list discussions intermittently and actively
> say anything much less frequently than I read. But comments like the below
> leave me bemused.
>
> Those sorts of networks are highly constrained. Hosts and developers have
> to coordinate even to be allowed on the network. Things that are purchased
> and deployed generally have to meet our requirements and lots of things are
> eliminated from consideration because they don't. If something has special
> requirements, there's a lengthy process designing, testing, and documenting
> the changes in the security boundary. Innovation is certainly restricted
> and coordinated, even with in house developed applications.
>
> There are lots of processes and tools integrated with DHCP assignment
> information. But that's hardly the only data collected, the only layer of
> protection, or the only avenue pursued when doing forensic analysis of an
> attack. Connection security in one form or another is used. ARP/Neighbor
> table information (as well as configuration in general) is collected and
> tracked. Log data at every level is collected. There's IDS/IPS and packet
> collectors at different key points. There are firewalls at all sorts of
> different points from the host up. But no large enterprise is merely
> looking for purely malicious traffic. They are also auditing and analyzing
> all activity by authorized users. It's a highly inspected, highly
> constrained networking environment and always will be.
>
> A lot of those automated processes are tied into DHCP data. It's not that
> that's the only source of forensic data, the sole audit point, or the
> single point of protection. But a lot of automated tools/processes are
> built around that data and that is not going to change quickly. Perhaps
> when IPv4 is removed from much of the enterprise, it can be considered,
> though there would have to be a compelling reason for enterprises to make
> such a change. No such compelling reason currently exists. It will not
> happen before then except in very special circumstances on different
> networks from most hosts, not on general purpose data networks.
>
> Host developers who want to sell to such enterprises will support DHCPv6
> IA_NA address assignment on networks that provide no other alternative.
> They already do for the most part because those networks exist today. And
> they will continue to exist for a good number of years to come, whatever
> the IETF decides to recommend or not recommend. If a host/node developer
> has a special use case (as a limited IOT device such as door key card
> access devices and alarm sensors very well might) and a large enterprise of
> the sort I've described has a need for it, that might be engineered in a
> special network of its own. So it's not an absolute that any given
> host/node that wants to sell to large enterprises of the sort I've noted
> above has to support DHCPv6 IA_NA address assignment. But as a general rule
> of thumb? That should probably be the default expectation. It should be
> considered, at least.
>
> So I support the idea behind the changes to RFC 7934 proposed in the
> draft, however they might be wordsmithed, as it more accurately reflects
> reality. The current description may reflect a "best common practice" for
> general use data on some networks and in some environments. It is not even
> vaguely the common practice elsewhere. And it's unlikely to be anytime
> soon. If the purpose of the document is to express what the IETF wished
> were the common practice on most networks, that's fine. If its purpose is
> to express the actual common practice, the current document falls short.
>
> I have a hard time feeling too strongly about it, though. Host/node
> developers often do want to sell to large enterprises, and as such they
> typically will meet their specified requirements. I don't expect that to
> change whatever the IETF chooses to publish. That's one situation in which
> money does usually talk.
>
> Scott
>
> On Mon, Jul 17, 2017 at 7:59 PM, Mark Smith <markzzzsmith@gmail.com>
> wrote:
>
>> Fundamentally, we don't want hosts and application developers to have
>> to ask for permission from the network to innovate, nor have the
>> network impose artificial constraints on innovation. Artificial
>> address scarcity is following the traditional telephone network
>> scarcity model. (See David Isenberg's "Rise of the Stupid Network")
>>
>>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
>

v2.23.0 | Report a Bug | By Email