IETF Logo Mail Archive

Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices

Daryll Swer <contact@daryllswer.com> Thu, 21 December 2023 23:28 UTC

Return-Path: <contact@daryllswer.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D925C14F691 for <v6ops@ietfa.amsl.com>; Thu, 21 Dec 2023 15:28:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=daryllswer.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9H4u5V7bWZ-h for <v6ops@ietfa.amsl.com>; Thu, 21 Dec 2023 15:28:00 -0800 (PST)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7766DC14EB19 for <v6ops@ietf.org>; Thu, 21 Dec 2023 15:27:47 -0800 (PST)
Received: by mail-ot1-x32f.google.com with SMTP id 46e09a7af769-6db963bd3acso907931a34.0 for <v6ops@ietf.org>; Thu, 21 Dec 2023 15:27:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daryllswer.com; s=google; t=1703201266; x=1703806066; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=cYXobAnfn+cTS9QH9VnWJtZMmdAXakxnN5DwbvCqtLA=; b=LRxpSB9BH6VkeCszwEhbEtGJVksyDM2PgX4gMZ1Bc1U6A4QzVK90lxMy5izUAopGMB 0MNtuLyS/WgMJzULxRYcsFexDzHOmWQk6c8VnB8r9dfeWWLc2gbQvZTdunGWw9rlPc5S lL5xZ0htZCj3R8zX3D9lofsNb+t5QA6TDxky1cTxer2u2AtSPClLWJdvzQKCyKqxAZbh 9RHm21yv/XPLiavqLtdFN+On3wr+d7CtDSvjmSAgA85nO0BKBWdkdDwlCBSWDjHdhZLN stFhvphFmBMpNqVYL+mPU8fXJBxwzSTAcmgDtXGj1eyo7f1h3t45Ks9ElSK3O4XAcsiM iU8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703201266; x=1703806066; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cYXobAnfn+cTS9QH9VnWJtZMmdAXakxnN5DwbvCqtLA=; b=KAdj+NaqZyChSsIQEMte9WJfKtf2/HXuBB6Bd3lNaVBFGw5KpZNknxNEA7yHseZRgQ i3mbfYHoksAUEkpttzuZZSKKOAe2V7HoqmHgdBKKdyF5qnlkK+dmc5/AMBRZ+TqEphRx YZMHi+5HAeBngLukAA6+H+HaZaRENzgCJrDAxzR5r67OiI4AFGgn+nxKhcLxBf+I2GLZ V4WdRIZBmsmrEKkMf3Ms842mGd4SQ8ZcTNXVdcExQTX0gDOW0ZpN4qd5c5bDec5H0g32 wy/PCJOx8D8/ZBQk8+MUbU6rYiUvkKLw/IgWLT3ehPbPCMaHHeBDsT4U/6NoldohIFNs 3FKw==
X-Gm-Message-State: AOJu0YxmjeOvbQ2d5Q90o0n3OYSGxlolEY9V/Fr7NH0Qf2qN8QD5m66T WMRMSoNexbvnQ4vqAV9/jDo29ZcCEQ/6Vy/aW4GMJQ+3o0TQXQ==
X-Google-Smtp-Source: AGHT+IEFzvrjR1rE1mphMrnAuwSZxnW7Ds1ni0sjH5BdiaQ8LHOPIvv91zvYAdyks5LJImG7DY2pyg==
X-Received: by 2002:a9d:7984:0:b0:6db:adb6:a857 with SMTP id h4-20020a9d7984000000b006dbadb6a857mr421628otm.27.1703201266300; Thu, 21 Dec 2023 15:27:46 -0800 (PST)
Received: from mail-oo1-f44.google.com (mail-oo1-f44.google.com. [209.85.161.44]) by smtp.gmail.com with ESMTPSA id f8-20020a4ab008000000b00593ec3398f3sm531028oon.17.2023.12.21.15.27.45 for <v6ops@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 21 Dec 2023 15:27:45 -0800 (PST)
Received: by mail-oo1-f44.google.com with SMTP id 006d021491bc7-59431ecabb0so430029eaf.0 for <v6ops@ietf.org>; Thu, 21 Dec 2023 15:27:45 -0800 (PST)
X-Received: by 2002:a05:6358:7581:b0:170:6ed7:3148 with SMTP id x1-20020a056358758100b001706ed73148mr399194rwf.22.1703201265227; Thu, 21 Dec 2023 15:27:45 -0800 (PST)
MIME-Version: 1.0
References: <0D527AB4-FE71-4EFB-AAD3-533FD174E669@employees.org> <ZYQapnuzH22P6_no@Space.Net> <267AD928-CCAE-46B1-912C-C09800C9DE56@employees.org> <ZYQmPaU-5mNGLgLx@Space.Net> <6C8EE69C-BD35-4BF3-87E1-4F3704F99FDD@employees.org> <CACyFTPEkfd=u=R9SNFvnE4bAY-Rzs4VCWM0gQsjODo_jpbX4=Q@mail.gmail.com> <ZYQ46Kg4_oDSE3g-@Space.Net> <CACyFTPGiKvOkwk3Cmu1eJVxDMank48M2Bz4+eFOigS_=Wy72Ng@mail.gmail.com> <ZYSIcOK6-nS-xP-F@Space.Net> <CACyFTPHbCc00z36PRSUCsP=8Av=z4Ms0KHwk1Rxd=19TXzdyhg@mail.gmail.com> <CAPt1N1=82h05qZRqhtDirXwS1Fvz8OPt0iFRWasFHMXkEp4Fuw@mail.gmail.com> <CACyFTPFJ=CjiYbZjdF8T63a14SgeNAKaAQeTVSbAxde4J9ZfRQ@mail.gmail.com> <02142da9-59f0-6d62-2484-5ad8f8d2719a@gmail.com> <CACyFTPGqVbvzdAKhwZB=9PEpq2CZxJTiU1kmSRNUAV78zmWCMQ@mail.gmail.com> <50199a9b-df1a-4292-9395-e12593e41fc5@gmail.com> <CACyFTPGdypzCg1RqyfWO0CmerLGfEzEb2EN-B3g-cVfA5wmpnA@mail.gmail.com> <d99bf3ae-0317-4969-a393-f2b922095aec@gmail.com> <CACyFTPEUc2-uMYd4yfoq-V3=K2HfN5zWEJRQ=pj7L_rvyufS4w@mail.gmail.com> <f9eb0eaa-da13-4750-8713-120283f00f72@gmail.com>
In-Reply-To: <f9eb0eaa-da13-4750-8713-120283f00f72@gmail.com>
From: Daryll Swer <contact@daryllswer.com>
Date: Fri, 22 Dec 2023 04:57:31 +0530
X-Gmail-Original-Message-ID: <CACyFTPHTpj_2HYF6YmjbZouCjzaJnNRuCkK2UHCv7Ez64PLMUw@mail.gmail.com>
Message-ID: <CACyFTPHTpj_2HYF6YmjbZouCjzaJnNRuCkK2UHCv7Ez64PLMUw@mail.gmail.com>
To: "Soni \"They/Them\" L." <fakedme+ipv6@gmail.com>
Cc: v6ops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000651f49060d0d72d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/QLA3fhJmfDyBdeB3ieK8GH_T94g>
Subject: Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2023 23:28:04 -0000

Soni

I explained the problem with SLAAC logging in the other email to Jen, even
if we do use NDP Table. If you still think NDP table export with SLAAC is a
financially smart idea in small (to medium-sized even) business, be my
guest and go ahead and do it ;)

--
Sent from my iPhone


On Fri, 22 Dec 2023 at 4:37 AM, Soni "They/Them" L. <fakedme+ipv6@gmail.com>
wrote:

> 1. Being completely honest we never looked if logging MAC addresses
> alongside IP addresses is standard among the industry, we don't really have
> experience in the enterprise IT network area, it just seems like the
> obvious solution to us and it's the solution we'd deploy if we were making
> a custom solution for it. We mostly just work with OS dev stuff (and still
> trying to get wasm to ship "IPv6-only networking in userspace" which is
> even more cursed than some of the other stuff we've brought up on this
> list)...
> 2. You can argue TLS is obscurity since 256-bit keys are finite after all.
> Technically all encryption is obscurity really, it's just generally
> infeasible to break it. So no, that's... really not a good argument.
>
> On 2023-12-21 19:53, Daryll Swer wrote:
>
> Soni
>
> Since apparently you've solved SLAAC logging issues for enterprise.
>
> 1. Share with us all the steps required for packet-logging free method to
> track SLAAC address in an enterprise network. We need the steps for common
> market vendors such as Juniper, MikroTik, Arista etc. I'm listening.
> Preferably it be an open standard/protocol/tooling that's widely available
> in the industry and one that's well supported by all major network vendors.
>
> 2. > hiding the exact number of devices in a network
> Obscurity is not security. This is the same argument and logic IPv4 NAT
> users make. "Oh but I'm hiding 100 hosts behind single public IP".
>
> --
> Sent from my iPhone
>
>
> On Fri, 22 Dec 2023 at 4:06 AM, Soni "They/Them" L. <
> fakedme+ipv6@gmail.com> wrote:
>
>> Nah, locally you'd be using MAC addresses to identify the device. The
>> Ephemeral IPv6 is just there to help with one aspect of IP address privacy
>> (hiding the exact number of devices in a network by making remote servers
>> think there are a lot more of them, and, while at it, also breaking some
>> login forms for the fun of it).
>>
>>
>> On 2023-12-21 19:27, Daryll Swer wrote:
>>
>> Soni
>>
>> Ah, encouraging cybercrime through multiple randomly generated IPv6
>> source IPs, are we? Fantastic idea. I'll be sure to share this explanation
>> of yours with law enforcement when they come asking for logs. And point
>> them to this mailing list on why I failed to provide reliable and
>> consistent logs for my SLAAC VLAN.
>>
>> I'm not interested in making it easier for cybercrime to occur through my
>> network as origin, therefore comes the need for DHCPv6.
>>
>> In the past with early days of CGNAT, it took quite some time and
>> pressure from law enforcement before deterministic NAT logging was drafted
>> at the IETF. If this pattern holds true, it's only a matter of time before
>> similar pressure hits IPv6 as IPv6 adoption is increasing. I don't think
>> the IETF will draft NAT66 deterministic logging. I only see ia_na as the
>> viable option.
>>
>>
>> --
>> Sent from my iPhone
>>
>>
>> On Fri, 22 Dec 2023 at 3:41 AM, Soni "They/Them" L. <
>> fakedme+ipv6@gmail.com> wrote:
>>
>>>
>>>
>>> On 2023-12-21 18:59, Daryll Swer wrote:
>>>
>>> We're going in circles here, hashing the same thing over and over again.
>>> I genuinely do not understand why the decision makers in the IETF with
>>> respect to SLAAC/DHCPv6 don't seem to grasp the reality that SLAAC isn't a
>>> one size fits all.
>>>
>>> A major pain for operators (like me) is exactly this type of debate
>>> (going in circles) in IETF mailing lists. This is the real reason why, we
>>> don't have a lot of operators on these lists.
>>>
>>> A ia_na only VLAN is probably something I wouldn't do because of the
>>> CLAT issues at this point in time. What I would do is ia_na + ia_pd, if
>>> we're talking something like campus Wi-Fi or public Wi-Fi, I would likely
>>> opt for /128 ia_na + /127 ia_pd (need to check if all vendors supports
>>> this, MikroTik does if I remember correctly). There's no reason for me to
>>> give a /48 per thousands of mobile phone users connected over Wi-Fi.
>>>
>>> The need for ia_na isn't really driven from IPv4 thinking. I'm not about
>>> to deploy NAT66. The need for ia_na is for auditing and making it easier to
>>> provide logs for security incidents not only for internal company but also
>>> to law enforcement. I shouldn't need to perform gymnastics with SLAAC in an
>>> enterprise network to figure out which device used which /128 that law
>>> enforcement is asking for information about.
>>>
>>> By definition SLAAC is stateless. And we need state tracking (state of
>>> address assignment not CLAT).
>>>
>>> As far as "security" is concerned, we normally deploy stateful firewall
>>> anyhow (which permits ICMPv6 through and through at the least), to protect
>>> the clients.
>>>
>>> Regarding, privacy, come on, are you really telling me Google analytics
>>> and big tech analytics can't tracked me if I use SLAAC? They can, via
>>> system/OS/Device and browser fingerprinting, not even just cookies. They've
>>> been doing this for decades, for devices that switch between "Wi-Fi" and
>>> cellular for instance.
>>>
>>> This strange idea that analytics only work on static IPs (and therefore
>>> dynamic IPs give privacy) is something I can never understand.
>>>
>>>
>>> It's not "a" dynamic IP that gives you privacy. It's *multiple*.
>>>
>>> Are you familiar with the concept of "poisoning" where you fill the data
>>> with extra, autogenerated data?
>>>
>>> For example, filling up a library with AI-generated books, or filling up
>>> a search history with markov chain search queries, or sending "You have
>>> been blocked" posts to mastodon instances you have... blocked.
>>>
>>> It makes it harder to find real books, it makes it harder to identify
>>> real queries, it prevents real posts from getting federated through
>>> third-parties.
>>>
>>> The same is true for using lots and lots and lots of IPv6. The more IPv6
>>> per second, the harder it is to identify the device.
>>>
>>>
>>>
>>> --
>>> Sent from my iPhone
>>>
>>>
>>> On Fri, 22 Dec 2023 at 3:13 AM, Brian E Carpenter <
>>> brian.e.carpenter@gmail.com> wrote:
>>>
>>>> On 22-Dec-23 08:45, Daryll Swer wrote:
>>>> >  > E.g., the Google IPv6-mostly deployment Jen has been talking about
>>>> over the years enables SLAAC
>>>> >
>>>> > The decision should be left up to the network operator on whether to
>>>> use DHCPv6 or SLAAC or both. But unfortunately even if an operator wants to
>>>> use DHCPv6 they can't if they have Android clients.
>>>> >
>>>> > *Why is Google allowed to dictate how other operators should deploy
>>>> IPv6? Are they the IPv6 police?*
>>>>
>>>> Welcome to capitalism. The market has chosen to buy a lot of Android
>>>> devices. That's all.
>>>>
>>>> >
>>>> > As for preference, just search up "DHCPv6 enterprise", you can find
>>>> many operators who discussed this very issue or preference over the years.
>>>> I'm surprised you never encountered enterprise folks who explicitly and
>>>> vocally prefers DHCPv6.
>>>>
>>>> They tend to, because they wish to determine the relationship between a
>>>> device and its IP address in advance, as they've been doing for years.
>>>> Whether this is actually necessary is another question. With SLAAC, this
>>>> relationship can be logged and determined retrospectively. I've never been
>>>> quite clear why this is problematic, for either audit purposes or incident
>>>> management. Isn't there just a false assumption that the way addresses had
>>>> to be managed for IPv4 is also the way it must be done for IPv6?
>>>>
>>>>      Brian
>>>>
>>>> >
>>>> > It doesn't take very long to figure out "general" preference just by
>>>> reading this thread top to bottom:
>>>> > https://issuetracker.google.com/issues/36949085 <
>>>> https://issuetracker.google.com/issues/36949085>
>>>> >
>>>> > Another source:
>>>> >
>>>> https://www.nullzero.co.uk/android-does-not-support-dhcpv6-and-google-wont-fix-that/
>>>> <
>>>> https://www.nullzero.co.uk/android-does-not-support-dhcpv6-and-google-wont-fix-that/
>>>> >
>>>> >
>>>> > /Do I really need to share 100 links here on this mailing list, of
>>>> folks who've been complaining about this Android DHCPv6 issue for the last
>>>> 10+ years?/
>>>> >
>>>> > Every single enterprise folk I know prefers stateful DHCPv6, but are
>>>> often if not always stuck with SLAAC.
>>>> >
>>>> > --
>>>> > Sent from my iPhone
>>>> >
>>>> >
>>>> > On Fri, 22 Dec 2023 at 12:59 AM, Ted Lemon <mellon@fugue.com <mailto:
>>>> mellon@fugue.com>> wrote:
>>>> >
>>>> >     I think your stated preference says more about you than about
>>>> enterprise networks in general. E.g., the Google IPv6-mostly deployment Jen
>>>> has been talking about over the years enables SLAAC.
>>>> >
>>>> >     I don't mean that you're wrong to have this preference, just that
>>>> it seems clearly wrong to generalize from your preference (for which you
>>>> haven't stated a reason for us to consider) to all enterprise settings. Of
>>>> the two enterprise settings about which I have personal knowledge, zero
>>>> have deployed DHCPv6. Deploying DHCPv6 requires extra work and extra cost.
>>>> It seems absurd to think that this would be peoples' default choice.
>>>> >
>>>> >     On Thu, Dec 21, 2023 at 2:17 PM Daryll Swer <contact=
>>>> 40daryllswer.com@dmarc.ietf.org <mailto:40daryllswer.com@dmarc.ietf.org>>
>>>> wrote:
>>>> >
>>>> >          > Dual-stack in the edge needs to go away.
>>>> >
>>>> >         Very likely we have different definitions of an edge router.
>>>> But either way, I'm happy to do v6-only network if Android and/or other
>>>> popular end-user OSes supported DHCPv6 to the fullest extent.
>>>> >
>>>> >         For me SLAAC should be limited largely, by default to home
>>>> networks, SOHO etc. In an enterprise or ISP network, I think most operators
>>>> would prefer DHCPv6 stateful, including me.
>>>> >
>>>> >         I would prefer stateful DHCPv6 even in my own home lab. But
>>>> alas, Android devices prevents that, at least on the same SSID, oh well,
>>>> more reasons to buy an iOS device - Why waste money on a vendor with
>>>> incomplete IPv6 feature set...
>>>> >
>>>> >         *--*
>>>> >         Sent from my iPhone
>>>> >
>>>> >
>>>> >         On Fri, 22 Dec 2023 at 12:18 AM, Gert Doering <gert@space.net
>>>> <mailto:gert@space.net>> wrote:
>>>> >
>>>> >             Hi,
>>>> >
>>>> >             On Thu, Dec 21, 2023 at 10:22:00PM +0530, Daryll Swer
>>>> wrote:
>>>> >              > > Not wanting to operate a dual-stack network is less
>>>> an "IPv6 purist"
>>>> >              > thing as more "pure lazyness".  Dual-stack is,
>>>> basically, more work to set
>>>> >              > up and maintain things, for very little gain.
>>>> >              >
>>>> >              > Dual stack on the layer 3 devices in the access layer
>>>> does not imply dual
>>>> >              > stack network-wide, you can use IPv6-only PtP links
>>>> with IPv4 routed over
>>>> >              > the IPv6 next-hop, this limits dual stack only on your
>>>> layer 3
>>>> >              > sub-interface VLANs on each layer 3 devices in the
>>>> access layer.
>>>> >
>>>> >             Yes, but backbone links are an order of magnitude less
>>>> than access VLANs,
>>>> >             and much easier to (auto-)provision and monitor than
>>>> "random access
>>>> >             networks with random clients, random applications, and
>>>> random failure
>>>> >             modes hiding real issues".
>>>> >
>>>> >             Dual-stack in the edge needs to go away.
>>>> >
>>>> >             Gert Doering
>>>> >                      -- NetMaster
>>>> >             --
>>>> >             have you enabled IPv6 on something today...?
>>>> >
>>>> >             SpaceNet AG                      Vorstand: Sebastian v.
>>>> Bomhard, Michael Emmer
>>>> >             Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A.
>>>> Grundner-Culemann
>>>> >             D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
>>>> >             Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>>>> >
>>>> >
>>>>  131829f8f8575132ef0687e1489e7952ad119c16​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​
>>>> _______________________________________________
>>>> >
>>>> >
>>>> >         v6ops mailing list
>>>> >         v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>> >         https://www.ietf.org/mailman/listinfo/v6ops <
>>>> https://www.ietf.org/mailman/listinfo/v6ops>
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > v6ops mailing list
>>>> > v6ops@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/v6ops
>>>>
>>>
>>> _______________________________________________
>>> v6ops mailing listv6ops@ietf.orghttps://www.ietf.org/mailman/listinfo/v6ops
>>>
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email