Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Vasilenko Eduard <vasilenko.eduard@huawei.com> Tue, 07 February 2023 07:17 UTC
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>
Date: Tue, 07 Feb 2023 07:17:43 +0000
Hi Fernando,

You did not mention that the /48 may be dynamic (PA changing over time). Hence, even /48 block may not block the offender.
The offender in principle may buy a connection from such a Carrier. Then rotate his /56 periodically.

The possibility to trace offenses against RIR blocks is missing in the document. It is the most meaningful statistic.

IMHO: it may make sense to mention in the absent conclusion that "there is no reliable way to block only the offender. If the offense is big enough, it is possible to block the legal entity (consulting with RIRs registry)."

Eduard

-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Fernando Gont
Sent: Tuesday, February 7, 2023 7:28 AM
To: IPv6 Operations <v6ops@ietf.org>
Subject: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Folks,

FYI, this one is targeted at opsec, but might be of interest to this group:

* TXT: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
* HTML: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html

Thanks!

Regards,
Fernando

-------- Forwarded Message --------
Subject: (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Date: Fri, 3 Feb 2023 01:28:17 -0300
From: Fernando Gont <fgont@si6networks.com>
To: opsec@ietf.org

Hi, All,

I happened to participate in an IPv6 deployment meeting with some large content provider. Eventually there was a discussion about how to mitigate some attacks using block-lists, and they argued that they ban offending addresses (/128 for the IPv6 case), following IPv4 practices.

While they had already deployed IPv6, some of the associated implications arising from the increased address space seemed to be non-obvious to them.

So that's what motivated the publication of this document.

* TXT: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
* HTML: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html

Comments welcome!

Thanks,
Fernando

-------- Forwarded Message --------
Subject: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt
Date: Thu, 02 Feb 2023 19:48:40 -0800
From: internet-drafts@ietf.org
To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont <ggont@si6networks.com>

A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt has been successfully submitted by Fernando Gont and posted to the IETF repository.

Name: draft-gont-opsec-ipv6-addressing
Revision: 00
Title: Implications of IPv6 Addressing on Security Operations
Document date: 2023-02-02
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
Htmlized: https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing

Abstract:
The increased address availability provided by IPv6 has concrete implications on security operations. This document discusses such implications, and sheds some light on how existing security operations techniques and procedures might need to be modified to accommodate the increased IPv6 address availability.

The IETF Secretariat

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
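The block-list problem discussed in this thread (per-address /128 entries carried over from IPv4 practice, versus an offender rotating addresses inside a delegated /56), as an added example that is not part of the original messages or of the draft. The escalation levels, the threshold and the sample addresses (taken from the documentation prefix 2001:db8::/32) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: offending sources inside the documentation prefix.
# One customer rotates through a delegated /56; another host offends once.
SAMPLE = [
    "2001:db8:aa:1200::10", "2001:db8:aa:1201::77", "2001:db8:aa:1202::5",
    "2001:db8:aa:12ff::9c", "2001:db8:bb:4400::1",
]

def covering(net, new_len):
    """Return the /new_len network that contains `net`."""
    return ipaddress.IPv6Network((int(net.network_address), new_len), strict=False)

def escalate(addresses, levels=(64, 56, 48), threshold=3):
    """Start from /128 entries and widen an entry to the next level when at
    least `threshold` distinct entries fall inside the same covering prefix.
    `levels` and `threshold` are assumptions, not values from the draft."""
    entries = {ipaddress.IPv6Network(a) for a in addresses}  # each is a /128
    for length in levels:
        groups = defaultdict(set)
        for net in entries:
            groups[covering(net, length)].add(net)
        merged = set()
        for parent, children in groups.items():
            if len(children) >= threshold:
                merged.add(parent)      # offenders cluster here: block the prefix
            else:
                merged |= children      # too few: keep the narrower entries
        entries = merged
    return sorted(entries)

def is_blocked(address, entries):
    """True if `address` falls inside any block-list entry."""
    ip = ipaddress.IPv6Address(address)
    return any(ip in net for net in entries)

if __name__ == "__main__":
    per_address = [ipaddress.IPv6Network(a) for a in SAMPLE]
    by_prefix = escalate(SAMPLE)
    rotated = "2001:db8:aa:1234::1"     # next address from the same /56
    print("entries:", [str(n) for n in by_prefix])
    print("/128 list blocks rotated address:", is_blocked(rotated, per_address))
    print("escalated list blocks it:", is_blocked(rotated, by_prefix))
```

Because the delegated prefix itself may change over time, as the reply points out, entries produced this way would need an expiry rather than being kept indefinitely.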