[v6ops] Re: DHCPv6 PD in a multi-prefix environment

[Daryll Swer <contact@daryllswer.com>]

> So, are you saying the SNAC router should use a GUA prefix in all cases
and expose the IOT devices to the Global Internet?

What do you mean precisely by this? Yes, I'd give *native* *GUA* for
*everything,
*including my thermometer. But how did you conclude it'll be exposed to the
global internet? The CE for average home users is stateful
firewalled-default enabled for IPv6 with devices like TP-Link, Asus etc, in
fact, most of these off-the-shelf CPEs don't even support IPv6 firewall
disable-mode nor manual port allow on their firewall implementation
(usually legacy iptables in the backend). And for any enterprise or
professional users, they'd know how to set up their own stateful firewall,
either on the CE or on a middle-box below it.

I see zero reasons for ULA (other than the re-numbering possibility). What
I'd do (if we are discussing enterprise/business use cases) is getting my
own prefix from a RIR (or cheaper LIR? Whatever works), and:

   1. Get the ISP to advertise it for me and route it to me, OR
   2. Use my own GUA prefix internally (remember this is not globally
   advertised in this example) and then NPTv6 it back to the upstream's ISP(s)
   prefix delegation for a pure stateless, transport-agnostic translation.
   That solves your numbering problem permanently, even if you changed ISPs
   daily (assuming each ISP complies with BCOP-690 and gives you a /56 or
   larger GUA), OR
   3. If own-GUA is no go, I opt for *200::/7* space (reasoning being to
   avoid ULA-related operational issues, but perhaps even the new
   documentation prefix would suffice and might be a “cleaner” approach) and
   use it internally to avoid renumbering, and then combine it with NPTv6.

As someone who works professionally in this line of work, who also happens
to be a major advocate for native P2P networking without hacks (TURN) —
This is what I do to balance between stateful firewalling and P2P — I'm
sure there are many other professionals who do something similar as well:

   1. *Stateless* filters on the CE or middle-box (In Linux world that
   means, iptables prerouting chain, nftables -400 or -450 priority hook,
   IIRC) to drop bogons and for example, port 25 (with ACLs), basic ACLs to
   protect localhost daemons (BGP, OSPF etc).
   2. On-Host firewall and application security configuration/hardening —
   For example, my Windows machines all have default stateful firewall enabled
   which blocks all unsolicited ingress by default, my Linux hosts are
   configured via templates to do the same thing, and for additional security,
   let's assume nginx is running and exposed to WAN, I implement recommended
   practices to harden nginx on layer 7. Of course, we should implement
   OS-hardening as well, per industry norms.
   3. And if these are enterprise work-stations, the IT/System teams should
   ideally deploy policy control and management on their employee's
   company-owned devices to additionally block installation of unauthorised
   software, modifications etc.
   4. IoT devices (thermometer, cameras etc) are on IoT-dedicated VLANs —
   Said VLANs are always, permanently behind stateful firewall rules. However,
   I do not block ICMPv6 and always permit global ICMPv6 reachability — I only
   drop deprecated ICMPv6 subtypes
   <https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-4>,
   directly on the edge. That being said, most devices' kernel comes with a
   default ICMPv4/v6 rate-limit as well, so that helps a bit.

tl;dr
No need for ULAs, NAT66 hacks, renumbering — To
achieve security/firewalling and “mobility” (probably poor choice of word
here) across ISP-numbering.

*--*
Best Regards
Daryll Swer
Website: daryllswer.com
<https://mailtrack.io/l/6a46e2daa868111b9f7696db0b6127dd572ecadc?url=https%3A%2F%2Fwww.daryllswer.com&u=2153471&signature=62149b81261996e4>


On Wed, 24 Jul 2024 at 08:39, David Farmer <farmer=40umn.edu@dmarc.ietf.org>
wrote:

> So, are you saying the SNAC router should use a GUA prefix in all cases
> and expose the IOT devices to the Global Internet?
>
> On Tue, Jul 23, 2024 at 9:55 PM Ted Lemon <mellon@fugue.com> wrote:
>
>> No, I mean can you describe a real-world scenario where this would
>> happen. I get that you could configure a DHCP server to do this. The
>> question is, when would someone configure the DHCP server that way?
>>
>> On Tue, Jul 23, 2024 at 7:49 PM David Farmer <farmer@umn.edu> wrote:
>>
>>> I already did scenario A.3 in draft-ietf-snac-simple. It is appropriate
>>> for the SNAC router to obtain a ULA prefix instead of a GUA prefix to
>>> reduce the attack surface of the IOT devices.
>>>
>>> On Tue, Jul 23, 2024 at 9:33 PM Ted Lemon <mellon@fugue.com> wrote:
>>>
>>>> Can you give us an example of a situation where such a decision would
>>>> need to be made?
>>>>
>>>> On Tue, Jul 23, 2024 at 6:48 PM David Farmer <farmer=
>>>> 40umn.edu@dmarc.ietf.org> wrote:
>>>>
>>>>> The classic ISP use case for DHCPv6 PD, as envisioned initially by
>>>>> RFC3633 and integrated into RFC8415, typically expected a single prefix to
>>>>> be delegated to a requesting router from the ISP. Meanwhile, many of the
>>>>> draft-ietf-v6ops-cpe-lan-pd use cases probably expect a subdelegation from
>>>>> this ISP provided prefix. Nevertheless, an RFC7084 CE Router may also have
>>>>> a ULA prefix to subdelegate from, and a ULA prefix may be more appropriate
>>>>> for some of the use cases. Not to mention, there may be prefixes from more
>>>>> than one ISP or additional prefixes while renumbering.
>>>>>
>>>>> Should the delegating router in draft-ietf-v6ops-cpe-lan-pd advertise
>>>>> subdelegations from all prefixes it may have and let the requesting router
>>>>> choose one or more? How does the requesting router know which prefixes it
>>>>> is appropriate to select in what circumstances? If the delegating router
>>>>> doesn't advertise subdelegations from all prefixes, how does it know which
>>>>> prefixes to advertise to which requesting routers?
>>>>>
>>>>> You can also ask the question from the opposite direction: How does
>>>>> the requesting router solicit for a ULA prefix instead of a GUA prefix if
>>>>> that is more appropriate for its use case?
>>>>>
>>>>> These questions came to mind while reading draft-ietf-snac-simple, as
>>>>> it would seem reasonable to want the SCAC router to obtain a ULA prefix
>>>>> from the delegating router and not a GUA prefix, especially in the scenario
>>>>> described in A.3. However, similar questions exist for downstream RFC7084
>>>>> or PD-per-device in a multi-prefix environment.
>>>>>
>>>>> Thanks.
>>>>> --
>>>>> ===============================================
>>>>> David Farmer               Email:farmer@umn.edu
>>>>> Networking & Telecommunication Services
>>>>> Office of Information Technology
>>>>> University of Minnesota
>>>>> 2218 University Ave SE        Phone: 612-626-0815
>>>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>>>> ===============================================
>>>>> _______________________________________________
>>>>> v6ops mailing list -- v6ops@ietf.org
>>>>> To unsubscribe send an email to v6ops-leave@ietf.org
>>>>>
>>>>
>>>
>>> --
>>> ===============================================
>>> David Farmer               Email:farmer@umn.edu
>>> Networking & Telecommunication Services
>>> Office of Information Technology
>>> University of Minnesota
>>> 2218 University Ave SE        Phone: 612-626-0815
>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>> ===============================================
>>>
>>
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
> _______________________________________________
> v6ops mailing list -- v6ops@ietf.org
> To unsubscribe send an email to v6ops-leave@ietf.org
>