Re: [v6ops] SLAAC renum: Problem Statement & Operational workarounds

Owen DeLong <owen@delong.com> Tue, 29 October 2019 03:00 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0B212008D for <v6ops@ietfa.amsl.com>; Mon, 28 Oct 2019 20:00:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.998
X-Spam-Level:
X-Spam-Status: No, score=-6.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ti6jiR4xZQmp for <v6ops@ietfa.amsl.com>; Mon, 28 Oct 2019 20:00:40 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 64CDA120047 for <v6ops@ietf.org>; Mon, 28 Oct 2019 20:00:40 -0700 (PDT)
Received: from [172.20.0.85] (rrcs-97-79-186-2.sw.biz.rr.com [97.79.186.2]) (authenticated bits=0) by owen.delong.com (8.15.2/8.15.2) with ESMTPSA id x9T30I0I029734 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Oct 2019 20:00:21 -0700
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com x9T30I0I029734
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1572318022; bh=Dhv68lDdWMX0sO4XYXgKHrE/Xb+HLq89fjoYAuEtqP8=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=A8/KE/rdqxxcdf3Dgy5BVlQPfSztPDqcEcx3KQ76i/1XdeZWXzGYQn8mhKerjVWCw cGaGBHdwBY5sXZcBWu9t8QQ74G8V77jFaRCIiYnbg2LaFnoq6JsfsynGm+Ugl8aj4O f7WxJecWZAx6yk06PO5nWLe9QiICB7eJWOB4e5tU=
From: Owen DeLong <owen@delong.com>
Message-Id: <FA25340B-0CBA-407D-85EB-FB1E26FA3EFF@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D6459AC7-F240-4452-844E-C84B49E93283"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Mon, 28 Oct 2019 20:00:17 -0700
In-Reply-To: <FB1EEF1D-1D5D-4DEE-B433-ADC3904D7917@fugue.com>
Cc: Philip Homburg <pch-v6ops-9@u-1.phicoh.com>, v6ops@ietf.org
To: Ted Lemon <mellon@fugue.com>
References: <CAO42Z2yQ_6PT3nQrXGD-mKO1bjsW6V3jZ_2kNGC2x586EMiNZg@mail.gmail.com> <B53CE471-C6E8-4DC1-8A72-C6E23154544F@fugue.com> <m1iOk6q-0000IyC@stereo.hq.phicoh.net> <855496CB-BF7E-41E6-B273-41C4AA771E41@fugue.com> <3E4C671B-A03E-4A3F-A68B-5849BDCC6267@delong.com> <FB1EEF1D-1D5D-4DEE-B433-ADC3904D7917@fugue.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (owen.delong.com [192.159.10.2]); Mon, 28 Oct 2019 20:00:22 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/YM0rXkeuTeBm4WreJkax0Q6cidQ>
Subject: Re: [v6ops] SLAAC renum: Problem Statement & Operational workarounds
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 03:00:42 -0000


> On Oct 27, 2019, at 12:46 PM, Ted Lemon <mellon@fugue.com>; wrote:
> 
> On Oct 27, 2019, at 3:35 PM, Owen DeLong <owen@delong.com <mailto:owen@delong.com>> wrote:
>> In the vast majority of situations where I would expect hostile hosts to be likely to be on LAN, I don’t think I’d be using
>> SLAAC for address assignment in the first place. Most likely, I’d want stateful DHCP in such instances.
> 
> Hostile hosts happen when you get hit with malware, e.g. ransomware.   Being resilient in situations like this is important, even if they aren’t all that common, because the cost of non-resilience is so high.
> 

There’s a difference between networks where hostile hosts can occur in extreme circumstances (what you describe) and networks where hostile hosts are expected as a normal occurrence (what I was intending to describe).

The type of attack and type of resilience required vary between these two situations as well.

Owen