IETF Logo Mail Archive

Re: [v6ops] multiple prefixes [no longer draft-ietf-v6ops-ula-usage-recommendations-02.txt]

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 21 February 2014 19:37 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0457C1A059D for <v6ops@ietfa.amsl.com>; Fri, 21 Feb 2014 11:37:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lsnD3i6xCZrP for <v6ops@ietfa.amsl.com>; Fri, 21 Feb 2014 11:37:15 -0800 (PST)
Received: from mail-pb0-x235.google.com (mail-pb0-x235.google.com [IPv6:2607:f8b0:400e:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id 4A61D1A05AD for <v6ops@ietf.org>; Fri, 21 Feb 2014 11:36:50 -0800 (PST)
Received: by mail-pb0-f53.google.com with SMTP id ma3so1225368pbc.12 for <v6ops@ietf.org>; Fri, 21 Feb 2014 11:36:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=JB8zgSszD/TyDjs17pP0welm2ujNTmsIOYBFx2bdH4E=; b=Vi5dGlBy7mh7kIAi+PucV4dPqhaDqs+VXxUlnVCR8mPMul/otU2+s4sGQmbe+A6OFc dTC7FZVloNhiIhey346i6XyffyvuDhoXDD5flu0HKRJtW3/+NNqY54C64LoXEaUpahyd o4D+xV6HO6rk1Qvc6jOvXtJaYemF7lwSCQAfl9XXOBZLDCzy+K2skbcs50ysWqzBIwzZ 9rnraAHvgVIbe8Ttr6Xf1PaR0B50KDstEpealWokwjXJKSOpZlrXl6EazgaINA44cSCa 5sQrsYxarmxd6A1K4LRA0iDGrqHdCjyawD6r0zEFLjGX3I9EmtjTAn3u31mSmSUpoq9F Xo3w==
X-Received: by 10.66.146.199 with SMTP id te7mr11041571pab.106.1393011406429; Fri, 21 Feb 2014 11:36:46 -0800 (PST)
Received: from [192.168.178.23] (130.192.69.111.dynamic.snap.net.nz. [111.69.192.130]) by mx.google.com with ESMTPSA id ug2sm55391792pac.21.2014.02.21.11.36.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Feb 2014 11:36:45 -0800 (PST)
Message-ID: <5307AAD9.3060401@gmail.com>
Date: Sat, 22 Feb 2014 08:36:57 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
References: <20140214091302.13219.20624.idtracker@ietfa.amsl.com> <1442fd6c81e.5859224653900445752.5189762259388794287@internetdraft.org> <52FEBE28.1010006@gmail.com> <8E2A8B56-6F05-4F09-BE7E-651B9CA42458@delong.com> <5300CE32.1050808@gmail.com> <BD473E46-E382-44E6-B474-A56D074318FA@delong.com> <530104B3.3070205@gmail.com> <53010E70.5000401@gmail.com> <20140217110013.GA31822@mushkin> <62FF9B8A-2F21-4FDD-B1D2-82B8C02A21B3@delong.com> <37638184-17C6-4C8B-86B1-C596A5A5504A@nominum.com> <530242C3.4070108@bogus.com> <E91E49CA-7BA6-4DA3-B4F3-46BB0F25F8F1@delong.com> <5303CD3E.1010907@gmail.com> <m2a9dnr4vk.wl%randy@psg.com> <5304BAAF.60608@gmail.com> <53052B43.2070904@gmail.com> <CAKD1Yr2fyZ9FezX5dh=P-PiruiOqKBKO9f5hroD-CHDJS+ZMQQ@mail.gmail.com> <53055FF3.2040605@gmail.com> <CAKD1Yr0SgVtTCTppiJkfgao91xR5jZ-1N+b+dE5m9_6ovky4gQ@mail.gmail.com> <5305B159.2050402@globis.net> <53065F7D.1010909@gmail.com> <5306796F.5030709@globis.net> <53069CE6.90009@gmail. com> <53072DE0.1090702@globis.net>
In-Reply-To: <53072DE0.1090702@globis.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/ZvBK0mULbj3bzsPTdJ-fSHc_K1o
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] multiple prefixes [no longer draft-ietf-v6ops-ula-usage-recommendations-02.txt]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2014 19:37:18 -0000

> Only authorised machines should communicate. 

In such a regime you're bound to have stateful or static address
assignment, so if you have N prefixes each machine will need to have
N stateful or static addresses. I understand that it's N times the
hassle and that you might not want to do it.

However, an address derived from a ULA prefix would never be
authorised to communicate with the Internet. If you had a subclass
of machines that were allowed to communicate with a business
partner via ULA but not with the Internet, a ULA would just be
one of the N.

Regards
   Brian

On 21/02/2014 23:43, Ray Hunter wrote:
>> Brian E Carpenter <mailto:brian.e.carpenter@gmail.com>
>> 21 February 2014 01:25
>> On 21/02/2014 10:53, Ray Hunter wrote:
>>>> Brian E Carpenter<mailto:brian.e.carpenter@gmail.com>
>>>> 20 February 2014 21:03
>>>> On 20/02/2014 20:40, Ray Hunter wrote:
>>>> ...
>>>>
>>>> Ray, ULA prefixes *are* global unicast prefixes; their only special
>>>> characteristic is that they are not routed outside a given
>>>> administrative
>>>> domain.
> 
> OK ULA = Globally unique with high probability of uniqueness, and
> limited reachability scope.
> 
> RFC 6887 states "These IP addresses may have distinct reachability
> scopes (e.g., if IPv6, they might have global reachability scope as is
> the case for a Global Unicast Address (GUA) [RFC3587] or limited scope
> as is the case for a Unique Local Address (ULA) [RFC4193])." which
> suggests to me that they are distinct.
> 
> And RFC 3587 refers to "The TLA/NLA scheme has been replaced by a
> coordinated allocation policy defined by the Regional Internet
> Registries (RIRs) [IPV6RIR]" which does not cover self-generated ULA.
> 
> So I'm not the first to blur that particular boundary.
>>>> Also, it is common for large enterprises to run multiple disjoint
>>>> prefixes
>>>> within the corporate network, and has been for many years.
>>>>
>>> So how do they set up firewall rules?
>>
>> I'm not sure why you ask, and when I worked for such a company
>> (IBM) it wasn't something I ever looked at. However, I assume
>> that the filters for every border device to the Internet cited
>> all the internal prefixes in use.
> Nope. Especially at private NNI's, the enterprises have a duty to
> protect each other from attack by e.g. virus storms.
> Only authorised machines should communicate.
> 
>> Certainly the config file for
>> the call-home VPN on my company laptop included a very long list of
>> prefixes, and I guess that was pretty much the same list as they
>> needed in the border firewalls.
> Nope. Many businesses have a requirement for controlled and tracked
> outbound access. e.g. to see which machine FTPed a copy of the corporate
> development code to the Internet, and when.
>>>> I think the issues you're concerned about are all due to the fact that
>>>> in IPv6, it is bog standard to run more than one prefix on the same
>>>> phsyical subnet. The fact that one of them might be delegated from
>>>> a ULA /48 seems to me to be a side issue.
>>>>
>>>> Brian
>>> So you see no problems with a machine running multiple prefixes, where
>>> the IID for each may also be different (stable privacy addresses), and
>>> each session may source from a different prefix depending on where it's
>>> terminating (address selection + address rotation of privacy addresses)?
>>
>> That's the design of IPv6.
>>
>>> How will the firewall even know it's the same machine sending the
>>> packets, never mind the same user, so that the communication stream can
>>> be authorised or blocked?
>>
>> You're talking about a firewall that censors outgoing sessions?
> Yes.
>> Well, that's bound to be a pain. But you'll find the MAC address
>> in the ND cache, so you could check that way.
> They are not connected at L2.
>>
>>> Will users have to re-authenticate for every prefix + IID combination?
>>
>> If it's a firewall that authenticates users, yes, I would think so.
>> But I don't see why that would require user action; it should just be
>> automatic after the user's initial authentication. If not, the
>> authentication mechanism is not well designed for IPv6.
>>
>>     Brian
>>
>>
> Is there any IETF standard for this authentication?
> 
> When I check PCP it doesn't seem to explicitly correlate requests from
> the same machine, and ULA's should not be used as the source of the PCP
> message.
>> IPv6 addresses without global reachability (e.g., ULAs) SHOULD NOT be
> used as the source interface when generating a PCP request.
> 
> What about internal firewalls within an enterprise? ULA only networks?
> Ignore the SHOULD?
> GUA prefix that arrives after the ULA is configured? Before ULA is
> configured?
> 
> I still expect operational issues with synchronising access requests
> from a single machine across multiple prefixes:
> GUA rule times out, but the ULA rule doesn't or vice versa. It's going
> to be a nightmare to debug.
> 
> To my mind, there definitely seems to be operational gaps in the
> assumptions made for GUA + ULA operation in parallel.
>

v2.23.0 | Report a Bug | By Email