Re: [v6ops] multiple prefixes [no longer draft-ietf-v6ops-ula-usage-recommendations-02.txt]
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 21 February 2014 19:37 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0457C1A059D for <v6ops@ietfa.amsl.com>; Fri, 21 Feb 2014 11:37:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lsnD3i6xCZrP for <v6ops@ietfa.amsl.com>; Fri, 21 Feb 2014 11:37:15 -0800 (PST)
Received: from mail-pb0-x235.google.com (mail-pb0-x235.google.com [IPv6:2607:f8b0:400e:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id 4A61D1A05AD for <v6ops@ietf.org>; Fri, 21 Feb 2014 11:36:50 -0800 (PST)
Received: by mail-pb0-f53.google.com with SMTP id ma3so1225368pbc.12 for <v6ops@ietf.org>; Fri, 21 Feb 2014 11:36:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=JB8zgSszD/TyDjs17pP0welm2ujNTmsIOYBFx2bdH4E=; b=Vi5dGlBy7mh7kIAi+PucV4dPqhaDqs+VXxUlnVCR8mPMul/otU2+s4sGQmbe+A6OFc dTC7FZVloNhiIhey346i6XyffyvuDhoXDD5flu0HKRJtW3/+NNqY54C64LoXEaUpahyd o4D+xV6HO6rk1Qvc6jOvXtJaYemF7lwSCQAfl9XXOBZLDCzy+K2skbcs50ysWqzBIwzZ 9rnraAHvgVIbe8Ttr6Xf1PaR0B50KDstEpealWokwjXJKSOpZlrXl6EazgaINA44cSCa 5sQrsYxarmxd6A1K4LRA0iDGrqHdCjyawD6r0zEFLjGX3I9EmtjTAn3u31mSmSUpoq9F Xo3w==
X-Received: by 10.66.146.199 with SMTP id te7mr11041571pab.106.1393011406429; Fri, 21 Feb 2014 11:36:46 -0800 (PST)
Received: from [192.168.178.23] (130.192.69.111.dynamic.snap.net.nz. [111.69.192.130]) by mx.google.com with ESMTPSA id ug2sm55391792pac.21.2014.02.21.11.36.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 21 Feb 2014 11:36:45 -0800 (PST)
Message-ID: <5307AAD9.3060401@gmail.com>
Date: Sat, 22 Feb 2014 08:36:57 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
References: <20140214091302.13219.20624.idtracker@ietfa.amsl.com> <1442fd6c81e.5859224653900445752.5189762259388794287@internetdraft.org> <52FEBE28.1010006@gmail.com> <8E2A8B56-6F05-4F09-BE7E-651B9CA42458@delong.com> <5300CE32.1050808@gmail.com> <BD473E46-E382-44E6-B474-A56D074318FA@delong.com> <530104B3.3070205@gmail.com> <53010E70.5000401@gmail.com> <20140217110013.GA31822@mushkin> <62FF9B8A-2F21-4FDD-B1D2-82B8C02A21B3@delong.com> <37638184-17C6-4C8B-86B1-C596A5A5504A@nominum.com> <530242C3.4070108@bogus.com> <E91E49CA-7BA6-4DA3-B4F3-46BB0F25F8F1@delong.com> <5303CD3E.1010907@gmail.com> <m2a9dnr4vk.wl%randy@psg.com> <5304BAAF.60608@gmail.com> <53052B43.2070904@gmail.com> <CAKD1Yr2fyZ9FezX5dh=P-PiruiOqKBKO9f5hroD-CHDJS+ZMQQ@mail.gmail.com> <53055FF3.2040605@gmail.com> <CAKD1Yr0SgVtTCTppiJkfgao91xR5jZ-1N+b+dE5m9_6ovky4gQ@mail.gmail.com> <5305B159.2050402@globis.net> <53065F7D.1010909@gmail.com> <5306796F.5030709@globis.net> <53069CE6.90009@gmail. com> <53072DE0.1090702@globis.net>
In-Reply-To: <53072DE0.1090702@globis.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/ZvBK0mULbj3bzsPTdJ-fSHc_K1o
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] multiple prefixes [no longer draft-ietf-v6ops-ula-usage-recommendations-02.txt]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2014 19:37:18 -0000
> Only authorised machines should communicate. In such a regime you're bound to have stateful or static address assignment, so if you have N prefixes each machine will need to have N stateful or static addresses. I understand that it's N times the hassle and that you might not want to do it. However, an address derived from a ULA prefix would never be authorised to communicate with the Internet. If you had a subclass of machines that were allowed to communicate with a business partner via ULA but not with the Internet, a ULA would just be one of the N. Regards Brian On 21/02/2014 23:43, Ray Hunter wrote: >> Brian E Carpenter <mailto:brian.e.carpenter@gmail.com> >> 21 February 2014 01:25 >> On 21/02/2014 10:53, Ray Hunter wrote: >>>> Brian E Carpenter<mailto:brian.e.carpenter@gmail.com> >>>> 20 February 2014 21:03 >>>> On 20/02/2014 20:40, Ray Hunter wrote: >>>> ... >>>> >>>> Ray, ULA prefixes *are* global unicast prefixes; their only special >>>> characteristic is that they are not routed outside a given >>>> administrative >>>> domain. > > OK ULA = Globally unique with high probability of uniqueness, and > limited reachability scope. > > RFC 6887 states "These IP addresses may have distinct reachability > scopes (e.g., if IPv6, they might have global reachability scope as is > the case for a Global Unicast Address (GUA) [RFC3587] or limited scope > as is the case for a Unique Local Address (ULA) [RFC4193])." which > suggests to me that they are distinct. > > And RFC 3587 refers to "The TLA/NLA scheme has been replaced by a > coordinated allocation policy defined by the Regional Internet > Registries (RIRs) [IPV6RIR]" which does not cover self-generated ULA. > > So I'm not the first to blur that particular boundary. >>>> Also, it is common for large enterprises to run multiple disjoint >>>> prefixes >>>> within the corporate network, and has been for many years. >>>> >>> So how do they set up firewall rules? >> >> I'm not sure why you ask, and when I worked for such a company >> (IBM) it wasn't something I ever looked at. However, I assume >> that the filters for every border device to the Internet cited >> all the internal prefixes in use. > Nope. Especially at private NNI's, the enterprises have a duty to > protect each other from attack by e.g. virus storms. > Only authorised machines should communicate. > >> Certainly the config file for >> the call-home VPN on my company laptop included a very long list of >> prefixes, and I guess that was pretty much the same list as they >> needed in the border firewalls. > Nope. Many businesses have a requirement for controlled and tracked > outbound access. e.g. to see which machine FTPed a copy of the corporate > development code to the Internet, and when. >>>> I think the issues you're concerned about are all due to the fact that >>>> in IPv6, it is bog standard to run more than one prefix on the same >>>> phsyical subnet. The fact that one of them might be delegated from >>>> a ULA /48 seems to me to be a side issue. >>>> >>>> Brian >>> So you see no problems with a machine running multiple prefixes, where >>> the IID for each may also be different (stable privacy addresses), and >>> each session may source from a different prefix depending on where it's >>> terminating (address selection + address rotation of privacy addresses)? >> >> That's the design of IPv6. >> >>> How will the firewall even know it's the same machine sending the >>> packets, never mind the same user, so that the communication stream can >>> be authorised or blocked? >> >> You're talking about a firewall that censors outgoing sessions? > Yes. >> Well, that's bound to be a pain. But you'll find the MAC address >> in the ND cache, so you could check that way. > They are not connected at L2. >> >>> Will users have to re-authenticate for every prefix + IID combination? >> >> If it's a firewall that authenticates users, yes, I would think so. >> But I don't see why that would require user action; it should just be >> automatic after the user's initial authentication. If not, the >> authentication mechanism is not well designed for IPv6. >> >> Brian >> >> > Is there any IETF standard for this authentication? > > When I check PCP it doesn't seem to explicitly correlate requests from > the same machine, and ULA's should not be used as the source of the PCP > message. >> IPv6 addresses without global reachability (e.g., ULAs) SHOULD NOT be > used as the source interface when generating a PCP request. > > What about internal firewalls within an enterprise? ULA only networks? > Ignore the SHOULD? > GUA prefix that arrives after the ULA is configured? Before ULA is > configured? > > I still expect operational issues with synchronising access requests > from a single machine across multiple prefixes: > GUA rule times out, but the ULA rule doesn't or vice versa. It's going > to be a nightmare to debug. > > To my mind, there definitely seems to be operational gaps in the > assumptions made for GUA + ULA operation in parallel. >
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Randy Bush
- [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-re… internet-drafts
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… ek
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Sander Steffann
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark ZZZ Smith
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Jan-Frode Myklebust
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… joel jaeggli
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… joel jaeggli
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark ZZZ Smith
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Randy Bush
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ray Hunter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Nick Hilliard
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… David Farmer
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… David Farmer
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ray Hunter
- [v6ops] multiple prefixes [no longer draft-ietf-v… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Tore Anderson
- Re: [v6ops] multiple prefixes [no longer draft-ie… Ray Hunter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] multiple prefixes [no longer draft-ie… Brian E Carpenter
- Re: [v6ops] multiple prefixes [no longer draft-ie… Ray Hunter
- Re: [v6ops] multiple prefixes [no longer draft-ie… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark ZZZ Smith
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Victor Kuarsingh
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… William Cerveny
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong