Re: [v6ops] Default IPv6 Local Only Addressing for Non-Internet Devices (Fwd: New Version Notification for draft-smith-v6ops-local-only-addressing-00.txt)

Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 17 October 2019 12:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/a-3XxakvAD0DXTaydDnNWN8-Vfg>


Le 15/10/2019 à 17:02, Dmytro Shytyi a écrit :
> Hello,
> 
> From the point when a device is connected to the internet it becomes a
> Node that could be reached outside by external users. The firmware
> of such devices is updated not that frequently. It could be
> dangerous. From the point I put my device in DMZ in few moments I see
> in the log the "Access denied via ssh for user root". Thus, I think,
> it is an important thing the authors of the draft highlight.

True, the network topology that involves a DMZ is another way of solving
the problem.

Yet one may wonder how the address scoping solution would work together
with a network topology solution involving a DMZ.  Is ULA space to be
used within the DMZ and GUAs on both sides of it, so as to better
protect legitimate end users from attackers?

Formulating a problem statement would help.

Alex

> ______________ *Dmytro SHYTYI*
> 
> 
> ---- On Tue, 15 Oct 2019 10:15:53 +0200 *Gert Doering
> <gert@space.net>* wrote ----
> 
> Hi,
> 
> On Tue, Oct 15, 2019 at 07:11:00PM +1100, Jen Linkova wrote:
>> The draft says '...when it is clear to a device manufacturer that
>> a device should be isolated from the Internet by default..'
> 
> I'd say that most devices built by manufacturers today SHOULD be 
> isolated from the Internet... but I'm afraid that *manufacturers* are
> never going to agree that their shiny new toys are not mature 
> enough...
> 
> Gert Doering -- NetMaster -- have you enabled IPv6 on something
> today...?
> 
> SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer 
> Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann 
> D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444
> USt-IdNr.: DE813185279
> 
> _______________________________________________ v6ops mailing list 
> v6ops@ietf.org <mailto:v6ops@ietf.org> 
> https://www.ietf.org/mailman/listinfo/v6ops