IETF Logo Mail Archive

Re: [v6ops] Implementation Status of PREF64

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Tue, 28 September 2021 19:02 UTC

Return-Path: <prvs=1905ce9653=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E003A0B4C for <v6ops@ietfa.amsl.com>; Tue, 28 Sep 2021 12:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jy1xx2L2H2P7 for <v6ops@ietfa.amsl.com>; Tue, 28 Sep 2021 12:02:40 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) by ietfa.amsl.com (Postfix) with ESMTP id BC4A43A0BC2 for <v6ops@ietf.org>; Tue, 28 Sep 2021 12:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1632855755; x=1633460555; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type; bh=BSOpRIUw8mAmF56Ncsa8b7Cndz+txUzqdq 6I0XRMrD4=; b=w5nv3br/WXtazjTz2s4R63gmUli0Gmq6UCGWTOVZ+38y+oHw/t OZBiErAW6npgnen0WKcxuy88PPlWCCMLqc0ecJWfeJb5D6c+iO7rFFprvWQm7wsf B46Wp9dk6IEYGT3ZtEGGRLKXGZZwaFhpNRFZYtqoJQ7LubwfyoUpoIqGI=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Tue, 28 Sep 2021 21:02:35 +0200
X-Spam-Processed: mail.consulintel.es, Tue, 28 Sep 2021 21:02:34 +0200
Received: from [10.10.10.146] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50000688224.msg for <v6ops@ietf.org>; Tue, 28 Sep 2021 21:02:34 +0200
X-MDRemoteIP: 2001:470:1f09:495:c9e4:c98a:c41b:5192
X-MDHelo: [10.10.10.146]
X-MDArrival-Date: Tue, 28 Sep 2021 21:02:34 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=1905ce9653=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/16.53.21091200
Date: Tue, 28 Sep 2021 21:02:29 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: V6 Ops List <v6ops@ietf.org>
Message-ID: <37A98BC0-4528-44AE-8C40-FC6FC4931C84@consulintel.es>
Thread-Topic: [v6ops] Implementation Status of PREF64
References: <CAN-Dau2in52xSUkqKEXu=2AAiR4O_jLhna7hY-hshYDORfGtcQ@mail.gmail.com> <CAMGpriWFp4JPtqDK5tEj1RkS-SzEfvscfUUnxgK+o6qP2pusRA@mail.gmail.com> <6E95834D-12B3-447B-8326-8EDE9DC6FFB1@delong.com> <CAO42Z2zA-4cK489nxKsWUN8vvU0eAiz-jS0e-_eWPg+OmP8wLw@mail.gmail.com> <DDA36020-90CC-471B-83AD-3D98950F1164@delong.com> <CAO42Z2wdoSdJDOB2Zo0=ZK0ecOARRsdg2nbHZGSDOhryPbLfDw@mail.gmail.com> <F2BD0A42-E9AD-45DD-999A-638E73BE1177@delong.com> <CAKD1Yr2K3Gd3JD=NJFOoH6GYgs-8ACxRQB9-sKJ7cbF4_hxsow@mail.gmail.com> <0B533C71-5DB0-410D-A5A3-7E8FD559F214@delong.com> <CAKD1Yr3NoYfNT7+OVJoCCdgdif6AHHw29tNCPttS=-NuRZKv3w@mail.gmail.com> <DM6PR02MB692426B0EEDDC2C4D78D8EC0C3A89@DM6PR02MB6924.namprd02.prod.outlook.com> <EFC78F4B-873B-42EE-8DC5-04C29758B0D0@consulintel.es> <F9E669E9-04E4-4153-812B-04B63F492878@delong.com>
In-Reply-To: <F9E669E9-04E4-4153-812B-04B63F492878@delong.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3715707749_1664495903"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/bZRxkF7zCP1vpzIWE9clvjr-vlk>
Subject: Re: [v6ops] Implementation Status of PREF64
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2021 19:02:57 -0000

Yep, I understand the usage of addresses for auditing and because the apps that were doing that auditing were not supporting IPv6 addresses, it was neccesary to modify them and then take in consideration that using IP addresses is not necessarily the best way.

 

 

 

El 28/9/21 20:14, "Owen DeLong" <owen=40delong.com@dmarc.ietf.org> escribió:

 

There are ways to use SLAAC (I don’t recommend using DHCPv6 because the lack of Android and derivatives support), and ensure proper security, such as 802.1x.

 

Funny… I don’t recommend Android for exactly that reason. lol

 

In fact, depending on IP (v4 or v6) addresses for providing security I believe is wrong and prone to be faked by attackers.

 

It’s not about using the address for security, it’s about securing the address for auditing.

 

Owen



 

Regards,

Jordi

@jordipalet

 

 

 

El 28/9/21 18:02, "v6ops en nombre de STARK, BARBARA H" <v6ops-bounces@ietf.org en nombre de bs7652@att.com> escribió:

 

Just to provide a few more facts inline with <bhs>...

Barbara

 

From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Lorenzo Colitti
Sent: Tuesday, September 28, 2021 12:21 AM
To: Owen DeLong <owen=40delong.com@dmarc.ietf.org>
Cc: V6 Ops List <v6ops@ietf.org>; Jen Linkova <furry@google.com>
Subject: Re: [v6ops] Implementation Status of PREF64

 

On Tue, Sep 28, 2021 at 1:54 PM Owen DeLong <owen=40delong.com@dmarc.ietf.org> wrote:

No… That’s not what it amounts to.

 

It amounts to a machine can only use the network _IF_ it completes 802.1x Authentication _AND_ the IP address(es) it is using match the DHCP server’s expectation of the address it issued to the MAC address in question.

 

Why would you want to do this? IPv6 addresses are plentiful and ephemeral. What does it matter to some server on the Internet (or, in general, off-link) if a given host uses 2001:db8:1:2:3::f00 or 2001:db8:1:2:3::b00 or both? Why take the privacy implications of using a fixed IID (because DHCPv6 can't seamlessly change IIDs) to talk to all off-link destinations all the time?

 

<bhs> Just as a note, MAC address or DUID are not the only “identities” that can be used with 802.1x. Some managed or factory-configured devices are given a specific identity and credentials to prove the identity for use with 802.1x. A very common “telco wireline” network architecture is for the CE router to do 802.1x authentication which then lets the RADIUS server tell the DHCP server configuration info specific to that device – such as the stable (effectively static) IPv4/v6 addresses and IPv6 prefix to assign to that device. 3GPP networks don’t need 802.1x because they have IMEI/IMSI. Fixed wireless broadband services use 3GPP-defined networks to supply broadband access and have been very limited from an IPv6-prefix-assignment perspective by the lack of prefix assignment other than PREF64 in 3GPP network equipment. Naturally, it’s impossible to deploy DHCPv6 if the vendor whose equipment is used doesn’t support DHCPv6. I’ve seen some people suggest that operators should completely replace their entire networks to use a vendor that does support DHCPv6 – which is a very humorous and unrealistic suggestion. PREF64 is all those fixed wireless subscribers get. Many large enterprises use RADIUS with DHCP in a manner similar to wireline networks. I’m not aware of widely-deployed equipment that supports good RADIUS/RA integration for similar device configuration via RA.

 

This is better than the DHCP version above because it allows the client to use multiple IP addresses and does not need to be re-done when the IP address changes.

Sometimes the network administrator doesn’t want the host using multiple IP addresses for a variety of reasons.

 

Ok, but that's also harmful for a variety of reasons, and for general purpose devices, it's not recommended by the IETF. That's exactly what RFC 7934 is about - explaining why it's harmful.

 

<bhs> Enterprise networks are not general-purpose networks. They do not want devices (which may in other contexts be used as “general-purpose” devices) to behave like general-purpose devices. They want to control and restrict what those devices do. And until the equipment available to enterprises allows them assert this level of control, IETF can create Best Practices and fume about lack of enterprise IPv6 deployment until it’s blue in the face. It’s not “harmful” for enterprise operators to restrict what devices can do inside their enterprise network. It’s a good and necessary security practice.

 

I repeat… Your anti-DHCP religion is NOT HELPING.

 

Not helping with what? The transition to IPv6? But if so - why bother using IPv6 if it's just just 128-bit IPv4, with one address per host, no dynamic address changes (because DHCPv6 can't really support that) and NAT (because if you can't tell the host that its network configuration has changed, you need to ensure that the configuration *doesn't* change)? Why use IPv6 to do that, which requires hosts to implement all the associated complexities such as NAT traversal, NAT keepalives, etc.? That model works perfectly well today using IPv4, and I'm pretty sure that OS support for IPv4 isn't going anywhere any time soon.

 

<bhs> I mostly agree. Unfortunately, some governments are putting pressure on enterprises and government networks (which are just a type of enterprise network) to support IPv6. This is largely due to messaging coming from the IETF. Maybe IETF should produce a Best Practice recommendation that enterprise and government networks not support IPv6 until all tools they need to properly secure an IPv6-enabled network are widely available as software updates to legacy equipment. 

Barbara

_______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops






**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email