IETF Logo Mail Archive

Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]

Daryll Swer <contact@daryllswer.com> Tue, 02 January 2024 16:41 UTC

Return-Path: <contact@daryllswer.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83EA4C14F702 for <v6ops@ietfa.amsl.com>; Tue, 2 Jan 2024 08:41:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=daryllswer.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nH8ZmX8dqO7w for <v6ops@ietfa.amsl.com>; Tue, 2 Jan 2024 08:41:24 -0800 (PST)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4930DC14F6AC for <v6ops@ietf.org>; Tue, 2 Jan 2024 08:41:18 -0800 (PST)
Received: by mail-pl1-x630.google.com with SMTP id d9443c01a7336-1d3e8a51e6bso70947895ad.3 for <v6ops@ietf.org>; Tue, 02 Jan 2024 08:41:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daryllswer.com; s=google; t=1704213678; x=1704818478; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=C7HOfBrikokyjfMsLanDtInY2DIz+J44iYRpuQJlxuc=; b=Hig6udZzdvFCz2ETEIwr9VIxx+lwnYfS5We23z9Qg+sdaPMq5+897uAXkEJpvPvYO6 Cw/nhggu09IIXFPLL7a+kgUVSoBl5BX0Nv/BOxGk4OA4N7hhd3OKtzbZDpiwEXTxxzfu rgWCKW7lj1ydcdu3X9ssFveygoHm0yNSZZ3MD4ty5titZ1An8EA9tR07ncRrJ7TtNUxc B5DsHKjkhs0x6SQwvWfznoQi6Q7IEitTEDnkR4IMM+qq7lsh7D9j87VRdz2x9tWQqY9q jE87Ig2OuQ88a5x03rdXweStXYvu5JLmSpOQEYWETPyKrlVmV+N7Dy3OLfQ2Ioo/fhcS X8MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704213678; x=1704818478; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=C7HOfBrikokyjfMsLanDtInY2DIz+J44iYRpuQJlxuc=; b=Y5VQquejX8AQhmqYa71C8nXeSMkiXbf8smjy5GDEhtIzGMSNVGsL7iVbgDaSXRf6VV TpKBj1PuCvMM6NiTOV+8ExgDH4pz92rzblhKYBRwW54gBvU2kh/nowqOoeXdSe6ZQY8p /L2fPx0coq/oSUSiw5jbNdLBeTkOXLXf6JyjMhQjDGRHfLVpDvDjJPm+NpnAU7HvTcVb vy7CCEik0UAtTRo6XpextJVxCUd5Wm+M7DqNT8+TFYDZZc0orcrGwyU4ET2qVmKAIZ+M /DaL1rfcFpuFFi/dEaUrTNLjS/xXK51p17DLdbDWj2QhdiCIVkqPiP7MP/HqSjWHrhtC CI/w==
X-Gm-Message-State: AOJu0YxE/idqkAcW9RjMCTiU50UXDEfIzWo0WEVd8d+3nszAbb77cyrE Wdk7J7NtAxGZJwg4Xr2Hjy205wR1sOiWovRfal9Qc7Xx4DTTaEKz
X-Google-Smtp-Source: AGHT+IE9Z96+EUgqz2I2ed/8AjChAUxAfGTR+AkBOMSZmIUi2vWlzkN94JXbVopLuD+HcI7KziItug==
X-Received: by 2002:a17:903:32cd:b0:1d4:be46:5325 with SMTP id i13-20020a17090332cd00b001d4be465325mr2949380plr.78.1704213677878; Tue, 02 Jan 2024 08:41:17 -0800 (PST)
Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com. [209.85.216.45]) by smtp.gmail.com with ESMTPSA id be10-20020a170902aa0a00b001d3c3d486bfsm22084406plb.163.2024.01.02.08.41.16 for <v6ops@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Jan 2024 08:41:17 -0800 (PST)
Received: by mail-pj1-f45.google.com with SMTP id 98e67ed59e1d1-28c7c422ad9so4410531a91.3 for <v6ops@ietf.org>; Tue, 02 Jan 2024 08:41:16 -0800 (PST)
X-Received: by 2002:a17:90a:b002:b0:28b:cdfd:42d6 with SMTP id x2-20020a17090ab00200b0028bcdfd42d6mr8093057pjq.50.1704213676291; Tue, 02 Jan 2024 08:41:16 -0800 (PST)
MIME-Version: 1.0
References: <CACyFTPHbCc00z36PRSUCsP=8Av=z4Ms0KHwk1Rxd=19TXzdyhg@mail.gmail.com> <CAPt1N1=82h05qZRqhtDirXwS1Fvz8OPt0iFRWasFHMXkEp4Fuw@mail.gmail.com> <CACyFTPFJ=CjiYbZjdF8T63a14SgeNAKaAQeTVSbAxde4J9ZfRQ@mail.gmail.com> <CAO42Z2zfzwx2NuCYZh_-ncTvmQ0T1+AsOi540RQ2BjQC0w6Kkg@mail.gmail.com> <ZYSv6CZllItMyNSQ@Space.Net> <CAO42Z2y-zKtWWJXX837RfD9XuxKaXkhg75TiEGHF=hFdnnsydQ@mail.gmail.com> <CACyFTPHDhrANP+tssS3x14Dm19TiyAYpeEF=sZdLJsrwUpAWjw@mail.gmail.com> <CAPt1N1nFk1QYmcJe4vmnj_vKp2EZ8iLipcrW3QixPKayER50LA@mail.gmail.com> <8d990f81-d4ae-b602-1f58-a0aa0fc9de28@gmail.com> <CAO42Z2wBZ3EQVtH0-EBsDhkR8owCpxTAJZJE59pVC5-jSMjUzA@mail.gmail.com> <ZYayNL9kuwH37EqP@Space.Net> <CACyFTPEn2ag2ZtgFag1N+0MqJbagw6HzYkVw0rC=0VV+DDCm+g@mail.gmail.com> <8fb2c7c5-938c-3728-17c9-85e7004883e6@gmail.com> <CACyFTPHWCCLsiUT0GEuvpq5fhnaDdD-w910x3R0wMprUGnZ9nA@mail.gmail.com> <CAO42Z2z9bFemih_0_wDa8TA1ez4zSnACF6gU5yU74rknHKCwgw@mail.gmail.com> <CACyFTPGXNyhBHV_w0Uj3QQdz3OCQ-hqtAmPNNNgUKCFGoEbxow@mail.gmail.com> <CAPt1N1kQB9PYrt70vRTQT=cgvVOaRms=+OsH117_-H9Uj9kS1A@mail.gmail.com> <53322B92-1354-4CF9-98C8-A56EE5EA8EBD@jisc.ac.uk> <CAPt1N1=k9NO_ci_zJus8LM0_eH9QBvdtoZc3FR8h8TU0_+50_g@mail.gmail.com> <5E6C7984-EED0-46DD-82BB-86F554E20795@employees.org> <CAPt1N1mHvpfbqaocnc6nBwDZ2RocMfi3ydtiSxqRq7dZwF1EQg@mail.gmail.com> <2D0D28C9-F1EE-4AB7-987E-CD9D6A28A4F1@employees.org> <CAPt1N1m5Jdt7+AzB7_r0EmsV-yP0DUh5uFxy_3WyooMrCbJ7qQ@mail.gmail.com> <705971AB-BCE4-46D1-B043-396C59BC552C@employees.org> <CAPt1N1kM0g3nbEsodaUMGsNx93FG5o=PWyr+VFfp24_sv6PL5A@mail.gmail.com>
In-Reply-To: <CAPt1N1kM0g3nbEsodaUMGsNx93FG5o=PWyr+VFfp24_sv6PL5A@mail.gmail.com>
From: Daryll Swer <contact@daryllswer.com>
Date: Tue, 02 Jan 2024 22:10:35 +0530
X-Gmail-Original-Message-ID: <CACyFTPG91wc3LAZ1QRBm6t-cDL1OtyVh2P6zrh_zGiAeBnVeBg@mail.gmail.com>
Message-ID: <CACyFTPG91wc3LAZ1QRBm6t-cDL1OtyVh2P6zrh_zGiAeBnVeBg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Ole Troan <otroan@employees.org>, Tim Chown <Tim.Chown@jisc.ac.uk>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cbfd9f060df92a11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/eAPPQkUfXKqWQQ9YntVdvr7ZXxI>
Subject: Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2024 16:41:28 -0000

I've given much thought to this DHCPv6/SLAAC debate over the week, and my
final opinion is.

1. The “address notification” mechanism likely just adds more complexity
(and the time required for devices to support it) vs just fixing ia_na
specific issues
2. The “state sync” problem is fixed in ISC Kea, which means there's no
technical reason for the IETF to not adopt the open source protocol into a
standard
3. I will recommend enterprises do “Do IPv6 for everything but Android”
(already the reality as is)
4. ia_na does help with traceroutes/troubleshooting vs link-local for
PD-only

I'm not sure if the time/energy required for “address notification” top to
bottom, is significantly less than what would be required to patch ia_na
specific issues.

*--*
Best Regards
Daryll Swer
Website: daryllswer.com
<https://mailtrack.io/link/b8fbb9af84a504e9046468dc0a0438e543cb4486?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=dd709ee618d93ac2>


On Tue, 2 Jan 2024 at 21:28, Ted Lemon <mellon@fugue.com> wrote:

> It's rather unkind of you to respond to a thoughtful answer that I took
> some time to compose with an accusation that it came from ChatGPT. I have a
> lot going on today, and participating in this conversation isn't free for
> me. I would encourage the chairs to weigh in on whether they think this is
> appropriate.
>
> That said, I agree with (what I think is) your point: if the DHCP address
> registration is not enforced with e.g. 802.1x, it's actually harmful. But
> the same criticism is also valid for the DHCPv6 IA_NA use case, so I don't
> think you've said anything new. This is precisely why there isn't consensus
> to require these mechanisms: by default they don't do what people want them
> to do. But it's easy to pretend that they do, and that leads to bad
> outcomes for end users. As the service provider, unless you can be held
> liable for false accusations (and they can be proven) you can freely accuse
> your users of bad behavior and back it up with your DHCPv6 logs, and it's
> likely that you won't be held accountable for any accidental false
> accusations that you make in good faith.
>
> In case it's not obvious, I'm not actually advocating for this. I think
> it's a bad idea. It's not an accident that I used the term "surveillance"
> in my previous message.
>
> On Tue, Jan 2, 2024 at 10:44 AM Ole Troan <otroan@employees.org> wrote:
>
>> Ted,
>>
>> ChatGPT?
>>
>> For an idea of what the network does already:
>>
>> https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf
>>
>>
>> Again, I can’t quite see how the DHCPv6 registration mechanism would help
>> the network in tracking endpoints.
>> Given that the network cannot trust the hosts that support the mechanism
>> to provide a truthful answer, then you have the other set of endpoints that
>> do not support the mechanism at all, which the network also has to handle.
>>
>> I may have missed it, but I have not seen this question answered in the
>> draft, nor in your reply.
>>
>> O.
>>
>>
>> > On 2 Jan 2024, at 16:31, Ted Lemon <mellon@fugue.com> wrote:
>> >
>> > If the problem is attributing flows to particular users, then you need
>> a way to associate a particular flow with a particular user. The easiest
>> way to do this is with the IP address of the non-server endpoint of the
>> flow (that is, the IP address the surveilled device is using to
>> communicate). So you have two things you need to do to be able to
>> successfully do this attribution:
>> >
>> > 1. Establish an association between a device/user and every IP address
>> that device will use to communicate with other devices where surveillance
>> is required.
>> > 2. Make sure only the owner of the device is able to successfully use
>> each such IP address to communicate.
>> > 3. Maintain a record of what IP addresses were in use by what devices
>> during what time periods.
>> >
>> > So, DHCPv6 IA_NA and DHCPv6 address registration provide a way for a
>> host to communicate the IP addresses it is using to a DHCPv6 server. The
>> DHCPv6 server can log these addresses. It can also reach out and enable
>> those addresses on the per-port filter for ethernet, or per 802.1x identity
>> for WiFi. This is all stuff we've talked about many times before.
>> >
>> > One slight issue we'd need to be sure of is that the DHCPv6 address
>> registration packet comes from a link-local address, so that it's not
>> filtered. I think that's contrary to what the document currently says.
>> >
>> >
>> > On Tue, Jan 2, 2024 at 9:54 AM Ole Troan <otroan@employees.org> wrote:
>> > Since the network has to do enforcement anyway, then it can do so with
>> existing mechanisms.
>> > Are you suggesting that network enforcement of devices somehow become
>> easier with the proposed mechanism?
>> > If so, how exactly?
>> >
>> > O.
>> >
>> > > On 2 Jan 2024, at 15:49, Ted Lemon <mellon@fugue.com> wrote:
>> > >
>> > > Presumably if the user disables tracking on their host, the network
>> won't allow them transit, so problem solved. Without that enforcement
>> mechanism, there's no point in implementing DHCPv6-based tracking: the
>> notion that you can just assume based on the source address that the packet
>> originated from a particular host is actively harmful, because it creates
>> an opportunity for malware to spoof a host and engage in bad actions, which
>> will then be blamed on the legitimate owner of that host.
>> > >
>> > > Indeed, in order to be able to reliably attribute traffic from a
>> particular IP address to a particular host or user, the filtering would
>> need to be done in a way that can't be spoofed—at Tim says, using 802.1x
>> might prevent this since the packets are all signed with a per-host key (if
>> I understand it correctly—not claiming to be an expert).
>> > >
>> > > On Tue, Jan 2, 2024 at 9:33 AM Ole Troan <otroan@employees.org>
>> wrote:
>> > > > In order to disable it, you have to be on a network that allows
>> arbitrary devices to be DHCPv6 servers. So I think it's still useful, since
>> blocking DHCP from unauthorized servers isn't that hard. Even if you aren't
>> actively blocking it, finding a DHCPv6 server that's poisoning the well
>> isn't that hard.
>> > >
>> > > The user of a host that doesn’t want tracking can disable it for that
>> host.
>> > > Rendering the mechanism less than useful for the problem of tracking
>> hosts on a network.
>> > >
>> > > O.
>> >
>> >
>>
>>
>>

v2.23.0 | Report a Bug | By Email