Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Mon, 24 September 2012 20:37 UTC

Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7090A21F88E8 for <v6ops@ietfa.amsl.com>; Mon, 24 Sep 2012 13:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.915
X-Spam-Level:
X-Spam-Status: No, score=0.915 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, FROM_LOCAL_NOVOWEL=0.5, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lKvLdrr7f8rC for <v6ops@ietfa.amsl.com>; Mon, 24 Sep 2012 13:37:23 -0700 (PDT)
Received: from nm2.bullet.mail.ne1.yahoo.com (nm2.bullet.mail.ne1.yahoo.com [98.138.90.65]) by ietfa.amsl.com (Postfix) with SMTP id 8D30521F88E7 for <v6ops@ietf.org>; Mon, 24 Sep 2012 13:37:23 -0700 (PDT)
Received: from [98.138.90.54] by nm2.bullet.mail.ne1.yahoo.com with NNFMP; 24 Sep 2012 20:37:14 -0000
Received: from [98.138.87.9] by tm7.bullet.mail.ne1.yahoo.com with NNFMP; 24 Sep 2012 20:37:14 -0000
Received: from [127.0.0.1] by omp1009.mail.ne1.yahoo.com with NNFMP; 24 Sep 2012 20:37:14 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 945054.46818.bm@omp1009.mail.ne1.yahoo.com
Received: (qmail 75375 invoked by uid 60001); 24 Sep 2012 20:37:14 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s1024; t=1348519034; bh=JzRan45Q1NOgcfXNfNn7w6EpasfIrE/9g894h2EuTCM=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=nF+n9A3iWZEmtq8QsJ2KHyVrKwKmjQnGyYEhD+VB+YWhVy7G7zby863mxo9DtKgvTOluI3l6sHjr73j1OULq48C5LeCDp6APRlOEIJA4iPdpBGO9OOGOkCMvQX2V1evmBMV5bNcVRiIGvjKuIGLhj/r1faFwAKp5TZz7QnyrN1o=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=L1EKxK5jEhe2w5RGOMoiSQOfCX6Kt7yrK9s2dGM60w+MRRVqIPLRIHSLNu9LqPiX2CoGPmQXaaO4S7RyecOQgEI1wf8YCfu7IO9hgmPILp90IJoY0PNpEkfNjXl6SSwMaTAuPzw8B9qzpYvGCTcFmaphP2K3SdRAMmY+aiJbTts=;
X-YMail-OSG: f5Hei64VM1kkbNPDlxFreoHtnG1IVwqgntASEqO7w98IxmR msYv3zIpSTqVG_tdVtI6qkiiNbd..i1J5jXmMSYwuhZna5S0wL1rc2DE_GTe wewJX7GEyRYzfYCXqnyJ7nX1z7GjizLlgWF9SGTn_gCCmnwefDILQDlSKCiF mElcxOEF5lkjD9kFjLwAnCIWfHRjOk4TVyKva7NZAUT1KbYlBttShhDLI17P v8UbfxmVYd0zW0IXmDieaA5pXFbXJoVZgoauRnK29YBO_re5TVhV1ytaEw1a JmSAtFHLVQl1oWD5VlWLjykCFfg2wOKdlLGbUfwLOlBrYQthy.Z5c.3bMTWz 2fpMJ.SvfJt7khGMrVpjUGstlkcaMKuzRWsi12hQynd6vQrXUcGvfG0MXTVX DFjxky58n3XNcrQ_NK0SDIhqQWWhuyJiqdYMqQBhfCHBy3sRUNZKmFU1Suz3 aGQgBz8W1UHg3sa_xLvxxYHXwbLRepEUFGNvfOTDI8tBFnP_g9EbSc2G0Xa9 L1g--
Received: from [150.101.221.237] by web32503.mail.mud.yahoo.com via HTTP; Mon, 24 Sep 2012 13:37:14 PDT
X-Mailer: YahooMailWebService/0.8.121.434
References: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D8FF@RZJC1EX.jr1.local>
Message-ID: <1348519034.47465.YahooMailNeo@web32503.mail.mud.yahoo.com>
Date: Mon, 24 Sep 2012 13:37:14 -0700
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>, IPv6 Ops WG <v6ops@ietf.org>
In-Reply-To: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D8FF@RZJC1EX.jr1.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 20:37:24 -0000

Hi Stefan,

----- Original Message -----

> From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>
> To: IPv6 Ops WG <v6ops@ietf.org>
> Cc: 
> Sent: Tuesday, 25 September 2012 4:03 AM
> Subject: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
> 
> 
> Hi Folks,
> 
> RFC5157 presents hazards of sequentially numbering IPv6 networks and technical 
> means (like CGAs and privacy extensions) to mitigate them. Unfortunately these 
> mitigation methods may be deemed difficult to handle for administrators (SEND 
> may be too complicated to implement, PEs bring difficulties to keep track of IP 
> addresses). Therefore there may be demand for an addressing scheme (rather than 
> a technical method) that makes IPv6 addresses easy to predict for tech staff but 
> difficult to do so by outsiders, building a low-end supplement for the methods 
> mentioned in RFC5157.


I think it might be worth having a bit more of a think about who might be inclined to attack you - for a typical non-Internet services organisation, I think it's more likely going to be 
disgruntled ex-staff, and it'll be hard to make them forget "numbers" / addresses or prevent them copying the mapping application if they have an inkling they're going to get fired.


> 

> What I have in mind is an simple mental arithmetic operation, which generates an 
> address out of a company fixed part plus a sequential number for host. 
> Alternatively a Hash-Operation consisting again of a secret organisational plus 
> a sequential host number. The first requires the scheme to be slightly different 
> in every organisation in order to have a negative impact on IPv6 scanning from 
> external sources, the second is more secure but requires an internal web site or 
> smartphone app in order for field engineers to calculate an address out of the 
> sequential information.
> 

It sounds like here you're talking about a subnet numbering scheme. The common prefix size for most organisations is going to be /56 or 256 /64 subnets, or /48 or 65K /64 subnets. Many providers seem to be leaning towards /56s unless their customers ask for a /48, which provides very little address space to effectively hide the in-use subnet numbers from a scanning based attack (and that's one of the reasons why I'd be giving customers /48s from the outset). One advantage though of IPv6 is that it is possible to phase in and phase out addressing using the address/prefix lifetimes mechanism, so it would be possible to change assigned in your network prefixes on e.g. a weekly basis.

If your fundamental goal is to make internal links unreachable from the Internet, they can be not assigned a global prefix, and numbered from either the ULA address space (RFC4193) or left as link-locals only ("unnumbered"). You may be interested in the following, which discusses link-local only addressing -

"Using Only Link-Local Addressing Inside an IPv6 Network"
http://tools.ietf.org/html/draft-behringer-lla-only-01


Regards,

Mark.

> My question is, in your opinion, would this be worthwhile to be formulated as an 
> ID an be drafted or does this idea sound absurd?
> 
> 

> Cheers,
> 
> Stefan
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>