Re: [v6ops] draft-smith-v6ops-local-only-addressing

Ole Troan <otroan@employees.org> Mon, 02 December 2019 21:33 UTC

From: Ole Troan <otroan@employees.org>
In-Reply-To: <6CF0CF5C-7E72-4E21-A476-3A5A65DBF7FA@gmail.com>
Date: Mon, 02 Dec 2019 22:33:06 +0100
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Message-Id: <F2E9EB76-756C-41FF-9AC3-2E7B18DE1A3E@employees.org>
References: <SN6PR05MB57109A5048345A6B2ECD6C5EAE410@SN6PR05MB5710.namprd05.prod.outlook.com> <8237CDA6-DF99-43BB-8FFD-FC06179F5C75@employees.org> <6CF0CF5C-7E72-4E21-A476-3A5A65DBF7FA@gmail.com>
To: Fred Baker <fredbaker.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/fZ8BddLikS6XT3wdNI9DZCPrAqE>

Hi Fred,

> I think you're thinking of an opsec draft by Michael Behringer, https://tools.ietf.org/html/rfc7404. In essence, it suggests that routers only talk with each other and their local hosts using link-layer addressing in the "destination" address. 
> 
> To my way of thinking, forcing that for all sessions means that one cannot access a device from a system that it is not directly connected to. Michael's proposal was in essence to prevent attacks on routers, permitting them to white-list network management devices and exclude pretty much everything else. Doing that for hosts would make the network pretty useless, I suspect. 

No, it wasn't that one.
It was very much along Mark's lines of increasing security by controlling reachability and scope of addressing to end hosts.
Perhaps it was just something he talked about when he and Eric did advanced-security.

Regardless, it seems like a fine idea. Devices that have no business being on the Internet should, as Mark proposes, by default not have a global address.
Now you might argue: are there really any such devices?

Cheers,
Ole

> 
>> On Dec 2, 2019, at 12:14 AM, Ole Troan <otroan@employees.org> wrote:
>> 
>> 
>> 
>>> On 30 Nov 2019, at 21:14, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>>> 
>>> draft-smith-v6ops-local-only-addressing
>> 
>> I believe Townsley, or was it Vyncke, described a security model where a device by default would only accept incoming connections on link-local or ULA addresses.
>> The device would have a global address that could be used for outbound connections, e.g. software updates.
>> I can't find or recall exactly where they described this model.
>> 
>> Best regards,
>> Ole
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>
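The model Ole describes (a global address kept for the flows the host itself initiates, new inbound connections accepted only on link-local or ULA addresses) can be written down as a host policy. The following is an added, constructed illustration of that model; it is not code from draft-smith-v6ops-local-only-addressing, from RFC 7404, or from anyone in this thread. It classifies each destination address by scope, decides whether a new inbound connection is accepted, runs that over a handful of constructed sample packets, and emits an equivalent nftables ruleset. The sample addresses (2001:db8::/32, fd12:3456:789a::/48), the "established" flag standing in for conntrack state, and the table and chain names are all my assumptions.

```python
"""Inbound policy keyed on IPv6 address scope.

Constructed illustration (not code from draft-smith-v6ops-local-only-addressing
or from anyone in the thread): a host keeps a global address for the flows it
initiates, but a *new* inbound connection is accepted only if it is addressed
to a loopback, link-local or unique-local (ULA) address.  Reply traffic for
host-initiated flows is accepted regardless of scope, so outbound use of the
global address (e.g. fetching software updates) keeps working.
"""
import ipaddress
from enum import Enum


class Scope(Enum):
    LOOPBACK = "loopback"
    LINK_LOCAL = "link-local"
    ULA = "unique-local"
    GLOBAL = "global-unicast"
    OTHER = "other"          # multicast, IPv4-mapped, unspecified, ...


LINK_LOCAL_NET = ipaddress.IPv6Network("fe80::/10")   # RFC 4291
ULA_NET = ipaddress.IPv6Network("fc00::/7")           # RFC 4193 (only fd00::/8 is assigned today)
GLOBAL_NET = ipaddress.IPv6Network("2000::/3")        # currently allocated global unicast space


def scope_of(addr: str) -> Scope:
    """Classify a textual IPv6 address; a zone id such as fe80::1%eth0 is stripped first."""
    a = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if a.is_loopback:
        return Scope.LOOPBACK
    if a in LINK_LOCAL_NET:
        return Scope.LINK_LOCAL
    if a in ULA_NET:
        return Scope.ULA
    if a in GLOBAL_NET:
        return Scope.GLOBAL
    return Scope.OTHER


def accept_inbound(dst: str, established: bool = False) -> bool:
    """Decide whether a packet destined to `dst` may enter the host.

    `established` stands in for the connection tracker's ESTABLISHED/RELATED
    state (an assumption of this example): replies to flows the host opened are
    always allowed.  Anything else is allowed only on local-scope addresses.
    """
    if established:
        return True
    return scope_of(dst) in (Scope.LOOPBACK, Scope.LINK_LOCAL, Scope.ULA)


# Constructed sample traffic: (description, destination address, established?)
SAMPLE_PACKETS = [
    ("SSH from the LAN to the ULA address",          "fd12:3456:789a::10", False),
    ("service probe to the link-local address",      "fe80::1%eth0",       False),
    ("unsolicited SYN from the Internet to the GUA", "2001:db8:1::10",     False),
    ("reply from an update server to the GUA",       "2001:db8:1::10",     True),
    ("packet to an IPv4-mapped address",             "::ffff:192.0.2.1",   False),
]


def decisions() -> dict:
    """Run the policy over SAMPLE_PACKETS; returns {description: accepted}."""
    return {desc: accept_inbound(dst, est) for desc, dst, est in SAMPLE_PACKETS}


def nftables_ruleset() -> str:
    """Equivalent host firewall as an nftables ruleset (table/chain names are my choice).

    The ICMPv6 line is the caveat a pure address-scope rule misses: neighbour
    discovery and router advertisements are not covered by conntrack state, and
    PMTUD needs packet-too-big, so those types must be accepted on any address.
    """
    return """table inet local_only {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } accept
    ip6 daddr fe80::/10 accept
    ip6 daddr fc00::/7 accept
  }
}
"""


if __name__ == "__main__":
    for desc, ok in decisions().items():
        print(f"{'ACCEPT' if ok else 'DROP  '}  {desc}")
    print(nftables_ruleset())
```

Two points worth checking before deploying something like this on a real host: the global address is still reachable for reply traffic, so the policy only removes unsolicited inbound reachability, not the address itself; and the ICMPv6 exceptions are not optional, since dropping neighbour solicitations or packet-too-big messages to the global address silently breaks the very outbound connections the global address exists for.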