IETF Logo Mail Archive

Re: [v6ops] Please review the No IPv4 draft

Nick Hilliard <nick@foobar.org> Tue, 29 April 2014 21:39 UTC

Return-Path: <nick@foobar.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F182F1A0950 for <v6ops@ietfa.amsl.com>; Tue, 29 Apr 2014 14:39:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2dtxTonABZo for <v6ops@ietfa.amsl.com>; Tue, 29 Apr 2014 14:38:58 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) by ietfa.amsl.com (Postfix) with ESMTP id 6F4B11A0957 for <v6ops@ietf.org>; Tue, 29 Apr 2014 14:38:57 -0700 (PDT)
X-Envelope-To: v6ops@ietf.org
Received: from cupcake.foobar.org ([IPv6:2001:4d68:2002:100::110]) (authenticated bits=0) by mail.netability.ie (8.14.8/8.14.5) with ESMTP id s3TLcrCN075190 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 29 Apr 2014 22:38:54 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.netability.ie: Host [IPv6:2001:4d68:2002:100::110] claimed to be cupcake.foobar.org
Message-ID: <53601BED.4050200@foobar.org>
Date: Tue, 29 Apr 2014 22:38:53 +0100
From: Nick Hilliard <nick@foobar.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Ted Lemon <ted.lemon@nominum.com>
References: <9B4139A3-77F7-4109-93AD-A822395E5007@nominum.com> <m24n1l8i1a.wl%Niall.oReilly@ucd.ie> <3BA3E5A3-4385-43CE-B73F-A0686AA31B4E@nominum.com> <m238gxpgrt.wl%Niall.oReilly@ucd.ie> <73221D87-5F50-4689-AA42-553AF757ABF5@nominum.com> <m2mwf59uht.wl%Niall.oReilly@ucd.ie> <7310412C-64E9-4A11-9812-92A969082131@nominum.com> <20140428190804.GK43641@Space.Net> <446A720E-1128-4FFF-BB3B-780EACA9610B@nominum.com> <535EBC20.10900@foobar.org> <20140428213045.GL511@havarti.local> <19B5B5AB-FF86-408B-8E73-D5350853965B@foobar.org> <3563D9EE-CD40-4E75-A1CB-C3FB50EEEBC4@nominum.com> <535F3624.4020801@foobar.org> <alpine.DEB.2.02.1404290726011.29282@uplift.swm.pp.se> <535F3A8C.2050902@foobar.org> <E68028C1-2E6D-4D07-A113-60757457E286@nominum.com> <535F99A9.3030402@foobar.org> <0C03200E-B349-44D4-BE3F-512AD6A7A417@nominum.com> <535FCB2C.3030502@foobar.org> <8DB83B3D-D09C-4977-9B4F-75EA2DD3B71D@nominum.com>
In-Reply-To: <8DB83B3D-D09C-4977-9B4F-75EA2DD3B71D@nominum.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/g7LskhSoVeuTN8xTurI7r4cSVXg
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Please review the No IPv4 draft
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 21:39:03 -0000

On 29/04/2014 17:08, Ted Lemon wrote:
> It also doesn't establish it.   That was what I was asking for earlier.
> I think that if there is a serious gap here, the working group should
> consider that.   But we haven't actually established that such a gap
> exists.   My intuition is that you may be right about this, but I'd like
> to go on more than intuition.

there are three issues here: 1. how much kit out there that doesn't support
ra guard / dhcpv6 snooping or basic ipv6 acls on l2 ports, 2. for the kit
that does support these features, how good is that support and 3. how
important this is to the noipv4 proposal.

#1 is highly platform specific and depends on both hardware and software
support. e.g. Cisco Nexus 3000 doesn't support ipv6 acls on L2 ports.
cisco nexus 1000v doesn't support ipv6 acls at all.  Cisco 6500 boxes
support ra guard but not dhcpv6 guard.  Brocade ironware boxes will support
IPv6 ACLs, but can only install them on L2 ports on certain platforms, and
even then only if you don't have mac filters installed on those ports.
Same mac||ip filter problem on netiron s/w.

#2 is complicated enough that Fernando Gont wrote an ID on the topic.  Many
platforms are subject to the sort of fragmentation / extension header
evasion techniques that Fernando describes.  The only switch which I've
heard to support ra guard for difficult packets is the windows hyperv
soft-switch.  Hardware forwarded switches seem to be particularly prone to
the problem

#3: the ietf is fully within remit to write this off as an operational
issue and not a protocol problem, and that if your ipv6 first hop security
mechanism is broken, then you have bigger problems.  While this is
undoubtedly true, the draft will create the requirement for all networks -
including legacy ones - to protect against rogue RA / DHCPv6 packets
because otherwise you could find that newer clients on unprotected legacy
networks would be susceptible to having their ipv4 stacks shut down if
someone with a sense of humour starts playing around.

#3 means that the network operator must be trusted.  I don't trust many of
the networks that I connect to because sometimes operators and other agents
are malicious and I expect my phone / laptop / etc not to be particularly
interfered with by their malice.  The level of policy interference from
this ID is very large indeed.

Nick

v2.23.0 | Report a Bug | By Email