Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Henri Alves de Godoy <henri.godoy@fca.unicamp.br> Wed, 08 February 2023 20:11 UTC

From: Henri Alves de Godoy <henri.godoy@fca.unicamp.br>
Date: Wed, 08 Feb 2023 17:09:22 -0300
Message-ID: <CALRKgT7r6nzsarRtOBnA49GQxTz6EgbXL4DXt+EsaS22X0aY=g@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: IPv6 Operations <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/jRvwzvOrPmnFqkg_VwW4X_ew-1I>

Hi Fernando,

Let's say that ACL in the IPv6 world is pretty unknown and not covered
much. Many people don't want and resist IPv6 because of ACL. They don't
understand how to do it, so this document is necessary to clear up many
obscure points.

Practicing an ACL for a simple /128 is unfeasible and leads us to inherited
thoughts and habits from IPv4.

We have always learned that IPv6 can deliver entire networks and is no
longer a simple IP.

The document goes in the right direction in guiding and stating its
implications but not forcing a practice. The network professional needs to
understand and change the habits of using ACL in IPv6.

For example, I use fail2ban, and despite reporting a /128, I temporarily
block the network address /64 when alarmed in the report. But this is an
action from my point of view.

Thanks,
Henri.

On Tue, Feb 7, 2023 at 01:29, Fernando Gont <fgont@si6networks.com>
wrote:

> Folks,
>
> FYI, this one is targeted at opsec, but might be of interest to this group:
>
> * TXT:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
>
> Thanks!
>
> Regards,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: (IETF I-D); Implications of IPv6 Addressing on Security
> Operations (Fwd: New Version Notification for
> draft-gont-opsec-ipv6-addressing-00.txt)
> Date: Fri, 3 Feb 2023 01:28:17 -0300
> From: Fernando Gont <fgont@si6networks.com>
> To: opsec@ietf.org
>
> Hi, All,
>
> I happened to participate in an IPv6 deployment meeting with some large
> content provider. Eventually there was a discussion about how to
> mitigate some attacks using block-lists, and they argued that they ban
> offending addresses (/128 for the IPv6 case), following IPv4 practices.
> While they had already deployed IPv6, some of the associated
> implications arising from the increased address space seemed to be
> non-obvious to them.
>
> So that's what motivated the publication of this document.
>
> * TXT:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
>
> Comments welcome!
>
> Thanks,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-opsec-ipv6-addressing-00.txt
> Date: Thu, 02 Feb 2023 19:48:40 -0800
> From: internet-drafts@ietf.org
> To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont
> <ggont@si6networks.com>
>
>
> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name:           draft-gont-opsec-ipv6-addressing
> Revision:       00
> Title:          Implications of IPv6 Addressing on Security Operations
> Document date:  2023-02-02
> Group:          Individual Submission
> Pages:          8
> URL:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
>
>
> Abstract:
>     The increased address availability provided by IPv6 has concrete
>     implications on security operations.  This document discusses such
>     implications, and sheds some light on how existing security
>     operations techniques and procedures might need to be modified to
>     accommodate the increased IPv6 address availability.
>
>
>
>
> The IETF Secretariat
>


--
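Added example, not part of the original message or of the draft: a sketch of the block-list practice discussed in this thread, where an offender reported as a single IPv6 address is banned at its enclosing /64 instead of as a /128. The function names, the /64 default and the sample addresses (taken from the documentation ranges 2001:db8::/32 and 192.0.2.0/24) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

V6_BAN_PREFIX = 64  # assumption: IPv6 ban granularity, as described in the message


def normalize(addr):
    """Parse a reported address; fold IPv4-mapped IPv6 back to plain IPv4."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %eth0
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def ban_target(addr, v6_prefix=V6_BAN_PREFIX):
    """Network to ban for one offender: /32 for IPv4, /v6_prefix for IPv6."""
    ip = normalize(addr)
    plen = 32 if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def build_blocklist(offenders, v6_prefix=V6_BAN_PREFIX):
    """Map each banned network to the number of distinct offenders inside it."""
    seen = defaultdict(set)
    for addr in offenders:
        seen[ban_target(addr, v6_prefix)].add(normalize(addr))
    return {str(net): len(ips) for net, ips in seen.items()}


def per_address_entries(offenders):
    """Entries an IPv4-style one-ban-per-address list would need."""
    return len({normalize(a) for a in offenders})


# Constructed sample of reported offenders (documentation prefixes only).
SAMPLE = [
    "2001:db8:a:1::10",
    "2001:db8:a:1:dead:beef:0:1",   # same /64, different interface identifier
    "2001:db8:a:1:ffff::2",         # same /64 again
    "2001:db8:b:2::1",
    "192.0.2.7",
    "::ffff:192.0.2.7",             # IPv4-mapped form of the same IPv4 host
]

if __name__ == "__main__":
    print("per-address entries:", per_address_entries(SAMPLE))
    for net, count in build_blocklist(SAMPLE).items():
        print(f"ban {net}  (distinct offenders seen: {count})")
```

The per-network count shows how many separate /128 entries one /64 ban replaces; a ban at that granularity also covers every other host in the same /64.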