IETF Logo Mail Archive

Re: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 22 April 2022 20:01 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F533A1427; Fri, 22 Apr 2022 13:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7YvJo_2XFaN; Fri, 22 Apr 2022 13:01:15 -0700 (PDT)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D45143A1437; Fri, 22 Apr 2022 13:01:14 -0700 (PDT)
Received: by mail-pf1-x42f.google.com with SMTP id y14so8173508pfe.10; Fri, 22 Apr 2022 13:01:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=h1IlUFu9SHcIkIhsGgMHXrdCtAjutLjHLrweaJTR1es=; b=qlF9G90nv1TcIA3S7hCluIEF4HaM2sElDLRBpYFvGj74pC369z8JPtzYqs4NrRWdK7 2slbdXEsWUDFum2VRgDoVDcpGsqX0uki0a1iQ884fUAZn8INtGXjZ4p031GIgRscJZFk 04PFrlFCbaVlqFSUPWDnOhzakJ/olFZhDXlOKHugXpn2SY+DW6FpKkdyKCr5XaaL2s+B 4A6bY+b3SUrteXkMmXlu0KQNp8vELyHLNMSnHXsd9P72LQS8CX6s+0rY7NFBZe86SEdE yc1ed5GoM7B7qkESjk9AI5WAQ9tAcN8ycpIeyLQN9OZDSs3yh/kVFG4REEt0r9dstr9Y PN8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=h1IlUFu9SHcIkIhsGgMHXrdCtAjutLjHLrweaJTR1es=; b=CJKvd4aMiK91oj58yAPBSLTidbuVJ4SJFiunlcGOSrJXC8ibX6CddG8+8aHjhd/aSG 7fNImhE6pl6Qj+EVMDhwvD+DEfDE5TvS2XvSCVwjWVP2iI+ibW4LrmQFnuEpz10RWzgQ SiMgvcxRqalERtIk6C7LLwgyccRBswgy2n6cYk8d+6l0S/VEWF+OuBEvT/ICY5aQCcrc wJa+XGGZq3DI8MHhA4insuUkBlTROu/F5P51+ppZVf2awFF+ose3dT/RN0RPIbBiomfl 6ChCvm5q09iVGGZYmB9s975a37UL2h9fVl0+u7LPo1eYLZJxmncLPOEftnmEtQumxPxG /gFA==
X-Gm-Message-State: AOAM532asaZjjBzX0eRjdYfGioqyXxhXom6OurUnlEcpidDaLtkhaKeb 9hB4JpycqWaa+1Z07ClUe3hJ0bvgzVA3q9mY
X-Google-Smtp-Source: ABdhPJzKWuUXDO8rcwOx5rnjNmaBix/NanlJhlJcX6KP2vIO6HDFL+3nqfc8eFnmGYaQzlcd4eLvFw==
X-Received: by 2002:a05:6a00:a85:b0:4e0:57a7:2d5d with SMTP id b5-20020a056a000a8500b004e057a72d5dmr6663213pfl.81.1650657673632; Fri, 22 Apr 2022 13:01:13 -0700 (PDT)
Received: from [10.248.23.127] ([125.168.223.160]) by smtp.gmail.com with ESMTPSA id e126-20020a621e84000000b0050567191161sm3386892pfe.210.2022.04.22.13.01.10 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 22 Apr 2022 13:01:12 -0700 (PDT)
To: Fernando Gont <fernando.gont@edgeuno.com>, V6 Ops List <v6ops@ietf.org>
Cc: draft-ietf-v6ops-ipv6-deployment@ietf.org
References: <3008655b-2af6-7df0-1302-63cf81bad8b4@edgeuno.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <fa919654-7855-8896-0166-1c7286ea0ec1@gmail.com>
Date: Sat, 23 Apr 2022 08:01:07 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <3008655b-2af6-7df0-1302-63cf81bad8b4@edgeuno.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/kpba3ITNvkDOTKQP4PCR5FIEdPg>
Subject: Re: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 20:01:20 -0000

Fernando's points are all correct.

Some people may remember that we killed draft-ietf-iab-case-for-ipv6 20 years ago because it made too many dubious public relations claims for IPv6. The current draft still has similar problems.

On one point, I believe that there are measured scenarios where IPv6 performance is better than IPv4, and the opposite, but a general claim without data definitely does more harm than good.

(The authors of https://www.researchgate.net/publication/335865993_IPv6_in_production_its_deployment_and_usage_in_WLCG may have current data, for example.)

Regards
    Brian Carpenter

On 22-Apr-22 23:48, Fernando Gont wrote:
> HI, All,
> 
> Apologies for the bad timing (I guess it could still be worse... i.e.,
> past IETF-LC ;-)  ).
> 
> I've read through the I-D, and it seems that there are a number of
> claims that seem to be technically inaccurate.
> 
> These are my comments:
> 
> 
> * Section 6, page 24:
> 
> "   4.  Future Proof: IPv6 was designed from scratch to be future-proof,
>          despite some incompatibilities with IPv4. "
> 
> Isn't IPv6 *fully* incompatible with IPv4?
> 
> 
> * Section 6, page 24:
>    "     A side effect to that, this approach brings the
>          connectivity model back to the end-to-end client/server
>          paradigm."
> 
> It's not just NATs, but firewalls and other middle-boxes. So no, I think
> that ship has sailed already. (see e.g.:
> https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-addressing-considerations#section-4.3)
> 
> 
> * Section 6, page 24:
>         "The introduction of new functionality is
>          one of the technical benefit of IPv6 due to the flexible
>          structure of the packet header.  The IETF is currently active in
>          defining operational recommendations for the usage of Extension
>          Headers and Options left open by the base standards."
> 
> But then Geoff Huston argues in
> https://blog.apnic.net/2022/03/25/notes-from-the-iepg-meeting-at-ietf-113/
> that:
> 
> "....all IPv6 extension headers are unusable in the public IPv6 Internet
> and proposals to carry information in such headers are completely
> unrealistic in this context. The conclusion is simple: If you want to
> deploy a robust service on the IPv6 public Internet then you should
> avoid any use of extension headers."
> 
> 
> 
> * Section 7.5, page 31:
> 
> "  There are some concerns in terms of the security but, on the other
>      hand, IPv6 offers increased efficiency.  There are measurable
>      benefits to IPv6 to notice, like more transparency, improved
>      mobility, and also end to end security (if implemented)."
> 
> This is wrong, or misleading at best.
> 
> First of all, you're discussing security, and you;re kind of saying
> "IPv6 security is bad... but well, the protocol is fast" -- in the
> context of a discussion of security, who cares about the later? :-)
> 
> The statement that IPv6 offers increased efficiency is also misleading.
> If you;re going to make that claim, please provide a reference. (Note:
> measurements tend to argue the other way around).
> 
> "Improved mobility" probably refers to mobile-IP. But, what's the level
> of mobile-ip deployment/usage?  Do folks still have any hopes on mobile 
ip?
> 
> "End to end security" might also be misleading. You can deliver "end to
> end security" with IPv4 as well.
> 
> 
> * Section 7.5, page 31:
> 
> "  However, this is turning also in the other way around, as with more
>      IPv6 deployment there may be older IPv4 flaws not discovered or even
>      not resolved anymore by vendors."
> 
> Are you really expecting that vendors will stop patching IPv4
> vulnerabilities anytime soon?
> 
> 
> * Section 7.5.1, page 31:
> 
> "Since it is used in many IPv6 related
>      protocols, ICMPv6 packet with multicast address should be filtered
>      carefully to avoid attacks."
> 
> Multicast packets don;t generally represent an issue, since in most
> networks you won't have multicast routing, anyway.
> 
> 
> * Section 7.5.2, page 33:
> 
> A reference to RFC8990 is probably warranted here.
> 
> 
> 
> * Section 7.5.2, page 33:
> 
> "   IPv6 Extension Headers imply some issues, in particular their
>      flexibility also means an increased complexity, indeed security
>      devices and software must process the full chain of headers while
>      firewalls must be able to filter based on Extension Headers."
> 
> At the risk of sounding our own horn, a reference RFC9098 is probably
> warranted here.
> 
> 
> 
> * Section 7.5.2, page 33:
> 
> "   Additionally, packets with IPv6 Extension Headers may be dropped in
>      the public Internet."
> 
> Ditto for RFC7872.
> 
> 
> * Section 7.5.2, page 33:
> 
>     "Some documents, e.g.
>      [I-D.hinden-6man-hbh-processing], [I-D.bonica-6man-ext-hdr-update],
>      [I-D.peng-v6ops-hbh] analyze and provide guidance regarding the
>      processing procedures of IPv6 Extension Headers."
> 
> They don't really provide guidance, but rather aim at changing the
> standard. Please also note that all of them seem to be individual
> submissions, and not wg documents.
> 
> 
> * Section 7.5.2, page 33:
> 
> "   There are some possible attacks through EHs, for example RH0 can be
>      used for traffic amplification over a remote path and it is
>      deprecated. "
> 
> One should not that probably most IPv6-related vulnerabilities have been
> associted with implementation flaws in the processing of IPv6 extension
> headers.
> 
> 
> * Section 7.5.2, page 33:
>     "There are some possible attacks through EHs, for example RH0 can be
>      used for traffic amplification over a remote path and it is
>      deprecated.  Other attacks based on Extension Headers are based on
>      IPv6 Header Chains and Fragmentation that could be used to bypass
>      filtering, but to mitigate this effect, Header chain should go only
>      in the first fragment and the use of the IPv6 Fragmentation Header 
is
>      forbidden in all Neighbor Discovery messages.
> 
>      Fragment Header is used by IPv6 source node to send a packet bigger
>      than path MTU and the Destination host processes fragment headers.
>      There are several threats related to fragmentation to pay attention
>      to e.g. overlapping fragments (not allowed) resource consumption
>      while waiting for last fragment (to discard), atomic fragments (to 
be
>      isolated)."
> 
> A reference to RFC8200 is probably warranted here. Also one to RFC6980.
> 
> 
> 
> 
> * Section 7.5.2, page 33:
>    " A lot of additional functionality has been added to IPv6 primarily 
by
>      adding Extension Headers and/or using overlay encapsulation."
> 
> But then Geoff Huston argues in
> https://blog.apnic.net/2022/03/25/notes-from-the-iepg-meeting-at-ietf-113/
> that:
> 
> "The high order takeaway from both of these measurements is that all
> IPv6 extension headers are unusable in the public IPv6 Internet and
> proposals to carry information in such headers are completely
> unrealistic in this context. The conclusion is simple: If you want to
> deploy a robust service on the IPv6 public Internet then you should
> avoid any use of extension headers."
> 
> 
> 
> * Section 7.5.2, page 33:
>      "All of
>      the these expand the packet size and this could lead to oversized
>      packets that would be dropped on some links.  It is important to
>      investigate the potential problems with oversized packets in the
>      first place. "
> 
> In many (most?) cases, it's the presence of IPv6 EHs or the length of
> the EH chain that leads to drops, rather than the overall packet size
> itself.
> 
> Thanks!
> 
> Cheers,
> --
> Fernando Gont
> Director of Information Security
> EdgeUno
> PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
> 
> 
> 
> 
> “This communication is the property of EdgeUno or one of its group companies and/or affiliates. This electronic message contains information which may be privileged or confidential. The information is intended 
to be for the exclusive use of the individual(s) named above and if you are not the intended recipient be aware that any non-explicitly authorized 
disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, 
and will be considered a criminal offense. Please notify legal@edgeuno.com about the unintended receipt of this electronic message and delete it.”
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email