Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Fernando Gont <fgont@si6networks.com> Tue, 07 February 2023 23:34 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2B7C14CE2D for <v6ops@ietfa.amsl.com>; Tue, 7 Feb 2023 15:34:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kXod49CQqBzZ for <v6ops@ietfa.amsl.com>; Tue, 7 Feb 2023 15:34:22 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47F3FC14F731 for <v6ops@ietf.org>; Tue, 7 Feb 2023 15:34:20 -0800 (PST)
Received: from [10.0.0.133] (unknown [186.19.8.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id EAACC280BC7; Tue, 7 Feb 2023 20:34:15 -0300 (-03)
Message-ID: <aca5adfd-422e-ff9e-6cdf-56dd4c9f284d@si6networks.com>
Date: Tue, 07 Feb 2023 20:34:12 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>
Cc: IPv6 Operations <v6ops@ietf.org>
References: <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com> <CAPt1N1keDFsseXVXqr8YuQgEDCHHusJxxpm-mS_vkdPyNqmEdQ@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <CAPt1N1keDFsseXVXqr8YuQgEDCHHusJxxpm-mS_vkdPyNqmEdQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/n3ap2e9Yo4otdbcrPMBVtB7ZkSg>
Subject: Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 23:34:25 -0000
Hi, Ted, Thanks for weighing in! In-line.... On 7/2/23 10:33, Ted Lemon wrote: > This seems like fairly iffy advice, which is perhaps not surprising > given that the discussion you’re trying to ameliorate seems unrealistic. > Thanks for trying to do something to improve it! At the very least, the intent is to document the challenges and constraints. > Block lists for ip addresses might be useful, but I suspect are more > likely to cause operational issues—eg I’ve had addresses i use blocked > because someone did something nefarious from them previously. Agreed on this. Part of the motivation for this document is that, aside from the usual challenges of IP reputation (like the one you describe), there are new considerations when this is done for the IPv6 case.... > Where they are appropriate, it is likely because the owner of the full > delegation is untrustworthy, in which case it would make sense to block > the whole range, or even refuse whatever route they publish. > > It doesn’t make sense to try to use DHCPv6 or disable temporary > addresses in order to enable the continued use of single-address block > lists, and mentioning it in an IETF document seems harmful. The question here is: can you implement ACLs for just a single /128? Or is the only option to implement ACLs with e.g. a /64 granularity? > The problem > is that the operator who would be motivated to do this doesn’t control > the address space that is the source of the problem, so they can’t force > the owner of that address space to use DHCPv6 or disable temporary > addresses. Probably the text was clear enough: this part of the text is mean to discuss ACLs for your own resources. e.g., I control a GCP and an AWS VPC... is there a way to do /128 ACLs, or should I just use /64 ACLs? e.g., in my case, my addresses have manual or DHCPv6 configuration -- and hence /128 ACLs are possible. > Instead, this advice will likely be taken to mean that the use of SLAAC > is generally bad, and should be prevented. This would be a very bad > outcome. We might want to note that we're actually discussing stable vs temporary addresses. -- it just happens that SLAAC temporary addresses are widely supported and deployed, whereas DHCPv6 temporary addresses aren't. Hence, DHCPv6 typically results in only stable addresses, even when, in theory, that need not be the case. > Similarly, your observations about /56 delegations making it possible > for a host to pretend to be multiple hosts are likely to discourage ISPs > from offering delegations larger than /64, which again would be an > unfortunate outcome. Well, but... is the observation technically incorrect? > The simple advice which I think is appropriate for the context you > described is simply to point out that with IPv6, prefixes are the > identifier, not individual addresses. The rest is too much. Then the next obvious question is: what prefix size? Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
- [v6ops] Fwd: (IETF I-D): Implications of IPv6 Add… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Vasilenko Eduard
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… David Conrad
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Ted Lemon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Vasilenko Eduard
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Henri Alves de Godoy
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Simon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Fernando Gont