Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
j h woodyatt <jhw@conjury.org> Thu, 21 February 2019 02:28 UTC
Return-Path: <jhw@conjury.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70BC9130F81; Wed, 20 Feb 2019 18:28:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b7Wu1e88nWUc; Wed, 20 Feb 2019 18:28:29 -0800 (PST)
Received: from mail.conjury.org (prime.conjury.org [174.136.98.234]) by ietfa.amsl.com (Postfix) with ESMTP id 713C1130F5C; Wed, 20 Feb 2019 18:28:29 -0800 (PST)
Received: from [IPv6:2607:f598:b0b2:cf00:d4fb:b027:be5d:c37d] (unknown [IPv6:2607:f598:b0b2:cf00:d4fb:b027:be5d:c37d]) by mail.conjury.org (Postfix) with ESMTPSA id BC5B7E6011; Wed, 20 Feb 2019 17:51:15 -0800 (PST)
From: j h woodyatt <jhw@conjury.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_433CA7B3-AB2C-47C5-AFCB-E81469EDFE57"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 20 Feb 2019 18:28:27 -0800
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <c86c9322-743c-477b-ad8a-373ce47ace6e@si6networks.com>
To: "6man@ietf.org" <6man@ietf.org>, IPv6 Operations <v6ops@ietf.org>
In-Reply-To: <c86c9322-743c-477b-ad8a-373ce47ace6e@si6networks.com>
Message-Id: <2EEFFB58-C665-48BF-B09E-5AF5A7CA91E6@conjury.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/o-Ougj8JUcYIBY0V37ekasrZGuo>
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 02:28:31 -0000
On Feb 20, 2019, at 17:13, Fernando Gont <fgont@si6networks.com> wrote: > > Given that RFC6092 recommends "only allow outgoing connections”... I certainly don’t remember writing that, and I just double-checked the text, and I’m pretty sure that recommendation is not in RFC 6092. The relevant portion is Section 3.4 Passive Listeners, I think, and it only goes so far as to say this: REC-49: Internet gateways with IPv6 simple security capabilities MUST provide an easily selected configuration option that permits a "transparent mode" of operation that forwards all unsolicited flows regardless of forwarding direction, i.e., not to use the IPv6 simple security capabilities of the gateway. The transparent mode of operation MAY be the default configuration. The recommendation to deny inbound flows to passive listeners by default, I believe, comes from RFC 4864, which says this on page 15: These should provide a default configuration where incoming traffic is limited to return traffic resulting from outgoing packets (sometimes known as reflective session state). The reason this is important: RFC 6092 includes all that special requirements language despite being Informational category because IPv6 Ready and various other groups were asking for guidance by which they could write their own standards for IPv6 Simple Security requirements, and IETF wanted to give them that guidance. And so, RFC 6092 was written with that aim in mind. RFC 4864 is just an Informational document that offers some opinionated assertions on the topic, and I would say it’s worth what you paid for it. As far as I know, IETF has not yet actually written a Standards Track RFC that says Internet gateways SHOULD (note well: requirements language) block inbound flows to passive listeners. I’d be interested to know if I’ve missed that news. In any case, my recollection is that it wasn’t the case when RFC 6092 was published. Shorter james: don’t blame me for this. I didn’t do it. --james woodyatt <jhw@conjury.org>
- [v6ops] A common problem with SLAAC in "renumberi… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Tassos Chatzithomaoglou
- Re: [v6ops] A common problem with SLAAC in "renum… Bernie Volz (volz)
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… Sander Steffann
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Sander Steffann
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… Philip Homburg
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Tarko Tikan
- Re: [v6ops] A common problem with SLAAC in "renum… Philip Homburg
- Re: [v6ops] A common problem with SLAAC in "renum… Tarko Tikan
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Sander Steffann
- Re: [v6ops] A common problem with SLAAC in "renum… Sander Steffann
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Philip Homburg
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Fred Baker
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… Joel M. Halpern
- Re: [v6ops] A common problem with SLAAC in "renum… Nick Hilliard
- Re: [v6ops] A common problem with SLAAC in "renum… Michael Richardson
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… Brian E Carpenter
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Christian Huitema
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Michael Richardson
- Re: [v6ops] A common problem with SLAAC in "renum… Michael Richardson
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Christian Huitema
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Andrews
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Christian Huitema
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Tore Anderson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Jen Linkova
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Jen Linkova
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Joel M. Halpern
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Jen Linkova
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Nick Hilliard
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… sthaug
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… j h woodyatt
- Re: [v6ops] A common problem with SLAAC in "renum… Manfredi (US), Albert E
- Re: [v6ops] A common problem with SLAAC in "renum… Nick Hilliard
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… Manfredi (US), Albert E
- Re: [v6ops] A common problem with SLAAC in "renum… Brian E Carpenter
- Re: [v6ops] A common problem with SLAAC in "renum… Lorenzo Colitti
- Re: [v6ops] A common problem with SLAAC in "renum… Manfredi (US), Albert E
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Erik Kline
- Re: [v6ops] A common problem with SLAAC in "renum… Erik Kline
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Erik Kline
- Re: [v6ops] A common problem with SLAAC in "renum… Brian E Carpenter
- Re: [v6ops] A common problem with SLAAC in "renum… j h woodyatt
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Erik Kline
- Re: [v6ops] A common problem with SLAAC in "renum… j h woodyatt
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… Tim Chown
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Timothy Winters
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Brian E Carpenter
- Re: [v6ops] A common problem with SLAAC in "renum… Manfredi (US), Albert E
- Re: [v6ops] A common problem with SLAAC in "renum… Brian E Carpenter
- Re: [v6ops] A common problem with SLAAC in "renum… Brian E Carpenter
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Gert Doering
- Re: [v6ops] A common problem with SLAAC in "renum… Manfredi (US), Albert E
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Tom Herbert
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Andrews
- Re: [v6ops] A common problem with SLAAC in "renum… Owen DeLong
- Re: [v6ops] A common problem with SLAAC in "renum… Lorenzo Colitti
- Re: [v6ops] A common problem with SLAAC in "renum… Lorenzo Colitti
- Re: [v6ops] A common problem with SLAAC in "renum… Tom Herbert
- Re: [v6ops] A common problem with SLAAC in "renum… Owen DeLong
- Re: [v6ops] A common problem with SLAAC in "renum… Tom Herbert
- Re: [v6ops] A common problem with SLAAC in "renum… JORDI PALET MARTINEZ
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- [v6ops] NAT debate (Re: A common problem with SLA… Fernando Gont
- Re: [v6ops] NAT debate (Re: A common problem with… Tom Herbert
- Re: [v6ops] NAT debate (Re: A common problem with… Kristian McColm
- Re: [v6ops] NAT debate (Re: A common problem with… Tom Herbert
- Re: [v6ops] NAT debate (Re: A common problem with… Kristian McColm
- Re: [v6ops] NAT debate (Re: A common problem with… Ca By
- Re: [v6ops] NAT debate (Re: A common problem with… Raymond Burkholder
- Re: [v6ops] NAT debate (Re: A common problem with… Kristian McColm
- [v6ops] Is addressing privacy via NAT really achi… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Christian Huitema
- Re: [v6ops] NAT debate (Re: A common problem with… Mark Smith
- [v6ops] 464XLAT -- Re: NAT debate (Re: A common p… Lencse Gábor
- Re: [v6ops] A common problem with SLAAC in "renum… Nick Hilliard
- Re: [v6ops] 464XLAT -- Re: NAT debate (Re: A comm… Ca By
- [v6ops] Stability and Resilience (was Re: A commo… Lee Howard
- Re: [v6ops] A common problem with SLAAC in "renum… Christian Huitema
- Re: [v6ops] Stability and Resilience (was Re: A c… Owen DeLong
- Re: [v6ops] Stability and Resilience (was Re: A c… Michael Richardson
- Re: [v6ops] Is addressing privacy via NAT really … Tom Herbert
- Re: [v6ops] Stability and Resilience (was Re: A c… Tim Chown
- Re: [v6ops] Stability and Resilience (was Re: A c… Timothy Winters
- Re: [v6ops] Stability and Resilience (was Re: A c… David Farmer
- Re: [v6ops] Is addressing privacy via NAT really … Ca By
- Re: [v6ops] Stability and Resilience (was Re: A c… Lee Howard
- Re: [v6ops] Stability and Resilience (was Re: A c… Lee Howard
- Re: [v6ops] Is addressing privacy via NAT really … Tom Herbert
- Re: [v6ops] Is addressing privacy via NAT really … Michael Richardson
- Re: [v6ops] Stability and Resilience (was Re: A c… David Farmer
- Re: [v6ops] Stability and Resilience (was Re: A c… Lee Howard
- Re: [v6ops] Stability and Resilience (was Re: A c… Owen DeLong
- Re: [v6ops] Is addressing privacy via NAT really … Ca By
- Re: [v6ops] Is addressing privacy via NAT really … Tom Herbert
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] Stability and Resilience (was Re: A c… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] Stability and Resilience (was Re: A c… Fernando Gont
- Re: [v6ops] Stability and Resilience (was Re: A c… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Ted Lemon
- Re: [v6ops] A common problem with SLAAC in "renum… Lee Howard
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Ted Lemon
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Lorenzo Colitti
- Re: [v6ops] A common problem with SLAAC in "renum… STARK, BARBARA H
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Tim Chown
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Tim Chown
- Re: [v6ops] A common problem with SLAAC in "renum… Ole Troan
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Mark Smith
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… Michael Richardson
- Re: [v6ops] A common problem with SLAAC in "renum… Mikael Abrahamsson
- Re: [v6ops] A common problem with SLAAC in "renum… Lorenzo Colitti
- Re: [v6ops] A common problem with SLAAC in "renum… Lorenzo Colitti
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] Is addressing privacy via NAT really … Behcet Sarikaya
- Re: [v6ops] A common problem with SLAAC in "renum… 神明達哉
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… 神明達哉
- Re: [v6ops] A common problem with SLAAC in "renum… Fernando Gont
- Re: [v6ops] A common problem with SLAAC in "renum… Owen DeLong
- Re: [v6ops] A common problem with SLAAC in "renum… Richard Patterson
- Re: [v6ops] A common problem with SLAAC in "renum… 神明達哉