IETF Logo Mail Archive

Re: [v6ops] [GROW] Deaggregation by large organizations

Owen DeLong <owen@delong.com> Fri, 17 October 2014 01:03 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ADD31A9088; Thu, 16 Oct 2014 18:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.4
X-Spam-Level:
X-Spam-Status: No, score=0.4 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_ADSP_ALL=0.8, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmNVWcFShSjj; Thu, 16 Oct 2014 18:03:25 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 031691A9087; Thu, 16 Oct 2014 18:03:24 -0700 (PDT)
Received: from [IPv6:2620::930:0:ca2a:14ff:fe3e:d024] ([IPv6:2620:0:930:0:ca2a:14ff:fe3e:d024]) (authenticated bits=0) by owen.delong.com (8.14.2/8.14.2) with ESMTP id s9H0wWS7024770 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 16 Oct 2014 17:58:32 -0700
X-DKIM: Sendmail DKIM Filter v2.8.3 owen.delong.com s9H0wWS7024770
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=delong.com; s=mail; t=1413507512; bh=vBazpTOI2PSOIggsLZB3e6KD/jQ=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Message-Id:References:To; b=W7lCgTrjKpBGEdASL6rCXJyxlGGajghHQITDYXprmQuXjVk+7QG39tx7xnvVEcUrn 7rFLX6y/2xEPChEGmpPrwm+XkNUDbLx28NJkRT7/YAHSu/yZ8b3njro35cqZnSZRag G3nKiwfSswBZyU/wtD74EIHpeyB0cSvSGj0H/yks=
Content-Type: multipart/alternative; boundary="Apple-Mail=_426DF50B-6FE6-4B57-8239-A846958E32F5"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20141016233533.1B73521A106C@rock.dv.isc.org>
Date: Thu, 16 Oct 2014 17:58:15 -0700
Message-Id: <142A1C5B-33C8-4A44-8DE0-11FC3D88D1D5@delong.com>
References: <F5C06CAF-0AD2-4225-8EE7-FC72CE9913F0@muada.com> <755DE4C3-CDDF-41AF-BA9C-E8EC5B4DFC4C@muada.com> <A7F6BEA0-BCDD-4197-B6CB-7EB8797ACA9C@delong.com> <20141016233533.1B73521A106C@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.1878.6)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0rc1 (owen.delong.com [IPv6:2620:0:930::200:2]); Thu, 16 Oct 2014 17:58:32 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/o7qSuIf1UHE4ep5R2zFpxDh7ins
Cc: v6ops@ietf.org, grow@ietf.org
Subject: Re: [v6ops] [GROW] Deaggregation by large organizations
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 01:03:30 -0000

On Oct 16, 2014, at 16:35 , Mark Andrews <marka@isc.org> wrote:

> 
> In message <A7F6BEA0-BCDD-4197-B6CB-7EB8797ACA9C@delong.com>, Owen DeLong writes:
>> 
>> On Oct 16, 2014, at 02:43 , Iljitsch van Beijnum <iljitsch@muada.com> wrote:
>> 
>>> Let me address a few points that were brought up by different people.
>>> 
>>> Renumbering:
>>> 
>>> We had great plans for making renumbering easy in the early days of IPv6. Remember A6 records and bit
>> labels in the DNS? But none of that went anywhere. The problem isn't so much that we can't push a prefi
>> x down the network or update the DNS (although both of these still have challenges associated with them
>> ), but that addresses tend to get hardcoded all over the place, starting with firewalls all the way up 
>> to homegrown applications. I don't think renumbering addresses this issue, although it could help steer
>> some smaller organizations away from PI.
>> 
>> They never went anywhere because they focused on solving the easy part of the renumbering problem while
>> utterly and completely ignoring the hard part.
>> 
>> Easy part: Changing your stuff.
>> Hard part: Updating all of the prefix lists, filters, firewall rules, VPN configurations, and other con
>> figuration elements in systems not under your control that contain your prefixes (partner VPNs, peer ro
>> uters, etc.).
> 
> Owen this a collective response to the list.
> 
> Not all that hard at all.  Just send signed update requests.  I did
> that with email over a decade ago.  You just have to have something
> listening for them that verifies the signature and updates the
> system.

No, you have to have all your {customers, suppliers, partners, etc.} implement
a compatible system of listeners that can configure their equipment on the basis
of those requests.

> Write a draft "Remote Firewall Update Request Protocol" and submit
> it.

I don't have time to engage in this, but I think such a thing would be a
more useful use of IETF time than what has been proposed in the earlier
discussions in this thread. I still question whether it would get widely
adopted, but having it documented would at least be a good first step.

> The alternative is stop worrying about the remote address and use
> security at the application layer.

Again, not a solution unless you can achieve ubiquitous deployment of
such a scenario.

> Or complain to your vendor that you can't use a hostname in the
> configuration file element.  In many cases it doesn't require
> anything more than looking up a address in the DNS before the
> operation.  Yes, I need to fix the masters clause in named to support
> this.  We already do something similar for NOTIFY messages so it
> is possible to do this.

It's not my vendor that's at issue here. I can configure whatever I bought
from my vendor. Convincing my {customers', suppliers', partners'} vendors
to listen to me is, well, unlikely. Convincing my {customers, suppliers, partners}
to make demands of their vendors on my behalf is slightly less likely.

> For masters clauses there is a bootstrap problem to deal with but
> it is not impossible.  Just sending periodic NOTIFY messages will
> work.  Named has had support to do this for 1 1/2 decades now to
> allow for a a stealth master behind a dial on demand link.  It would
> send a notify periodically.  That would bring up the line.  The
> slave would refresh and transfer if required.  When that was complete
> the idle timer on link would drop it.

Less concerned about that than the above issues. Do you really think that
partner A wants to allow partner B to send signed messages to modify his
firewall configuratoin? Who is liable for what happens to partner A if partner
B's private key gets compromised? The transitive trust involved in such a
scenario is not something I have found to be widely accepted by enterprise
security people.

> This just used standard signalling designed by the IETF in a different
> way.
> 
> Stop expecting someone else to *find* and fix these issues for you.
> You know what the issues are.  Ask your vendors to fix them.  If
> they need to co-ordinate they should know where to go to do it.

I don't expect them to get fixed. They've been widely known for years. They're not
easy problems to solve and there isn't money commensurate with their difficulty
available to solve them. Further, the human interface problems involved are probably
just as difficult if not more so than the technical hurdles, so even if the technology
were miraculously solved, it might not matter.

Owen

v2.23.0 | Report a Bug | By Email