Re: [v6ops] [GROW] Deaggregation by large organizations
Owen DeLong <owen@delong.com> Fri, 17 October 2014 01:03 UTC
Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ADD31A9088; Thu, 16 Oct 2014 18:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.4
X-Spam-Level:
X-Spam-Status: No, score=0.4 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_ADSP_ALL=0.8, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmNVWcFShSjj; Thu, 16 Oct 2014 18:03:25 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 031691A9087; Thu, 16 Oct 2014 18:03:24 -0700 (PDT)
Received: from [IPv6:2620::930:0:ca2a:14ff:fe3e:d024] ([IPv6:2620:0:930:0:ca2a:14ff:fe3e:d024]) (authenticated bits=0) by owen.delong.com (8.14.2/8.14.2) with ESMTP id s9H0wWS7024770 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 16 Oct 2014 17:58:32 -0700
X-DKIM: Sendmail DKIM Filter v2.8.3 owen.delong.com s9H0wWS7024770
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=delong.com; s=mail; t=1413507512; bh=vBazpTOI2PSOIggsLZB3e6KD/jQ=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Message-Id:References:To; b=W7lCgTrjKpBGEdASL6rCXJyxlGGajghHQITDYXprmQuXjVk+7QG39tx7xnvVEcUrn 7rFLX6y/2xEPChEGmpPrwm+XkNUDbLx28NJkRT7/YAHSu/yZ8b3njro35cqZnSZRag G3nKiwfSswBZyU/wtD74EIHpeyB0cSvSGj0H/yks=
Content-Type: multipart/alternative; boundary="Apple-Mail=_426DF50B-6FE6-4B57-8239-A846958E32F5"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20141016233533.1B73521A106C@rock.dv.isc.org>
Date: Thu, 16 Oct 2014 17:58:15 -0700
Message-Id: <142A1C5B-33C8-4A44-8DE0-11FC3D88D1D5@delong.com>
References: <F5C06CAF-0AD2-4225-8EE7-FC72CE9913F0@muada.com> <755DE4C3-CDDF-41AF-BA9C-E8EC5B4DFC4C@muada.com> <A7F6BEA0-BCDD-4197-B6CB-7EB8797ACA9C@delong.com> <20141016233533.1B73521A106C@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.1878.6)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0rc1 (owen.delong.com [IPv6:2620:0:930::200:2]); Thu, 16 Oct 2014 17:58:32 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/o7qSuIf1UHE4ep5R2zFpxDh7ins
Cc: v6ops@ietf.org, grow@ietf.org
Subject: Re: [v6ops] [GROW] Deaggregation by large organizations
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 01:03:30 -0000
On Oct 16, 2014, at 16:35 , Mark Andrews <marka@isc.org> wrote: > > In message <A7F6BEA0-BCDD-4197-B6CB-7EB8797ACA9C@delong.com>, Owen DeLong writes: >> >> On Oct 16, 2014, at 02:43 , Iljitsch van Beijnum <iljitsch@muada.com> wrote: >> >>> Let me address a few points that were brought up by different people. >>> >>> Renumbering: >>> >>> We had great plans for making renumbering easy in the early days of IPv6. Remember A6 records and bit >> labels in the DNS? But none of that went anywhere. The problem isn't so much that we can't push a prefi >> x down the network or update the DNS (although both of these still have challenges associated with them >> ), but that addresses tend to get hardcoded all over the place, starting with firewalls all the way up >> to homegrown applications. I don't think renumbering addresses this issue, although it could help steer >> some smaller organizations away from PI. >> >> They never went anywhere because they focused on solving the easy part of the renumbering problem while >> utterly and completely ignoring the hard part. >> >> Easy part: Changing your stuff. >> Hard part: Updating all of the prefix lists, filters, firewall rules, VPN configurations, and other con >> figuration elements in systems not under your control that contain your prefixes (partner VPNs, peer ro >> uters, etc.). > > Owen this a collective response to the list. > > Not all that hard at all. Just send signed update requests. I did > that with email over a decade ago. You just have to have something > listening for them that verifies the signature and updates the > system. No, you have to have all your {customers, suppliers, partners, etc.} implement a compatible system of listeners that can configure their equipment on the basis of those requests. > Write a draft "Remote Firewall Update Request Protocol" and submit > it. I don't have time to engage in this, but I think such a thing would be a more useful use of IETF time than what has been proposed in the earlier discussions in this thread. I still question whether it would get widely adopted, but having it documented would at least be a good first step. > The alternative is stop worrying about the remote address and use > security at the application layer. Again, not a solution unless you can achieve ubiquitous deployment of such a scenario. > Or complain to your vendor that you can't use a hostname in the > configuration file element. In many cases it doesn't require > anything more than looking up a address in the DNS before the > operation. Yes, I need to fix the masters clause in named to support > this. We already do something similar for NOTIFY messages so it > is possible to do this. It's not my vendor that's at issue here. I can configure whatever I bought from my vendor. Convincing my {customers', suppliers', partners'} vendors to listen to me is, well, unlikely. Convincing my {customers, suppliers, partners} to make demands of their vendors on my behalf is slightly less likely. > For masters clauses there is a bootstrap problem to deal with but > it is not impossible. Just sending periodic NOTIFY messages will > work. Named has had support to do this for 1 1/2 decades now to > allow for a a stealth master behind a dial on demand link. It would > send a notify periodically. That would bring up the line. The > slave would refresh and transfer if required. When that was complete > the idle timer on link would drop it. Less concerned about that than the above issues. Do you really think that partner A wants to allow partner B to send signed messages to modify his firewall configuratoin? Who is liable for what happens to partner A if partner B's private key gets compromised? The transitive trust involved in such a scenario is not something I have found to be widely accepted by enterprise security people. > This just used standard signalling designed by the IETF in a different > way. > > Stop expecting someone else to *find* and fix these issues for you. > You know what the issues are. Ask your vendors to fix them. If > they need to co-ordinate they should know where to go to do it. I don't expect them to get fixed. They've been widely known for years. They're not easy problems to solve and there isn't money commensurate with their difficulty available to solve them. Further, the human interface problems involved are probably just as difficult if not more so than the technical hurdles, so even if the technology were miraculously solved, it might not matter. Owen
- [v6ops] Deaggregation by large organizations Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation by large organiz… Nick Hilliard
- Re: [v6ops] Deaggregation by large organizations Ted Lemon
- Re: [v6ops] [GROW] Deaggregation by large organiz… Brian E Carpenter
- Re: [v6ops] [GROW] Deaggregation by large organiz… Christopher Morrow
- Re: [v6ops] Deaggregation by large organizations Owen DeLong
- Re: [v6ops] [GROW] Deaggregation by large organiz… Mikael Abrahamsson
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation by large organiz… Alvaro Retana (aretana)
- Re: [v6ops] [GROW] Deaggregation by large organiz… Christopher Morrow
- Re: [v6ops] [GROW] Deaggregation by large organiz… Gert Doering
- Re: [v6ops] [GROW] Deaggregation by large organiz… Christopher Morrow
- Re: [v6ops] [GROW] Deaggregation by large organiz… Gert Doering
- Re: [v6ops] [GROW] Deaggregation by large organiz… Christopher Morrow
- Re: [v6ops] [GROW] Deaggregation by large organiz… joel jaeggli
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation by large organiz… Jeroen Massar
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Enno Rey
- Re: [v6ops] [GROW] Deaggregation by large organiz… Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation by large organiz… Jeroen Massar
- Re: [v6ops] [GROW] Deaggregation by large organiz… Enno Rey
- Re: [v6ops] [GROW] Deaggregation by large organiz… Owen DeLong
- Re: [v6ops] [GROW] Deaggregation by large organiz… Owen DeLong
- Re: [v6ops] [GROW] Deaggregation by large organiz… Gert Doering
- Re: [v6ops] [GROW] Deaggregation by large organiz… Jeroen Massar
- Re: [v6ops] [GROW] Deaggregation by large organiz… Christopher Morrow
- Re: [v6ops] [GROW] Deaggregation by large organiz… Russ White
- Re: [v6ops] [GROW] Deaggregation by large organiz… Alvaro Retana (aretana)
- Re: [v6ops] [GROW] Deaggregation by large organiz… Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation by large organiz… Enno Rey
- Re: [v6ops] [GROW] Deaggregation by large organiz… Jeroen Massar
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation by large organiz… Mark Andrews
- Re: [v6ops] [GROW] Deaggregation by large organiz… Matthew Petach
- Re: [v6ops] [GROW] Deaggregation by large organiz… Owen DeLong
- Re: [v6ops] [GROW] Deaggregation by large organiz… Mark Andrews
- Re: [v6ops] [GROW] Deaggregation by large organiz… Matthew Petach
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Marc Binderberger
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Randy Bush
- Re: [v6ops] [GROW] Deaggregation by large organiz… Gert Doering
- Re: [v6ops] [GROW] Deaggregation data Brian E Carpenter
- Re: [v6ops] [GROW] Deaggregation data Randy Bush
- Re: [v6ops] [GROW] Deaggregation data Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Robert Raszuk
- Re: [v6ops] [GROW] Deaggregation data Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation data Christopher Morrow
- Re: [v6ops] [GROW] Deaggregation data Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation data Randy Bush
- Re: [v6ops] [GROW] Deaggregation data Nick Hilliard
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Marc Binderberger
- Re: [v6ops] [GROW] Deaggregation data (was: Deagg… Pedro Andres Aranda Gutierrez
- Re: [v6ops] [GROW] Deaggregation by large organiz… Gert Doering
- [v6ops] renumbering [was Deaggregation by large o… Brian E Carpenter
- Re: [v6ops] [GROW] Deaggregation by large organiz… Ray Hunter
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum
- Re: [v6ops] [GROW] Deaggregation by large organiz… Ray Hunter
- Re: [v6ops] [GROW] Deaggregation by large organiz… Matthew Petach
- Re: [v6ops] [GROW] Deaggregation by large organiz… Iljitsch van Beijnum