Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
"Marksteiner, Stefan" <stefan.marksteiner@joanneum.at> Wed, 26 September 2012 15:01 UTC
Return-Path: <stefan.marksteiner@joanneum.at>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A08121F8694 for <v6ops@ietfa.amsl.com>; Wed, 26 Sep 2012 08:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.417
X-Spam-Level:
X-Spam-Status: No, score=-0.417 tagged_above=-999 required=5 tests=[AWL=0.413, BAYES_00=-2.599, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ETRG-2Nyvjcc for <v6ops@ietfa.amsl.com>; Wed, 26 Sep 2012 08:01:45 -0700 (PDT)
Received: from rzjgate1.joanneum.ac.at (rzjgate1.joanneum.ac.at [143.224.185.3]) by ietfa.amsl.com (Postfix) with ESMTP id 01D9A21F8629 for <v6ops@ietf.org>; Wed, 26 Sep 2012 08:01:44 -0700 (PDT)
Received: from RZJS077.jr1.local (rzjs077.joanneum.ac.at [143.224.71.18]) by rzjgate1.joanneum.ac.at (8.14.4/8.14.4) with ESMTP id q8QF1doQ026179; Wed, 26 Sep 2012 17:01:39 +0200
Received: from RZJC1EX.jr1.local ([169.254.2.9]) by RZJS077.jr1.local ([143.224.71.18]) with mapi; Wed, 26 Sep 2012 17:01:39 +0200
From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Wed, 26 Sep 2012 16:59:54 +0200
Thread-Topic: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
Thread-Index: Ac2b4JS8U98NjujjSQSLqE/k/k/BSwAFwGGJ
Message-ID: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D90F@RZJC1EX.jr1.local>
References: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D8FF@RZJC1EX.jr1.local>, <1348519034.47465.YahooMailNeo@web32503.mail.mud.yahoo.com> <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D902@RZJC1EX.jr1.local>, <5061B157.1090106@gmail.com> <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D90A@RZJC1EX.jr1.local> <1348602134.63605.YahooMailNeo@web32505.mail.mud.yahoo.com> <8A317FD8C00FEE448E52D4EE5B56BB3E0232A08499BB@RZJC1EX.jr1.local>, <5062F1D3.2030601@gmail.com>
In-Reply-To: <5062F1D3.2030601@gmail.com>
Accept-Language: de-DE, de-AT
Content-Language: de-AT
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE, de-AT
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: 'IPv6 Ops WG' <v6ops@ietf.org>
Subject: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 15:01:46 -0000
Hi, >And if you care about easy-to-guess addresses, use a pseudorandom method to assign the >IID part of the addresses. yes, that's exactly my point. >We do need to get away from that as much as possible (see 6renum WG for more). I strongly agree. Regards, Stefan ________________________________________ Von: Brian E Carpenter [brian.e.carpenter@gmail.com] Gesendet: Mittwoch, 26. September 2012 14:15 An: Marksteiner, Stefan Cc: 'Mark ZZZ Smith'; 'IPv6 Ops WG' Betreff: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157 On 26/09/2012 08:16, Marksteiner, Stefan wrote: > Hi, > > There's a variety of reasons to keep track of addresses from usage and statistics to forensic purposes in security incidents (also those which are perpetrated from inside sources to outside targets). > Privacy extensions would perhaps be too unpredictable to manage, but stateful DHCPv6 combined with a suitable IPAM-solution would probably do the trick. And if you care about easy-to-guess addresses, use a pseudorandom method to assign the IID part of the addresses. > Maybe I have been stuck in my mindset a little, as we use only static addresses in our productive IPv4 network. We do need to get away from that as much as possible (see 6renum WG for more). Brian > Thanks :) > > Cheers, > > Stefan > > > -----Ursprüngliche Nachricht----- > Von: Mark ZZZ Smith [mailto:markzzzsmith@yahoo.com.au] > Gesendet: Dienstag, 25. September 2012 21:42 > An: Marksteiner, Stefan; IPv6 Ops WG > Betreff: Re: AW: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157 > > > > > > ----- Original Message ----- >> From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at> >> To: IPv6 Ops WG <v6ops@ietf.org> >> Cc: Mark ZZZ Smith <markzzzsmith@yahoo.com.au> >> Sent: Wednesday, 26 September 2012 12:18 AM >> Subject: AW: [v6ops] Operational guidelines for a company/organization >> IPv6 address scheme supplemental to RFC5157 >> >> Hi Brian, >> >> SLAAC is *somewhat* predictable, especially when you already have one >> address as a starting point (then you've got a vendor ID plus a >> probable batch which narrows the scanning address room significantly). >> Of course I assume workstation machines not to be in public a DNS zone... >> > > So if you want unpredictable, you use privacy addresses. They're not hard to enable, and in some cases (recent Windows OSes, Fedora 17) they're enabled by default. > > If you've chosen to go down the stateful DHCPv6 path, I'd verify what sort of allocation scheme it uses or can be enabled - there may and perhaps will likely be a "random" option. > > What problem are you trying to solve by having technical staff being able to determine addresses? Is it to record addresses in use? Or address utilisation within the subnet? > > Regards, > Mark. > >> Regards, >> >> Stefan >> >> >> ________________________________________ >> Von: Brian E Carpenter [brian.e.carpenter@gmail.com] >> Gesendet: Dienstag, 25. September 2012 15:27 >> An: Marksteiner, Stefan >> Cc: Mark ZZZ Smith; IPv6 Ops WG >> Betreff: Re: [v6ops] Operational guidelines for a company/organization >> IPv6 address scheme supplemental to RFC5157 >> >> On 25/09/2012 10:42, Marksteiner, Stefan wrote: >>> Hi Mark, >>> >>> First of all I think I've forgotten to clarify that I'm talking >> about IIDs, sorry ;) >>> The aim of my thoughts would be to make it harder for externals to >>> scan for >> attackable addresses. One often cited (mostly by marketeers) benefit >> of IPv6 is the vast amount of addresses per subnet making it seemingly >> harder to scan, which would be nullified if companies used simple sequential addressing. >>> You're of course right that most (potential) attackers are insiders >>> - >> but they likely wouldn't have to scan anyway, instead the would >> probably already have knowledge of alive (and maybe even vulnerable) >> hosts. Thus, they aren't my focus in this matter, but instead are >> "black box"-scanners and Internet worms. >>> ULA/LLA are, as you've correctly stated, the best choice if you >> don't need Internet connection, but what about workstations for >> employees needing the Internet? >>> I'm suggesting to recommend companies to use a different scheme as >> ::1;::2 or ::BABE;::CAFE or even ::4593;4594 and so on which according >> to some studies (e.g. [1], pp.65-75, especially 68) most >> administrators unfortunately do. >>> What might be needed to change this would be a scheme which is >>> practicably >> administrable in the easiest possible way. >> >> It depends what you mean by "administrable" but SLAAC doesn't need a >> scheme and therefore doesn't need administration. For machines that >> are in public DNS it doesn't matter anyway, so any scheme will do. >> >> Brian >> >>> This would have, in my opinion, two benefits. Firstly it would >>> render >> standard scanning procedures for IPv6 like sequential scanning and >> scanning for "funny" addresses pretty much useless. Secondly, if the >> numbers are, seen from the outside, seemingly random, it wouldn't help >> a scanner or worm if he or it discovered a single address by chance >> (e.g. by a log entry) and took it as a starting point for further scanning. >>> I'm aware of the discussions about security by obscurity and that a >> good firewall is needed anyway to secure internal assets, but I would >> find it nice if the often cited "security argument" that IPv6 subnets >> are merely impossible to scan would be true (again) :) >>> >>> Cheers, >>> >>> Stefan >>> >>> >>> [1]http://www.mh-sec.de/downloads/mh-ipv6_vulnerabilities.pdf >>> ________________________________________ >>> Von: Mark ZZZ Smith [markzzzsmith@yahoo.com.au] >>> Gesendet: Montag, 24. September 2012 22:37 >>> An: Marksteiner, Stefan; IPv6 Ops WG >>> Betreff: Re: [v6ops] Operational guidelines for a >>> company/organization IPv6 >> address scheme supplemental to RFC5157 >>> Hi Stefan, >>> >>> ----- Original Message ----- >>> >>>> From: "Marksteiner, Stefan" >> <stefan.marksteiner@joanneum.at> >>>> To: IPv6 Ops WG <v6ops@ietf.org> >>>> Cc: >>>> Sent: Tuesday, 25 September 2012 4:03 AM >>>> Subject: [v6ops] Operational guidelines for a company/organization >>>> IPv6 >> address scheme supplemental to RFC5157 >>>> >>>> Hi Folks, >>>> >>>> RFC5157 presents hazards of sequentially numbering IPv6 networks >>>> and >> technical >>>> means (like CGAs and privacy extensions) to mitigate them. >> Unfortunately these >>>> mitigation methods may be deemed difficult to handle for >>>> administrators >> (SEND >>>> may be too complicated to implement, PEs bring difficulties to keep >> track of IP >>>> addresses). Therefore there may be demand for an addressing scheme >> (rather than >>>> a technical method) that makes IPv6 addresses easy to predict for >>>> tech >> staff but >>>> difficult to do so by outsiders, building a low-end supplement for >>>> the >> methods >>>> mentioned in RFC5157. >>> >>> I think it might be worth having a bit more of a think about who >>> might be >> inclined to attack you - for a typical non-Internet services >> organisation, I think it's more likely going to be >>> disgruntled ex-staff, and it'll be hard to make them forget >> "numbers" / addresses or prevent them copying the mapping application >> if they have an inkling they're going to get fired. >>> >>>> What I have in mind is an simple mental arithmetic operation, which >> generates an >>>> address out of a company fixed part plus a sequential number for host. >>>> Alternatively a Hash-Operation consisting again of a secret >> organisational plus >>>> a sequential host number. The first requires the scheme to be >>>> slightly >> different >>>> in every organisation in order to have a negative impact on IPv6 >> scanning from >>>> external sources, the second is more secure but requires an >>>> internal >> web site or >>>> smartphone app in order for field engineers to calculate an address >>>> out >> of the >>>> sequential information. >>>> >>> It sounds like here you're talking about a subnet numbering scheme. >>> The >> common prefix size for most organisations is going to be /56 or 256 >> /64 subnets, or /48 or 65K /64 subnets. Many providers seem to be >> leaning towards /56s unless their customers ask for a /48, which >> provides very little address space to effectively hide the in-use >> subnet numbers from a scanning based attack (and that's one of the >> reasons why I'd be giving customers /48s from the outset). One >> advantage though of IPv6 is that it is possible to phase in and phase >> out addressing using the address/prefix lifetimes mechanism, so it would be possible to change assigned in your network prefixes on e.g. a weekly basis. >>> If your fundamental goal is to make internal links unreachable from >>> the >> Internet, they can be not assigned a global prefix, and numbered from >> either the ULA address space (RFC4193) or left as link-locals only >> ("unnumbered"). You may be interested in the following, which >> discusses link-local only addressing - >>> "Using Only Link-Local Addressing Inside an IPv6 Network" >>> http://tools.ietf.org/html/draft-behringer-lla-only-01 >>> >>> >>> Regards, >>> >>> Mark. >>> >>>> My question is, in your opinion, would this be worthwhile to be >> formulated as an >>>> ID an be drafted or does this idea sound absurd? >>>> >>>> >>>> Cheers, >>>> >>>> Stefan >>>> _______________________________________________ >>>> v6ops mailing list >>>> v6ops@ietf.org >>>> https://www.ietf.org/mailman/listinfo/v6ops >>>> >>> _______________________________________________ >>> v6ops mailing list >>> v6ops@ietf.org >>> https://www.ietf.org/mailman/listinfo/v6ops >>> > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Operational guidelines for a company/orga… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Mark ZZZ Smith
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Brian E Carpenter
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Mark ZZZ Smith
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Brian E Carpenter
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Philipp Kern
- Re: [v6ops] Operational guidelines for a company/… John Mann
- Re: [v6ops] Operational guidelines for a company/… Fernando Gont
- Re: [v6ops] Operational guidelines for a company/… Fernando Gont