Re: [v6ops] IPv6 LL-only as WG document - feedback requested

"Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com> Mon, 06 August 2012 10:18 UTC

From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Mon, 06 Aug 2012 10:18:31 +0000
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested

I am confused. Please correct my understanding if possible.

1) You are ok with the Behringer-LL draft being an informational draft? (not BCP)
2) Passive addresses are something that creates potential issues in your view?

For (2) I would say... It is just a normal address... no need at all to discard them on any other box than the receiving box, as those boxes just see the address as being a normal IPv6 address. Nothing special about it. It is just a normal address. The behaviour of passive addresses is to do with the way the recipient device deals with this address.

G/




-----Original Message-----
From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
Sent: 06 August 2012 11:40
To: Gunter Van de Velde (gvandeve)
Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested

Hi Gunter,

I have no problem with the passive address idea, but the immediate issue is that routers must not source ICMP packets that other routers must discard - hence no LL source addresses.

    Brian

On 06/08/2012 10:36, Gunter Van de Velde (gvandeve) wrote:
> Answer as individual contributor.
> 
> Fred B. and myself did a draft to exactly address the traceability of 
> interfaces without increasing the attack vector on interfaces: Passive 
> IPv6 addresses
> 
> No new class of addresses at all... no new IANA allocation... just behaviour of the address:
> 
> 1) it is configured as a normal address
> 2) just an extra keyword attached to the address identifying its 
> behavior
> 3) It can only be used as a 'source' address
> 4) if it is used as destination address, then when reaching the router 
> it will be directed to the Null0 interface
> 
> This will help visibility of the trace-route in cases of LL-only...
> 
> G/
> 
> 
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: 06 August 2012 11:25
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); 
> opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' 
> (draft-behringer-lla-only@tools.ietf.org)
> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
> 
> Hi,
> 
>>    o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>       request ... can be addressed to loopback addresses of routers with
>>       a global scope address.  Router management can also be done over
>>       out-of-band channels.
>>
>>    o  ICMP error message can also be sourced from the global scope
>>       loopback address.
> 
> These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.
> 
> This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.
> 
> I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.
> 
> Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.
> 
> Regards
>    Brian Carpenter
> 
> 
> 
> 
> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>> (distributed to OPSEC WG and in cc v6ops)
>>
>> Dear all,
>>
>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>>
>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>>
>> Ciao,
>> G/, KK & Warren
>>
>>
>>
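As an added illustration (not code from the draft or from either author), the following Python models the two rules discussed in this thread: Brian's rule that any packet not sent to a link-local destination, ICMP errors included, must carry a global-scope source so it can be forwarded, and the passive-address behaviour Gunter describes (usable only as a source; a packet addressed to it is dropped on the receiving router). The interface names, addresses and the `ROUTER` table are constructed examples.

```python
# Added example modelling the rules from the v6ops thread; the router
# configuration below is constructed and is not taken from the draft.
from ipaddress import IPv6Address

# Constructed router: one LL-only transit interface, one global-scope
# loopback, and one "passive" GUA that may only be used as a source.
ROUTER = {
    "Loopback0": {"addr": IPv6Address("2001:db8:0:1::1"), "passive": False},
    "Eth0":      {"addr": IPv6Address("fe80::1"),         "passive": False},
    "Passive0":  {"addr": IPv6Address("2001:db8:0:2::1"), "passive": True},
}


def is_global_scope(a: IPv6Address) -> bool:
    """Scope test that treats 2001:db8::/32 as global (ipaddress does not)."""
    return not (a.is_link_local or a.is_site_local or a.is_multicast
                or a.is_loopback or a.is_unspecified)


def select_icmp_source(dst: str, ingress_if: str) -> IPv6Address:
    """Source address for an ICMP error sent back towards dst.

    A link-local destination may be answered from the ingress interface's
    LL address; anything else must use a global-scope address, preferring
    the non-passive loopback as the router's stable, traceable identity.
    """
    if IPv6Address(dst).is_link_local:
        return ROUTER[ingress_if]["addr"]
    candidates = [i for i in ROUTER.values() if is_global_scope(i["addr"])]
    candidates.sort(key=lambda i: i["passive"])   # non-passive first
    if not candidates:
        raise ValueError("no global-scope source address available")
    return candidates[0]["addr"]


def forwarding_decision(src: str, dst: str) -> str:
    """What a router does with a packet: 'deliver', 'forward' or 'drop'."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for iface in ROUTER.values():
        if iface["addr"] == d:
            # Passive address used as a destination goes to Null0.
            return "drop" if iface["passive"] else "deliver"
    # Packets with a link-local source or destination must not be forwarded,
    # which is why an LL-sourced ICMP reply never reaches the tracerouting host.
    if s.is_link_local or d.is_link_local:
        return "drop"
    return "forward"
```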