Re: [v6ops] comments about draft-ietf-v6ops-enterprise-incremental-ipv6-01
KK <kk@google.com> Mon, 24 September 2012 00:17 UTC
Return-Path: <kkumar@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C80121F8523 for <v6ops@ietfa.amsl.com>; Sun, 23 Sep 2012 17:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.505
X-Spam-Level:
X-Spam-Status: No, score=-102.505 tagged_above=-999 required=5 tests=[AWL=-0.129, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WOxfxOzDg1dc for <v6ops@ietfa.amsl.com>; Sun, 23 Sep 2012 17:17:31 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id E4EB721F853B for <v6ops@ietf.org>; Sun, 23 Sep 2012 17:17:29 -0700 (PDT)
Received: by lbok13 with SMTP id k13so152078lbo.31 for <v6ops@ietf.org>; Sun, 23 Sep 2012 17:17:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-system-of-record; bh=BrDZNYz/33daX3ys14IsgyNDBzS8YphTcp4ABP4ydaQ=; b=ERgeoiqa+D282jwH0d2leFU7YDukE/ovQdqV5cS1FgTrvTeJLLoVuW+w8bnV9f0cr6 OD4V47BLZkJTyvxRug5AceNemkPvZjzP0XIzvhBjoI6w8r3FB7NiDidCV3N26TjYkaOw RIxfS5lRRqEXPigURPjvsdopf+GmpS0aWb2Y/ngYGQm+cbT056JQegtKQt8WgwF3BrbD QCYRfD1c0dqFQAjRjvOgI1QWCpHYrFjQ9bfhO/ngKZ9nFkdK2ZwW1u7s25mwEqtKbq+W aF8GZrap+3l0ahq3C/wZc4ZWjE53H1K6duGq8sGbV2GmDqTedIaxETJydH+2nJDZ/ewb pWQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=BrDZNYz/33daX3ys14IsgyNDBzS8YphTcp4ABP4ydaQ=; b=EF8i6JoJRqHPlbV+gCJSvEL1L3Juapm4qh2flUQestHiwFO4i1D4Yv2zoNiBorNTW/ NCAWNv8d0eXscaOocDZH8A/JprcOLVB7Tu+FZjSQsiMMsSUOYamaTS5gPG7DJLRm3ljq Vwhy4wj3iA/seaXLr75UR5ulA70wG1NJ/0eUuXm8JTeyVS5niOQp1N5z94eWn+uorsZm /o/P429ltc5qi7h+zHFs8wdtZYhEVZvIaCR5EGeXogoklnt16Eu14jUBM3mpTweLcSV7 9zai1qWU9s6VTkUm6nQs3bX/FknQ92tbrML3N0gqqKsQ9G3N8Msx+eQergLZ+mRke8hL ZWRA==
Received: by 10.112.29.104 with SMTP id j8mr3722766lbh.127.1348445848604; Sun, 23 Sep 2012 17:17:28 -0700 (PDT)
Received: by 10.112.29.104 with SMTP id j8mr3722757lbh.127.1348445848306; Sun, 23 Sep 2012 17:17:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.66.42 with HTTP; Sun, 23 Sep 2012 17:17:08 -0700 (PDT)
In-Reply-To: <5055A457.9070408@forthnetgroup.gr>
References: <201208091245.q79Cj1g08088@ftpeng-update.cisco.com> <5055A457.9070408@forthnetgroup.gr>
From: KK <kk@google.com>
Date: Sun, 23 Sep 2012 17:17:08 -0700
Message-ID: <CAKaj4uRj5W34ObARsFtsr641=2Kc8oDu=mavxjufNdJGRRtp_Q@mail.gmail.com>
To: Tassos Chatzithomaoglou <achatz@forthnetgroup.gr>
Content-Type: multipart/alternative; boundary="f46d04016a31c983d104ca6783ab"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQksflIauxk0iVvv+5m1vyC/EDJvYAhUT62OpSkAkov7PYNpODpE3UCUe/X7SqFezaenmZCae5I7kPUrgDGytk6bzExTKYpG81H01749l1DGznBu+Rf/bRlObQ8tLTEscqT7hhtZ8D/4TnjCxC/uXzZjmTOErMlvvH1aEZB+BhfsqerA5ikyxkgv1c0xk9xPAWXHmRLJ
Cc: v6ops <v6ops@ietf.org>, draft-ietf-v6ops-enterprise-incremental-ipv6@tools.ietf.org
Subject: Re: [v6ops] comments about draft-ietf-v6ops-enterprise-incremental-ipv6-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 00:17:32 -0000
Tassos, Thank you very much for your detailed feedback and apologies for the delayed response. There are many good points that you raise here. We will go through these individually and come back to you with further clarifications as we incorporate your suggested changes in the next rev. Regards, KK On Sun, Sep 16, 2012 at 3:05 AM, Tassos Chatzithomaoglou < achatz@forthnetgroup.gr> wrote: > > Generally i like the phased approach of this draft. > We have done similar phases in our own corporate network, although not all > sub-phases apply to us. > > Here are my general comments... > > 3.6 should be moved in the beginning. Project (not program) planning > should be the first thing to do. > > Security parts got me a little bit confused. There are things are are > repeated many times, although applicable at all of them. > Maybe put them under a general security section and just add differences > per phase. > Also it would be better if the security section was in the same position > at every phase (i.e. last or first). > > I didn't see any reference (or better warning) on operational costs vs > needs. Introduction includes 1-2 sentences, but i don't find them always > applicable. > This may be an easy job for some networks, but in same cases it will take > time and effort...without having a good reason. > I understand that this might push back the willing of an enterprise to > move to IPv6, but every case should be examined under a general umbrella. > An administrator might be considering IPv6 on his own, but this doesn't > necessarily apply to the whole enterprise. > > I got the impressions throughout the text that translation is preferred vs > tunneling, something i agree with in most cases, and especially in isp > environments. > But there are many enterprises, where the tunneling approach might be a > better/easier/cheaper solution. > > Lastly, until IPv6 is fully implemented into the enterprise, a > recommendation should be made about the expansion/maintenance of IPv4 > network/systems in such a way that the IPv6 deployment is taken into > account. > > > And some specific comments.... > > > The most common drivers are due > to the fact that when Internet service providers, including mobile > wireless carriers, run out of IPv4 addresses, they will provide > native IPv6 and non-native IPv4. > > I don't think most enterprises will fall under this type (non-native > IPv4) of connectivity. > ISPs are mostly facing issues with residential services in terms of > address availability. > > > The non-native IPv4 service may be > NAT64, NAT444, Dual-stack Lite, or other transition technology, but > whether tunneled or translated, the native traffic will be perform > better and more reliably than non-native. > > This assumption poses questions whether all those translation/tunneling > solutions by IETF are worth considering. > Maybe add a probability factor there. > > > A specific case of congruence is the IPv6 ULA [RFC4193 <http://tools.ietf.org/html/rfc4193>] and IPv4 > private addressing [RFC1918 <http://tools.ietf.org/html/rfc1918>] that do not provide any security by > 'magic'. In both case, the edge router must apply strict data plane > and routing policy to block those private addresses to leave and > enter the network. This filtering can be done by the enterprise or > by the ISP. > > IPv6 addresses can be spoofed as easily as IPv4 addresses and there > are packets with bogons IPv6 addresses (see [CYMRU <http://tools.ietf.org/html/draft-ietf-v6ops-enterprise-incremental-ipv6-01#ref-CYMRU>]). The anti-bogon > filtering must be done in the data and routing planes. It can be > done by the enterprise or by the ISP. > > > case = > cases > edge router => border routers > > Might want to rephrase "data" as "forwarding" or "routing" as "control" in > order to use common wording. > > Some recommendations are expressed like "can be done by the enterprise or > by the ISP". I think it should be noted that the enterprise should always > try to do these, regardless of the ISP. Ok, it might not be always easy for > the enterprise to do these (due to expertise, costs, etc), but i don't > think the enterprise should solely depend on the ISP doing these. > > An alternative is to try to prevent the use > of privacy extension addresses is to send the Router Advertisement > with the M-bit set (to force the use of DHCPv6 to get an address) and > with all advertized prefixes without the A-bit set (to prevent the > use of stateless auto-configuration); this technique requires that > all hosts support stateful DHCPv6. > > I think it's better to remove the M-bit reference and just refer DHCPv6. > If i remember right, there was a talk about the M/O bits being > controversial lately > > Another DoS > vulnerabilities are related to NDP cache exhaustion > ([I-D.gashinsky-v6ops-v6nd-problems <http://tools.ietf.org/html/draft-ietf-v6ops-enterprise-incremental-ipv6-01#ref-I-D.gashinsky-v6ops-v6nd-problems>]) and they can be mitigated by > careful tuning of the NDP cache. In 2012, there are already several > vendors offering those features on their switches. > > RFC 6583 proposes various options for mitigation of NDP issues; i think a > general reference should be made instead. > > > The enterprise administrator will want to evaluate whether the > enterprise will request address space from its ISP (or Local Internet > Registry (LIR)), or whether to request address space from the local > Internet Registry (whether a Regional Internet Registry such as > AfriNIC, APNIC, ARIN, LACNIC, or RIPE-NCC, or a National Internet > Registry, operated in some countries). > > > Probably it should be rewritten as > > The enterprise administrator will want to evaluate whether the > enterprise will request address space from a LIR (Local Internet > Registry, such as an ISP), a RIR (Regional Internet Registry, such as > AfriNIC, APNIC, ARIN, LACNIC, or RIPE-NCC) or a NIR (National Internet Registry, operated in some countries). > > > > Each location, no matter how small, should get at least a /48. > > Does this apply to every enterprise? > Maybe add a reference to RFC6177 & RFC 5375? > > > All user access networks MUST be a /64. Point-to-point links without > MAC addresses (this is where Neighbor Discovery Protocol does not > run) SHOULD be a /127 (see also [RFC6164 <http://tools.ietf.org/html/rfc6164>]). > > > Why a reference on mac-addresses? Can't ethernet p2p links use /127? > > > > Also, for any part of the network where > DNS (or reverse DNS) zones may be delegated, it is important to > delegate addresses on nibble boundaries (this is on a multiple of 4 > bits), to ensure propose name delegation. > > > propose => proposed? > Maybe want to explain this a little bit more? > > ** Add some comment about setting MTU to 1280 to avoid tunnel pMTUd > black holes? ** > > > Personally, i don't like the idea of setting the MTU to the minimum. It's > better to describe the issues and the importance of ICMP/pMTUd and leave > the MTU minimization as a last resort. > > The security policies must be congruent for IPv4 > and IPv6 (else the attacker will use the less protected protocol > stack) except that ICMPv6 messages must be allowed through and to the > filtering device (see [RFC4890 <http://tools.ietf.org/html/rfc4890>]): > > > except that ICMPv6 messages => except that some ICMPv6 messages > > The peering router must also implement anti-spoofing technique based > on [RFC2827 <http://tools.ietf.org/html/rfc2827>]. > > > What's a peering router in the enterprise? There is only a single > reference of it. Are you referring to border routers? > > > This includes the use of IP flow export > [RFC5102 <http://tools.ietf.org/html/rfc5102>] to detect abnormal traffic pattern (such as port scanning, > SYN-flooding) > > > IP flow export => IP Flow Information eXport (IPFIX) > > > > While > technology and process transformations are taking place is it > critical that people training takes place as well. > > > is it critical => it is critical > > malevolent person has now two attack vectors: IPv4 and IPv6. This > simply means that all routers and hosts operating in a dual-stack > environment with both protocol families enabled (even if by default) > must have a congruent security policy for both protocol version. > > > version => versions > > > There may be a registration > fee for requesting provider-independent (PI) space from and NIR/RIR, > > and => a > > In the case of PI, the organization will need to support BGP based > connectivity for the most part since the address space is assigned > direction from the Regional Registry to the local network. > > direction => directly > > Native IPv6 > connectivity is preferred since it provides the most rebuts form of > connectivity. > > > rebuts => robust ? > > > -- > Tassos > > > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops > >