Re: [v6ops] IPv6 LL-only as WG document - feedback requested
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 06 August 2012 10:52 UTC
On 06/08/2012 11:18, Gunter Van de Velde (gvandeve) wrote:
> I am confused. Please correct my understanding if possible.
>
> 1) You are ok with the Behringer-LL draft being an informational draft? (not BCP)

Yes. All I'm saying is that it should insist on a valid source address,
which means that a LL source address is not allowed for packets that leave
the local link. Section 2.5.6 of RFC 4291 makes this clear but people seem
to ignore it: "Link-Local addresses are for use on a single link."
Obviously, therefore, packets whose destination is not LL must not have
a LL source address.

> 2) Passive addresses is something that creates potential issues in your view?

I said I have no problem with that. It doesn't affect the above point.

    Brian

> For (2) I would say... It is just as a normal address... no need at all
> to discard them on any other box than the receiving box as those boxes
> just see the address as being a normal IPv6 address. Nothing special
> about it. It is just a normal address. The behaviour of passive addresses
> is to do with the way the recipient device deals with this address.
>
> G/
>
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: 06 August 2012 11:40
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
>
> Hi Gunter,
>
> I have no problem with the passive address idea, but the immediate issue
> is that routers must not source ICMP packets that other routers must
> discard - hence no LL source addresses.
>
>     Brian
>
> On 06/08/2012 10:36, Gunter Van de Velde (gvandeve) wrote:
>> Answer as individual contributor.
>>
>> Fred B. and myself did a draft to exactly address the traceability of
>> interfaces without increasing the attack vector on interfaces: Passive
>> IPv6 addresses
>>
>> No new class of addresses at all... no new IANA allocation... just
>> behaviour of the address:
>>
>> 1) it is configured as a normal address
>> 2) just an extra keyword attached to the address identifying its behavior
>> 3) It can only be used as a 'source' address
>> 4) if it is used as destination address, then when reaching the router
>>    it will be directed to the Null0 interface
>>
>> This will help visibility of the trace-route in cases of LL-only...
>>
>> G/
>>
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>> Sent: 06 August 2012 11:25
>> To: Gunter Van de Velde (gvandeve)
>> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
>> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
>>
>> Hi,
>>
>>> o Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>>   request ... can be addressed to loopback addresses of routers with
>>>   a global scope address. Router management can also be done over
>>>   out-of-band channels.
>>>
>>> o ICMP error message can also be sourced from the global scope
>>>   loopback address.
>>
>> These statements seem too weak. Using GUAs for ICMP in particular needs
>> to have a normative MUST somewhere (preferably in a BCP). In the context
>> of this Informational draft, the language needs to state a requirement
>> ("must" not "can") even if you don't use RFC 2119 terminology.
>>
>> This matters because packets with a LL source address MUST NOT be
>> forwarded, so a router that is misconfigured to send ICMP replies with
>> a LL source address breaks both ping and traceroute.
>>
>> I think the rule is that any packet that is *not* sent to a LL address
>> must have a GUA as the source address. That takes care of ICMP, and
>> everything else as well.
>>
>> Furthermore, that GUA needs to be associated with a prefix that belongs
>> to the organisation operating the router in question. Otherwise the
>> traceroute results can be very confusing. We discussed that on v6ops
>> back in March.
>>
>> Regards
>>    Brian Carpenter
>>
>> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>>> (distributed to OPSEC WG and in cc v6ops)
>>>
>>> Dear all,
>>>
>>> During the OPSEC WG meeting last Wednesday there was consensus to adopt
>>> the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as
>>> working group document with Informational status.
>>>
>>> Please read the draft, and if there is no violent objection on the
>>> list, the document will be requested to be submitted as WG document
>>> in 7 days.
>>>
>>> Ciao,
>>> G/, KK & Warren
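The scoping rule argued in this thread, as an added illustration that is not part of the mailing-list exchange: a source-address check after RFC 4291 section 2.5.6, using only the Python standard library. Function names and the 2001:db8::/32 sample addresses are constructed for the example; it also shows why a router that picks its interface (link-local) address as the source of an ICMP Time Exceeded reply toward a global probe sender never gets its hop seen.

```python
"""Source-address scoping checks for an LL-only router (RFC 4291 s2.5.6)."""
from ipaddress import IPv6Address, IPv6Network
from typing import Iterable, Optional

LINK_LOCAL = IPv6Network("fe80::/10")


def link_local_scope(addr: IPv6Address) -> bool:
    """True for unicast fe80::/10 and for multicast whose scope nibble is
    interface-local (1) or link-local (2); such packets stay on one link."""
    if addr in LINK_LOCAL:
        return True
    # exploded form is "ff02:0000:...", so index 3 is the scope nibble
    return addr.is_multicast and int(addr.exploded[3], 16) <= 2


def forwardable(src: str, dst: str) -> bool:
    """RFC 4291: routers must not forward packets with a link-local
    source or destination address to other links."""
    return not (link_local_scope(IPv6Address(src))
                or link_local_scope(IPv6Address(dst)))


def source_ok(src: str, dst: str) -> bool:
    """A LL source is valid only when the destination is itself LL scope;
    anything leaving the link needs a global-scope (GUA) source."""
    s, d = IPv6Address(src), IPv6Address(dst)
    if s.is_multicast or s.is_unspecified:
        return False
    return link_local_scope(d) or not link_local_scope(s)


def pick_icmp_source(dst: str, candidates: Iterable[str]) -> Optional[str]:
    """Choose the first router address usable as ICMP error source toward
    dst (e.g. a GUA loopback); None means the reply cannot be sent validly."""
    for cand in candidates:
        if source_ok(cand, dst):
            return cand
    return None


def reply_reaches_sender(reply_src: str, probe_src: str) -> bool:
    """Does a Time Exceeded reply with this source survive the return path?
    Off-link replies with a LL source are discarded by the next router."""
    if link_local_scope(IPv6Address(probe_src)):
        return True          # probe came from on-link; reply never leaves
    return forwardable(reply_src, probe_src)
```

A router whose only candidate is `fe80::1` gets `None` from `pick_icmp_source` for a global destination, which is exactly the traceroute hole the thread describes.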