Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt

Fred Baker <fredbaker.ietf@gmail.com> Mon, 09 October 2017 23:31 UTC

From: Fred Baker <fredbaker.ietf@gmail.com>
Message-Id: <BF10DEDD-5C78-45BB-9287-A912D0E62F77@gmail.com>
Date: Mon, 09 Oct 2017 16:30:50 -0700
In-Reply-To: <2349a9b3358541929da084da6232848d@XCH15-06-08.nw.nos.boeing.com>
Cc: "Mudric, Dusan (Dusan)" <dmudric@avaya.com>, Lorenzo Colitti <lorenzo@google.com>, "v6ops@ietf.org" <v6ops@ietf.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
To: Fred Templin <Fred.L.Templin@boeing.com>
References: <150531144008.30405.8720524557391780522@ietfa.amsl.com> <466db83261804d179fc991f43df5dcf9@XCH15-06-08.nw.nos.boeing.com> <CAKD1Yr00obLxByQEgQkXKnD=W+Kvd0XKtYAdF=Na-dLfo1MHQA@mail.gmail.com> <9142206A0C5BF24CB22755C8EC422E4585AD4EAA@AZ-US1EXMB03.global.avaya.com> <53DBD9FB-CCAE-41EB-9E3D-B04538559A2C@gmail.com> <2349a9b3358541929da084da6232848d@XCH15-06-08.nw.nos.boeing.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/s_aWqw45uufFwi-aDhJgUuKpjHM>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt


> On Oct 9, 2017, at 7:34 AM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> 
> Fred,
> 
>> -----Original Message-----
>> From: Fred Baker [mailto:fredbaker.ietf@gmail.com]
>> Sent: Monday, October 09, 2017 6:17 AM
>> To: Mudric, Dusan (Dusan) <dmudric@avaya.com>
>> Cc: Lorenzo Colitti <lorenzo@google.com>; Templin, Fred L <Fred.L.Templin@boeing.com>; v6ops@ietf.org; internet-drafts@ietf.org
>> Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
>> 
>> Unless someone wants to tell me I'm wrong, I don't think that consensus exists. What the document says is that when someone is
>> running a service such as described, traffic from the CPE router to which a prefix has been delegated should invariably travel through
> 
> 'draft-ietf-v6ops-unique-ipv6-prefix-per-host' is not about prefix delegation.

No, it's about a service (presumably operated by an ISP) in which prefixes are delegated to hosts. While the specification is clear that the ISP might *also* offer IPv4 service on the same network using the same equipment, what is specified is an IPv6, and potentially IPv6-only, service.

> 'draft-templin-v6ops-pdhost' is about prefix delegation.
> 
> Thanks - Fred
> 
>> the upstream router as opposed to directly to a router that might appear to be an immediate neighbor. It doesn't deprecate the use
>> of SLAAC/DHCPv6 or the use of neighbor-to-neighbor routing in LAN networks.
>> 
>>> On Oct 6, 2017, at 7:48 AM, Mudric, Dusan (Dusan) <dmudric@avaya.com> wrote:
>>> 
>>> Hi Fred,
>>> 
>>> Should it be mentioned that even though a ‘shared’ prefix with L=0 makes hosts send packets over the first hop router, the unique
>> prefix per host is the preferred mechanism in the environments where security is of a concern?
>>> 
>>> Thanks,
>>> Dusan.
>>> 
>>> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Lorenzo Colitti
>>> Sent: Wednesday, September 13, 2017 6:04 PM
>>> To: Templin, Fred L
>>> Cc: v6ops@ietf.org; internet-drafts@ietf.org
>>> Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
>>> 
>>> I would instead say the opposite, i.e., call attention to what is in fact one of the main benefits of this document. Suggested text:
>>> 
>>> The practices described in this document make it very simple for networks to implement robust isolation between clients at layer 2.
>> The network can simply ensure that devices cannot send packets to each other except through the first-hop router. This will
>> automatically provide robust protection against attacks between devices that rely on link-local ICMPv6 packets, such as DAD reply
>> spoofing, ND cache exhaustion, malicious redirects, and rogue RAs. This form of protection is much more scalable and robust than
>> alternative mechanisms such as DAD proxying, forced forwarding, or ND snooping.
>>> 
>>> 
>>> 
>>> On Wed, Sep 13, 2017 at 2:12 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
>>> Please add the following to Security Considerations:
>>> 
>>>  "While the practices described herein encourage L3 operations that would
>>>    forward all traffic through a provider managed First Hop Router, peer to peer
>>>    communications are still possible unless L2 mechanisms are also employed
>>>    in some fashion outside the scope of this document."
>>> 
>>> Thanks - Fred
>>> 
>>>> -----Original Message-----
>>>> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
>>>> Sent: Wednesday, September 13, 2017 7:04 AM
>>>> To: i-d-announce@ietf.org
>>>> Cc: v6ops@ietf.org
>>>> Subject: [v6ops] I-D Action: draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
>>>> 
>>>> 
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> This draft is a work item of the IPv6 Operations WG of the IETF.
>>>> 
>>>>        Title           : Unique IPv6 Prefix Per Host
>>>>        Authors         : John Jason Brzozowski
>>>>                          Gunter Van De Velde
>>>>      Filename        : draft-ietf-v6ops-unique-ipv6-prefix-per-host-08.txt
>>>>      Pages           : 9
>>>>      Date            : 2017-09-13
>>>> 
>>>> Abstract:
>>>>   This document outlines an approach utilising existing IPv6 protocols
>>>>   to allow hosts to be assigned a unique IPv6 prefix (instead of a
>>>>   unique IPv6 address from a shared IPv6 prefix).  Benefits of unique
>>>>   IPv6 prefix over a unique service provider IPv6 address include
>>>>   improved host isolation and enhanced subscriber management on shared
>>>>   network segments.
>>>> 
>>>> 
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-v6ops-unique-ipv6-prefix-per-host/
>>>> 
>>>> There are also htmlized versions available at:
>>>> https://tools.ietf.org/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
>>>> https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
>>>> 
>>>> A diff from the previous version is available at:
>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-v6ops-unique-ipv6-prefix-per-host-08
>>>> 
>>>> 
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>> 
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>> 
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>> 
>
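The thread turns on one host-side rule: a destination is treated as a direct neighbour only if it falls under a prefix advertised with the on-link (L) flag set, otherwise the packet goes to the default router. The example below is added here and is not code from the draft or from anyone in the thread. It builds a Router Advertisement carrying one Prefix Information Option, parses it back, and applies that rule to the three cases discussed: a shared /64 with L=1 (classic), the shared /64 with L=0 that Dusan mentions, and a /64 that belongs to one host only. The router address fe80::1, the prefixes and the packet bytes are all constructed for the example; the checksum is left zero because the packet is never sent. As Fred Templin's proposed Security Considerations text points out, this models only the layer-3 decision a well-behaved host makes, and says nothing about what layer 2 lets a misbehaving host do.

```python
# Added example (not from the draft or the thread): encode an ICMPv6 Router
# Advertisement with one Prefix Information Option, parse it back, and apply
# the RFC 4861 next-hop rule so the effect of the L (on-link) flag, and of a
# per-host /64, on where a packet goes is visible. Only the host's layer-3
# decision is modelled; nothing here enforces anything at layer 2.
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_PREFIX_INFORMATION = 3          # RFC 4861 section 4.6.2
PIO_FLAG_ON_LINK = 0x80             # L bit
PIO_FLAG_AUTONOMOUS = 0x40          # A bit (SLAAC)
DEFAULT_ROUTER = "fe80::1"          # assumed link-local address of the first-hop router


def build_ra(prefix, on_link, autonomous=True, valid=2592000, preferred=604800):
    """Return the ICMPv6 payload of an RA carrying a single PIO for `prefix`.

    The checksum is left 0: it covers the IPv6 pseudo-header and this packet
    is never put on the wire."""
    net = ipaddress.IPv6Network(prefix)
    flags = (PIO_FLAG_ON_LINK if on_link else 0) | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    # type, length (8-octet units), prefix length, flags, valid, preferred, reserved, prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, flags,
                      valid, preferred, 0) + net.network_address.packed
    return header + pio


def parse_ra(packet):
    """Return (router_lifetime, [(IPv6Network, on_link, autonomous), ...]).

    Unknown options are skipped by their length. A zero-length, truncated or
    malformed option is rejected rather than looped on or read past the end,
    which is the behaviour RFC 4861 asks of receivers."""
    if len(packet) < 16:
        raise ValueError("RA shorter than its fixed header")
    msg_type, code, _, _, _, router_lifetime, _, _ = struct.unpack("!BBHBBHII", packet[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    offset = 16
    while offset < len(packet):
        if len(packet) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[offset], packet[offset + 1]
        if opt_len == 0:
            raise ValueError("option with length 0")
        option = packet[offset:offset + opt_len * 8]
        if len(option) != opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len, flags = option[2], option[3]
            if prefix_len > 128:
                raise ValueError("prefix length over 128")
            address = ipaddress.IPv6Address(option[16:32])
            network = ipaddress.IPv6Network(f"{address}/{prefix_len}", strict=False)
            prefixes.append((network,
                             bool(flags & PIO_FLAG_ON_LINK),
                             bool(flags & PIO_FLAG_AUTONOMOUS)))
        offset += opt_len * 8
    return router_lifetime, prefixes


def next_hop(destination, prefixes, router=DEFAULT_ROUTER):
    """RFC 4861 section 5.2 next-hop determination, reduced to one rule: the
    destination is a direct neighbour only if it is link-local or covered by a
    prefix whose L flag was set; otherwise the packet goes to the default router."""
    dst = ipaddress.IPv6Address(destination)
    if dst.is_link_local:
        return str(dst)
    for network, on_link, _ in prefixes:
        if on_link and dst in network:
            return str(dst)
    return router


def scenarios():
    """The three RA shapes from the thread: {case: next hop a host picks for a peer}."""
    _, shared_on_link = parse_ra(build_ra("2001:db8:1::/64", on_link=True))
    _, shared_off_link = parse_ra(build_ra("2001:db8:1::/64", on_link=False))
    _, unique_per_host = parse_ra(build_ra("2001:db8:a::/64", on_link=True))
    return {
        "shared /64, L=1: peer reached directly via ND": next_hop("2001:db8:1::b", shared_on_link),
        "shared /64, L=0: peer reached via router": next_hop("2001:db8:1::b", shared_off_link),
        "own /64 only, peer in another /64: via router": next_hop("2001:db8:b::1", unique_per_host),
    }


if __name__ == "__main__":
    for case, hop in scenarios().items():
        print(f"{case:48s} -> {hop}")
```

The third case is the one the draft's isolation argument rests on: when each host only ever learns its own /64, every other subscriber's address is off-link even with L=1, so the host never tries Neighbor Discovery for it. The second case shows why Dusan's point is narrower than it looks: L=0 on a shared prefix produces the same forwarding decision, but only as long as the host honours the flag.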