IETF Logo Mail Archive

Re: [v6ops] Google Alert - IPv6

Dave O'Reilly <rfc@daveor.com> Sun, 29 October 2017 16:39 UTC

Return-Path: <rfc@daveor.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 757DD13F57F for <v6ops@ietfa.amsl.com>; Sun, 29 Oct 2017 09:39:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=daveor.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5n3UI6glnW2K for <v6ops@ietfa.amsl.com>; Sun, 29 Oct 2017 09:39:30 -0700 (PDT)
Received: from vps.ftrsolutions.com (vps.ftrsolutions.com [5.77.39.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F70813F588 for <v6ops@ietf.org>; Sun, 29 Oct 2017 09:39:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=daveor.com; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=pKZsJVVkFaUSyMXX7MpRIy1Bnz8ISvv9xv332a+Xu/4=; b=UaspDxEfqIXczhKMesx7vVoC4n NUgorypFqw0HZhPPOjYr/3aEv+c3XJna9mOBXRe0iz5dpuShKLPCQvEhwmtDgJhtsWL6ZnzV2dbNz NFxGQ5ZDrHob5YeTHxfPKvLQybmn/wmCdpRu+lYz326P+sLQeGBiaOnmm6SbD5IREp28=;
Received: from 86-44-56-31-dynamic.agg7.bsn.cld-dbn.eircom.net ([86.44.56.31]:55075 helo=[192.168.1.25]) by vps.ftrsolutions.com with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.89) (envelope-from <rfc@daveor.com>) id 1e8qcR-0002J2-Gt; Sun, 29 Oct 2017 16:39:27 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Dave O'Reilly <rfc@daveor.com>
In-Reply-To: <CAKC-DJgou-wPuT9Xy-8ddp_5avnUj8mqApVJ3GWChLXQsqkeBA@mail.gmail.com>
Date: Sun, 29 Oct 2017 16:39:26 +0000
Cc: Lee Howard <lee@asgard.org>, Warren Kumari <warren@kumari.net>, "v6ops@ietf.org" <v6ops@ietf.org>, Tore Anderson <tore@fud.no>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BD2D37CB-7112-4471-A424-9CBE2D97272C@daveor.com>
References: <f403045ef57ac52962055bd88b84@google.com> <20395E98-DA55-447F-BEFE-CB581A88BB78@gmail.com> <alpine.DEB.2.20.1710190655260.31961@uplift.swm.pp.se> <20171019083506.6627a166@echo.ms.redpill-linpro.com> <alpine.DEB.2.20.1710190856530.31961@uplift.swm.pp.se> <787AE7BB302AE849A7480A190F8B93300A056EB5@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAHw9_iLWAMexrfXwsdB8duGa5ueJMofqVRqNck6DeOzA=KChqA@mail.gmail.com> <C4E37677-A2FB-49F8-B362-C29B28DFD570@daveor.com> <D618D79F.8AA1A%lee@asgard.org> <CAKC-DJgou-wPuT9Xy-8ddp_5avnUj8mqApVJ3GWChLXQsqkeBA@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
X-Mailer: Apple Mail (2.3124)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.ftrsolutions.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - daveor.com
X-Get-Message-Sender-Via: vps.ftrsolutions.com: authenticated_id: dave@daveor.com
X-Authenticated-Sender: vps.ftrsolutions.com: dave@daveor.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/spFwmtVGy17X3NKgJGmFQ8y-aW0>
Subject: Re: [v6ops] Google Alert - IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Oct 2017 16:39:31 -0000

Hi Erik,

Thanks for the mail. Some comments inline below.

daveor

> On 27 Oct 2017, at 15:21, Erik Nygren <erik+ietf@nygren.org> wrote:
> 
> On Fri, Oct 27, 2017 at 4:51 AM, Lee Howard <lee@asgard.org> wrote:
> >
> >One possible solution frequently cited to the problem of CGNAT is
> >migration to IPv6.However, does migration to IPv6 ACTUALLY solve the
> >problem of crime attribution due to large-scale address sharing?
> 
> Only if content providers deploy IPv6, including logging.
> 
> I'll note that that one of the major limitations for content providers deploying IPv6 
> (perhaps the #1 limitation?) has been making sure all systems that handle IP addresses
> can handle IPv6 addresses well.  This includes for logging, storing in databases,
> client reputation, ip-geo, bot detection, fraud management, authentication cookies, 
> parsing to partially pseudonymize (eg, stripping off bottom N bits), and the like.
> Plumbing "port" through many of these systems (even just logging and storage)
> is a non-trivial effort in many places (perhaps larger in some places than supporting
> IPv6 as now there is a {timestamp,IP,port) tuple that must be transported and stored
> rather than just an IP.

I totally agree. Two comments:

1. I have seen in some organisations that security guidance involves disabling IPv6.
2. I address this issue to a certain extent in my document in the section on “breaking existing tooling” and also in the deployment maturity model under the category of “Manageable” which is intended to cover the fact that downstream tooling will need to be built or adapted to support source ports. Admittedly, I had envisioned the problem in terms of breaking log processing due to changing log format but I recognise from your email that there are additional downstream consequences. I recently presented on this issue and I recommended that additional work needs to be done to measure/assess the downstream consequences of logging source port.

> 
> It would be much better if we can get onto a path where IPv6 can be relied on
> enough of the time to avoid having to make a large push on source port logging.
> A worst case would be if content providers had internal budget/resources to chose between
> one of "log source port" and "enable IPv6 and support logging IPv6", especially since
> some might decide to pick just the former and then might say "I went through a big
> project to log IPv4 source port, why should I also go through the effort to support IPv6?"
> despite the other good reasons to do so...
> 
> Note that reading the report, it seems like there are two issues:  the ability to attribute,
> and the risk of misattribution.  IPv6 may not always help to attribute (especially if some
> requests still come over IPv4), but it can help reduce the risk of misattribution (at least
> for those requests coming over IPv6).  The report almost seemed more concerned about
> the former than the latter.  Regardless, there is still the inherent risk that IP addresses 
> can be spoofed or be multi-tenant even absent CGNAT and thus there is danger in soley
> relying on addresses in logs.
> 

Very well put (attribution vs. misattribution). 

Also agree that there is always a risk outside the scope of this discussion relating to misattribution/inability to attribute. I mentioned this point in a previous email response that I just wrote.

daveor

v2.23.0 | Report a Bug | By Email