Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Mark Smith <markzzzsmith@gmail.com> Fri, 08 July 2016 09:35 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A04C712B044; Fri, 8 Jul 2016 02:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.198
X-Spam-Level:
X-Spam-Status: No, score=-2.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30HmYpcawSNr; Fri, 8 Jul 2016 02:35:00 -0700 (PDT)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94ADB127071; Fri, 8 Jul 2016 02:35:00 -0700 (PDT)
Received: by mail-vk0-x230.google.com with SMTP id v6so51486131vkb.2; Fri, 08 Jul 2016 02:35:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=N/Ohmy+71NGWRZtERmpSvJByQham7bdYghFIElf6D00=; b=ZZjF2zjw/sXgdKfW4wOYliooz+CzFeHpHLX3F9gVoEGqfxzPU1T20mOICwtXTvmmVE +gnqZ2YEoExmJIw3veD1rcIqiEM2HhuHZFTF6CBNDiu5yFq8g1DgQ2R9I/MWefDhb65u gv3ImKDLbt5/npsPy2aahJTtfUEMd4EOJgeFI82wm1ogqRpVMcCqFJC73U0rNQLL1d4c NDosXrQRm6Kau4K7ASf3cPUbVp7AXizky6/2geMDEeMnYDV8Ow0Prls3E7mesbtiyamO LfYqpdBIM6sF4yjFTyWeZkfJja1HvIHtyD5Q1otso1jSlsysz3j9itD/rszZPpU0IfQX 9j4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=N/Ohmy+71NGWRZtERmpSvJByQham7bdYghFIElf6D00=; b=KuioLKJl/YSy0ycFfB2NVbJb4D9epEahpZFfWtdU8FhsX0cQ8wydTLkI4ZbdOT3Z8Z tkTo2eCnbd1WhL3gninhPOI50fEYtZwhJHMfzleazwVw1Gv1YSFrzafKxM54qcISij5Q NynZ0qAbkx9eaL+5Y8Ar6MwL0oytYX+Nfqhi/7wjxzL4NmuFvvis2QO1TMhcWUamePVy Yy55RIP9TSrmwxNGAN+5wpOddCexaffXGnBYBfqZ2Yu/qBmLi5HXYNjL9RvAvAvDUsFP 5a+q//xMo6HkjRbaZEaMQGplBTJd/3w2yFwYThdLJDwVT5bP8MQREd4FVTJdxUjZDKAj vyGg==
X-Gm-Message-State: ALyK8tKRDJXBywj1f/S10DsBf9N7UFwpg5rDFF649Q+skpULFCbUNJuVS9ibv98rmr2CpHBnYie6Ddv+7e0E9Q==
X-Received: by 10.31.248.73 with SMTP id w70mr18994vkh.30.1467970499585; Fri, 08 Jul 2016 02:34:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.233 with HTTP; Fri, 8 Jul 2016 02:34:30 -0700 (PDT)
In-Reply-To: <20160708091823.GT79185@Space.Net>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <D3A3D373.77252%evyncke@cisco.com> <CAAedzxpD4FXJLBgKg2tjGz5RNBp+iFe1M2M_upL1rYDXJA7SoA@mail.gmail.com> <CAO42Z2xh33jiuCJ=Ypi1HuXa_h86v6XqqRT7nnirqx6da4cOZg@mail.gmail.com> <20160708091823.GT79185@Space.Net>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 08 Jul 2016 19:34:30 +1000
Message-ID: <CAO42Z2ypdowSJ12DP8VNqrUWE+q-K25VxG_smV6fJsmMOaYDuA@mail.gmail.com>
To: Gert Doering <gert@space.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/t2oxNDDm0h84JKlSDpwVrUJnJfI>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "fgont@si6networks.com" <fgont@si6networks.com>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 09:35:03 -0000

On 8 July 2016 at 19:18, Gert Doering <gert@space.net> wrote:
> Hi,
>
> On Fri, Jul 08, 2016 at 06:51:21PM +1000, Mark Smith wrote:
>> Depending on an experimental RFC for your security sounds like a
>> really bad idea to me!
>
> But NATs are good!  I've seen it on youtube, so it must be true!
>

That must be why ISPs are deploying carrier grade ones!


Actually, I think people advocating ULA+NPT for security are probably
assuming NPT is the IPv6 equivalent of IPv4 (stateful) NAPT.

It isn't, it's just stateless prefix swapping at the NPT domain
boundary. So no hiding of internal hosts' IIDs, internal hosts are
going to be reachable with unsolicited packets from outside because it
is stateless, and I think it would be common to deploy it with a 1:1
external to internal /64 prefix mapping, so no internal topology
hiding in that case either.

ULA+NPT isn't going to be effective if your objective is to protect
hosts from unsolicited incoming connections and to hide the unique
parts of their IPv6 addresses.

Regards,
Mark.

> gert
>
> (And yes, it *is* Friday)
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                        Management board: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Supervisory board chair: A. Grundner-Culemann
> D-80807 Muenchen                   Commercial register: HRB 136055 (Munich local court)
> Tel: +49 (0)89/32356-444           VAT ID: DE813185279
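The stateless prefix swap described in the message above, worked through as an added example (this code is not from the thread, the draft under review, or any NPTv6 implementation): it applies the RFC 6296 checksum-neutral mapping to a ULA address and back, and then shows why the translator gives no hiding. Inbound translation is a pure function of the two configured prefixes, so an unsolicited packet to any external address maps straight onto an internal host with no table lookup, and the interface identifier passes through unchanged in the /48 case. It also goes beyond the /48 case the message mentions: with a 1:1 /64 mapping the checksum adjustment has nowhere to go but the IID, so one IID word is shifted by a constant that is the same for every host behind the prefix pair, which is still trivially invertible. The prefixes and host address are made-up documentation values, and the example refuses an adjusted word of 0xFFFF instead of implementing the RFC's handling of that case.

```python
"""NPTv6 (RFC 6296) prefix translation, written to show what a stateless
prefix translator does and does not change.  Example code added for this
page; not from the draft under review or any NPTv6 implementation.
Prefixes and addresses below are made-up documentation values."""
import ipaddress

# Assumed deployment: a ULA /48 inside, a global /48 outside, mapped 1:1.
INTERNAL = "fd01:2345:6789::/48"
EXTERNAL = "2001:db8:1::/48"


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_neg(a: int) -> int:
    """16-bit one's complement negation."""
    return (~a) & 0xFFFF


def oc_sum(words) -> int:
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def words_of(addr) -> list:
    """The eight 16-bit words of an IPv6 address, as integers."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def addr_of(words) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def npt_translate(addr, from_net, to_net) -> ipaddress.IPv6Address:
    """Map addr from from_net into to_net, keeping the one's complement sum
    of the address unchanged so transport checksums need no rewrite.
    No per-flow state: the result depends only on the two prefixes."""
    from_net = ipaddress.IPv6Network(from_net)
    to_net = ipaddress.IPv6Network(to_net)
    if from_net.prefixlen != to_net.prefixlen or from_net.prefixlen > 64:
        raise ValueError("NPTv6 needs equal-length prefixes of at most /64")
    a = ipaddress.IPv6Address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not inside {from_net}")
    old = words_of(a)
    # Step 1: swap the prefix bits, keep every host bit as it was.
    host_bits = int(a) & int(from_net.hostmask)
    new = words_of(ipaddress.IPv6Address(int(to_net.network_address) | host_bits))
    # Step 2: the prefix swap changed the address's one's complement sum;
    # compute the difference and add it back into one word of the host part.
    delta = oc_add(oc_sum(old), oc_neg(oc_sum(new)))
    if delta == 0xFFFF:          # 0xFFFF is "minus zero" in one's complement
        delta = 0
    if from_net.prefixlen <= 48:
        idx = 3                  # subnet word (bits 48..63) absorbs the delta
    else:
        # longer prefixes have no subnet word left: the delta lands in the
        # first IID word that is not 0xFFFF
        idx = next((i for i in range(4, 8) if new[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no IID word available for the checksum adjustment")
    adjusted = oc_add(new[idx], delta)
    if adjusted == 0xFFFF:
        # simplification for this example: refuse rather than handle 0xFFFF
        raise ValueError("adjusted word would be 0xFFFF")
    new[idx] = adjusted
    return addr_of(new)


def iid(addr) -> int:
    """The low 64 bits (interface identifier) of an address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def checksum_neutral(a, b) -> bool:
    """True when both addresses contribute the same value to a transport
    pseudo-header checksum (0xFFFF and 0x0000 are the same sum)."""
    return oc_sum(words_of(a)) % 0xFFFF == oc_sum(words_of(b)) % 0xFFFF


if __name__ == "__main__":
    inside = "fd01:2345:6789:1:211:22ff:fe33:4455"
    outside = npt_translate(inside, INTERNAL, EXTERNAL)
    print("outbound :", inside, "->", outside)
    # Inbound needs no state: any external address maps to exactly one host.
    print("inbound  :", outside, "->", npt_translate(outside, EXTERNAL, INTERNAL))
    print("IID kept :", iid(inside) == iid(outside))
    print("chksum ok:", checksum_neutral(inside, outside))
    # 1:1 /64 mapping: the delta has to go into the IID instead.
    print("/64 case :", npt_translate(inside, "fd01:2345:6789:1::/64", "2001:db8:1:1::/64"))
```

Run as a script it prints the outbound and inbound mappings for the sample host; the inbound call takes an external address the translator has never "seen" and still resolves it, which is the property the message is pointing at. The /64 line shows the IID's first word shifted by the same constant for every host in that /64, so anyone who learns one internal/external pair can recover the rest.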