IETF Logo Mail Archive

Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 21 December 2022 20:47 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32DEDC1516F0 for <v6ops@ietfa.amsl.com>; Wed, 21 Dec 2022 12:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lF-RL4_jdxrD for <v6ops@ietfa.amsl.com>; Wed, 21 Dec 2022 12:47:15 -0800 (PST)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 766ACC14F72A for <v6ops@ietf.org>; Wed, 21 Dec 2022 12:47:15 -0800 (PST)
Received: by mail-pj1-x102e.google.com with SMTP id v13-20020a17090a6b0d00b00219c3be9830so3265199pjj.4 for <v6ops@ietf.org>; Wed, 21 Dec 2022 12:47:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=huNHc6j4lRP6554+9QKw38BC7OoJxrk5+SIa3nqm+m0=; b=XToM/t65BJL56VR1URFOexI9hkDThBuW5DyvYWjiUUJ+GoUUMdorNAguqh+wJ7LzWK sYFKjVtaUIK/jv/5GQqv3cnmMOzLty9gHKvJv2+RU6uhOhH02lMh5L7Iw2XoTVsJYWoH 1JOZNLFwf6ZtksVDfNVcbTdPMSlz1bEhx4qjAB1kQWdGlsLGXJU+xGHCzWPlLjuwZ3Wa bdlIqUHL5ZfymGQU4f4HAXkwkpQdnNtufn6ttc5UfH6/Hze5ydEnM2Cmkx47c6wBWwkC Onx4vqQItpUEgHFfiFRIPNTIPX5yujCHpKQXuTULNhF+1+h6L8njntRrwRkUvq0CcVWg NUcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=huNHc6j4lRP6554+9QKw38BC7OoJxrk5+SIa3nqm+m0=; b=UJLbZz/bvVDqUe8nYFfv2U1xSyr9MoBzy4FoxMWdkSyzAHE1qD9VRPjL43bD70Okae oFaHlwYBmgkXwDirL5SpvSFsVPBNKDpPQe5zHc1o+hy1/dnENOyn9xoD/qycATf7Q8xP d0PqJ4v2f4S9+hP7CNfS9B8XyzVTB8Gf2POWQ0OY8Vc3nc0o4FniKj1IYqx47RTlg5qr OKweuvPymi1Kgxe9Wgc9YcqKFiIG9/AEX4/uCFTfpm2xI3QOnYsLMf25d9YcCn/87yPe zCo2OITFBQC/wTtW6ZzHybgRDwOC+M/PDNBRM31g/7qGiBN6WYDS0nYog6kShQEoVKXS bWlg==
X-Gm-Message-State: AFqh2kr8cDyGA2ePTUndp9i1jZdgXXMOxnEtOrLMO+5fUXrXPO5Tnn+0 UmzVjawneNN0nTWoNbAjuUopUSEaeWxdFw==
X-Google-Smtp-Source: AMrXdXu/irkcBhEp6VQoy7fgyCiIj+anVw2ZF332DM/2T4t+xX6N0HlI10YD/U9G6uKhLcZCD1yJuQ==
X-Received: by 2002:a17:902:ce08:b0:189:81dd:6b8b with SMTP id k8-20020a170902ce0800b0018981dd6b8bmr4020828plg.63.1671655634889; Wed, 21 Dec 2022 12:47:14 -0800 (PST)
Received: from ?IPV6:2406:e003:10c2:2501:6969:5efe:7979:3937? ([2406:e003:10c2:2501:6969:5efe:7979:3937]) by smtp.gmail.com with ESMTPSA id l18-20020a170903245200b00177e5d83d3esm11930650pls.88.2022.12.21.12.47.13 for <v6ops@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 21 Dec 2022 12:47:14 -0800 (PST)
Message-ID: <10accf2c-89ca-7a09-bad4-25f9966564b2@gmail.com>
Date: Thu, 22 Dec 2022 09:47:09 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: v6ops@ietf.org
References: <167107554671.48477.568330207202509840@ietfa.amsl.com> <CAFU7BATp=gEB3S8AzhCYDMN3fzLQrYY9pzcWJ=LQnrjC9bRKEA@mail.gmail.com> <Y5sy2ikgQEWSnCsM@Space.Net> <CAKD1Yr0EchmQ11eKCB4AfEJaG7_aFDDv_bavYJY4Zb3iDmhALg@mail.gmail.com> <4277d4e5a962400f8438e8f01c884654@huawei.com> <CAO42Z2y_SWybfLQE3g5a-kVieY05XSxaKTv-UG8kvfbYzJLH6w@mail.gmail.com> <517779B7-2C83-4456-93C0-654ED8AAD6A6@cisco.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <517779B7-2C83-4456-93C0-654ED8AAD6A6@cisco.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/uhqp6DwPC8L8E5tyLsZMcgYmpGI>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2022 20:47:19 -0000

Thinking about it, what counts for privacy is the unpredictable part of the whole address, not the unpredictable part of the IID as such. If an attacker sees

2001:db8:4006:80b:a1b3:6d7a:3f65:dd13

it really doesn't matter whether a1b3:6d7a is part of a randomly assigned prefix or of a randomly assigned IID. It's equally unguessable.

Admittedly, if an attacker sees numerous addresses that match 2001:db8:4006:80b:a1b3:6d7a::/96 they might deduce something, but that is the case for a /64 prefix anyway.

So what matters is using a pseudo-random value for everything possible, whether it's a subnet ID or an interface ID.

Regards
    Brian

On 21-Dec-22 21:48, Pascal Thubert (pthubert) wrote:
> Hello Mark
>>
>> Why do you think a /96 is a good prefix length?
>>
> 
> Depends what you use it for. For allocating as many addresses as you like 32 is enough. For embedding IPv4 that is enough. For encoding semantic addresses 64 is not enough. There’s no absolute value across all use cases.
> 
> 
>> Have you considered the privacy address implications of only having 32 bits to work with instead of 64?
> 
>   Illusion ! As soon as it is known that a /48 delegates /64s, privacy is all gone: you may rotate all you want, all addresses in the 64 are the same host.
> How long can that remain a secret?
> 
>   Arguably variable size is a big better but that’s a thin layer of obfuscation.
> 
> If you want to hide your tree in the forest you must allocate a few longer prefixes.
> 
>>
>> What about address discovery via unsolicited address probing? Sending 4 billion packets is much, much easier than sending 4 billion times 4 billion packets to try to discover live addresses within a /64.
>>
> 
> But then the attacker would need to know which /32 to probe in. So no not such a big deal.
> 
> The real issue is that the router will not shield the host any more. Since the router has only a prefix route all the ddos goes straight to the host. Be prepared !
> 
> The only protection against those attacks is the address registration.
> 
> Regard,
> 
> Pascal
> 
> 
>> Are you worried about IPv6 address space running out?
>>
>> The early designs of IPv6 only had 64 bit addresses. RFC1710:
>>
>> "SIPP supports addresses which are twice the number of bits as IPv4
>>    addresses.  These addresses support an address space which is four
>>    billion (2^^32) times the size of IPv4 addresses (2^^32).  Another
>>    way to say this is that SIPP supports four billion internets each the
>>    size of the maximum IPv4 internet.  That is enough to allow each
>>    person on the planet to have their own internet.  Even with several
>>    layers of hierarchy (with assignment utilization similar to IPv4)
>>    this would allow for each person on the planet to have their own
>>    internet each holding several thousand hosts."
>>
>> IPv6 today with 128 bit addresses is equivalent to the first designs of IPv6 with 64 bit addresses, except that a host can have 2^64 bits for itself, instead of only a single address.
>>
>> Regards,
>> Mark.
>>
>>
>>     ____
>>
>>     Ed/____
>>
>>     __ __
>>
>>     *From:*v6ops [mailto:v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org>] *On Behalf Of *Lorenzo Colitti
>>     *Sent:* Tuesday, December 20, 2022 10:00 AM
>>     *To:* Gert Doering <gert@space.net <mailto:gert@space.net>>
>>     *Cc:* V6 Ops List <v6ops@ietf.org <mailto:v6ops@ietf.org>>; xiaom@google.com <mailto:xiaom@google.com>; draft-collink-v6ops-ent64pd@ietf.org <mailto:draft-collink-v6ops-ent64pd@ietf.org>
>>     *Subject:* Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt____
>>
>>     __ __
>>
>>     On Thu, Dec 15, 2022 at 11:44 PM Gert Doering <gert@space.net <mailto:gert@space.net>> wrote:____
>>
>>         Something like a /96 per host - so "limitless amounts of host would
>>         fit into a single /64" would avoid that, and still fulfill the
>>         stated necessity of having many many many addresses per hosts.____
>>
>>     __ __
>>
>>     The reason the draft mentions /64 is:____
>>
>>       * A /64 provides "infinite" addresses.____
>>       * In practice, /64 is the only prefix length that supports SLAAC.____
>>       * SLAAC is the only address assignment mechanism required to be supported by all hosts.____
>>
>>     That means that a node that gets a /64 is guaranteed to be able to extend the network indefinitely to all IPv6 nodes while maintaining end-to-end connectivity to all of them. That's a major improvement over IPv4's current capabilities. It's true that a /64 is relatively expensive in terms of address space. That said, this proposal is targeted towards larger networks. Fortunately, smaller networks tend to be less tightly managed, and for many of those networks, directly using SLAAC is fine.____
>>
>>     __ __
>>
>>     That said - based on past experience I fear that there is no single number that will get consensus in this group. For example, I definitely wouldn't want to *recommend* /96, because /96 would lose the above advantages. So, how about we just state the facts? Something like:____
>>
>>     __ __
>>
>>     =====____
>>
>>     Delegating a /64 prefix to the client allows the client to provide limitless addresses to IPv6 nodes connected to it (e.g., virtual machines, tethered devices), because all IPv6 nodes are required to support SLAAC.____
>>
>>     =====____
>>
>>     _______________________________________________
>>     v6ops mailing list
>>     v6ops@ietf.org <mailto:v6ops@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email