Re: [v6ops] I-D Action: draft-colitti-v6ops-host-addr-availability-01.txt

Mark Smith <markzzzsmith@gmail.com> Wed, 29 July 2015 01:44 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B968A1B34B7 for <v6ops@ietfa.amsl.com>; Tue, 28 Jul 2015 18:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4gEN0jz3Ht1k for <v6ops@ietfa.amsl.com>; Tue, 28 Jul 2015 18:44:38 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70A751B3364 for <v6ops@ietf.org>; Tue, 28 Jul 2015 18:44:38 -0700 (PDT)
Received: by ioii16 with SMTP id i16so6479451ioi.0 for <v6ops@ietf.org>; Tue, 28 Jul 2015 18:44:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=021Up6XNaItYgo7dRg/r1n/YT12F1krY9707KGbnxMo=; b=gIYLmjLu5AFQ1BZMuCmihm+MLAYJH0pyjAq4E2JxpBJLkR2bpIkuJWghKn+7DVxUrC Npm1MF+U3+FVo78QpXARv4XzlDVEKf0R+2JVYznkrCHbFpuecCQmbK6eOp1kIe2hPxPt CEd0HSo6sz9xlQw1JA6e15N+5DHDUZQzZJKVVeS3JQ6BLAmFLsCnBP+qDzdfzIfDywty 0vnJF0SbSSQrGHSkYxwdajMAQ/rkLi7Dsr28oTdAAzmqNKMtHJyuq13nmLbUmRurKHzs RqC6UY1lVnzdDYgfMbyDtVvpn5x8V+J98eZF0lPrv24amFyUX/n5wi0H/p/QT9mImM0v 2dkQ==
X-Received: by 10.107.18.28 with SMTP id a28mr64241368ioj.106.1438134277857; Tue, 28 Jul 2015 18:44:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.169.143 with HTTP; Tue, 28 Jul 2015 18:44:08 -0700 (PDT)
In-Reply-To: <BE811683-3BBA-40F0-B047-282DA7E774AA@nominum.com>
References: <20150723130715.12113.47480.idtracker@ietfa.amsl.com> <55B1ED14.6030501@gmail.com> <m1ZIZ4w-0000CbC@stereo.hq.phicoh.net> <CAKD1Yr2z6T86gmQMPZwbgFB4mdt7=xWNuei5jaQg=vpG7-zLVg@mail.gmail.com> <m1ZJdjZ-0000CcC@stereo.hq.phicoh.net> <20150727091241.GL84167@Space.Net> <m1ZJfOr-0000CgC@stereo.hq.phicoh.net> <C9C3FBC4-44F3-45D2-B8C4-3725396E5D40@nominum.com> <CAPi140Mx96dBgeaCkrsDD+-J85OZDo5Di+gHTBiaGDzYK2us4w@mail.gmail.com> <20150728115944.GZ84167@Space.Net> <CAPi140PKh64L=nr96pv3dn7FO_Y9pW162YzBT8kZHSMsedGYtQ@mail.gmail.com> <BE811683-3BBA-40F0-B047-282DA7E774AA@nominum.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 29 Jul 2015 11:44:08 +1000
Message-ID: <CAO42Z2w1apjSJTHhBGZqFN99+2Y1yDHUzH75B6WtY_oe2svizw@mail.gmail.com>
To: Ted Lemon <ted.lemon@nominum.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/xIaVnpcFGY-xiSwQTe6L_PrT1uY>
Cc: IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-colitti-v6ops-host-addr-availability-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 01:44:39 -0000

Hi Ted,

On 29 July 2015 at 00:27, Ted Lemon <ted.lemon@nominum.com> wrote:
> Having read the document, it seems a bit pie in the sky.   The idea that subdividing a prefix will give users privacy is nonsensical: if it is well known that ISP X provides a /48 to every home, then people will assume that all hosts in any given /48 in that ISP’s allocation will belong to the same person or same household.
>
> Given that, then if there is some performance reason for clustering multiple address assignments to the same host, the way to do it is to delegate a /120 to that host, and have a route to that /120 that points to that host.   If the host needs more than 256 addresses, delegate something bigger, or delegate multiple /120s.
>
> This is really easy to do.   It doesn’t give you a ton of privacy, but I don’t think it gives you less privacy than delegating a /64, and in some sense it gives you more because now you can do multiple allocations and still get the efficiency of address clustering, and the snooper doesn’t have as much information about address allocation patterns.
>
> And if you don’t want to do DHCPv6-PD, then SLAAC is actually ideal for this application, because you can in principle use a random number generator to produce the host part of the address, and just generate a bunch of random numbers with entropy so that a snooper can’t predict which addresses will be held in common by the same host.
>
> But I still really don’t see the point of this.
>

I think it is to avoid recommendations like this IPv6 setup for containers,
e.g. specifying the use of Neighbor Discovery Proxying and /80 prefix
lengths.

https://docs.docker.com/articles/networking/#ipv6

(As a side note, some discussion in the ID about whether containers
should be treated as hosts, and whether containers should then be
assigned /64s, might be useful. I think an argument could be made that
containers are hosts; however, given how lightweight they are, and
therefore how many of them people might have, a /64 for each one might be
excessive.)

Regards,
Mark.
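The two allocation models argued over above (many random SLAAC-style addresses per host inside one shared /64, versus one delegated /120 per host with its addresses packed inside it) can be compared directly against the passive-observer heuristic Ted describes: "everything inside the same fixed-length block belongs to one host". The script below is an added example, not code from the thread, the draft or Docker; the /48, /64 and /80 prefixes come from the RFC 3849 documentation range and are constructed, and the host names and the `observer_score` metric are this example's own.

```python
"""Prefix-structure linkability of two IPv6 address-assignment models.

Constructed example: documentation prefixes (RFC 3849), placeholder host
names. The "observer" only sees addresses and groups them by a fixed
prefix length, as a snooper who knows the ISP's delegation size would.
"""
import ipaddress
import itertools
import secrets
from collections import defaultdict

LINK = ipaddress.IPv6Network("2001:db8:1:1::/64")  # constructed example link
HOME = ipaddress.IPv6Network("2001:db8:1::/48")    # constructed "one /48 per home"


def blocks_in(prefix: ipaddress.IPv6Network, new_plen: int) -> int:
    """How many /new_plen blocks a prefix contains (e.g. /80s per /64)."""
    return 1 << (new_plen - prefix.prefixlen)


def random_iid_address(link: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """RFC 4941-style address: a fresh 64-bit random IID in the link's /64.
    The u/l bit (0x02 of the first IID byte, bit 57 of the IID) is cleared."""
    iid = secrets.randbits(64) & ~(1 << 57)
    return ipaddress.IPv6Address(int(link.network_address) | iid)


def slaac_model(link, hosts, per_host):
    """Every host picks per_host random addresses in the shared /64.
    Returns {address: owning host}."""
    return {random_iid_address(link): h for h in hosts for _ in range(per_host)}


def pd_model(link, hosts, per_host, plen=120):
    """DHCPv6-PD style: delegate one /plen per host (here carved
    sequentially from the link's /64) and use its first per_host addresses.
    Returns {address: owning host}."""
    owner = {}
    blocks = link.subnets(new_prefix=plen)
    for h in hosts:
        block = next(blocks)
        for addr in itertools.islice(block.hosts(), per_host):
            owner[addr] = h
    return owner


def observer_groups(addrs, plen):
    """Snooper heuristic: all addresses sharing a /plen belong to one host."""
    groups = defaultdict(set)
    for a in addrs:
        groups[ipaddress.IPv6Network((a, plen), strict=False)].add(a)
    return dict(groups)


def observer_score(owner, plen):
    """(linked, pure): 'linked' is the fraction of addresses the observer can
    tie to at least one other address by /plen grouping alone; 'pure' is
    whether every such group really contains a single host (no false links)."""
    multi = [g for g in observer_groups(owner, plen).values() if len(g) > 1]
    linked = sum(len(g) for g in multi) / len(owner)
    pure = all(len({owner[a] for a in g}) == 1 for g in multi)
    return linked, pure


if __name__ == "__main__":
    hosts = [f"host{i}" for i in range(8)]
    models = (("random IIDs in one /64", slaac_model(LINK, hosts, 16)),
              ("/120 per host via PD", pd_model(LINK, hosts, 16)))
    for name, owner in models:
        for plen in (64, 120):
            print(f"{name:24s} grouped by /{plen}: {observer_score(owner, plen)}")
    print("/80 containers per /64:", blocks_in(LINK, 80))
    print("/64 containers per /48 home:", blocks_in(HOME, 64))
```

With a /120 per host, grouping by /120 links every address to its host with no false positives, which is the clustering Ted refers to as giving the snooper less to work with only in the sense that it does not reveal the /64-level structure. With random IIDs in a shared /64, grouping by /120 links nothing (the chance that two of a few hundred random 64-bit IIDs share a 56-bit prefix is negligible), and grouping by /64 lumps every host on the link into one indistinguishable blob. The last two lines are the arithmetic behind Mark's container note: 65536 /80s fit in a /64, and a /64 per container would exhaust a /48 home allocation after the same 65536 containers.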