IETF Logo Mail Archive

Re: [v6ops] Are we competitive?

Ted Lemon <mellon@fugue.com> Mon, 15 August 2022 15:29 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E34A9C1524CB for <v6ops@ietfa.amsl.com>; Mon, 15 Aug 2022 08:29:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IE_BFJ1bgoVu for <v6ops@ietfa.amsl.com>; Mon, 15 Aug 2022 08:28:59 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 200ECC1524C6 for <v6ops@ietf.org>; Mon, 15 Aug 2022 08:28:45 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id l5so5699406qtv.4 for <v6ops@ietf.org>; Mon, 15 Aug 2022 08:28:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=WSsrxslQwfqXnhI9+imu62IBgkMWA4VyRX6XWZ8FmlQ=; b=IMYnazySDmLtnicKvzR11Bw+tw4je0WdOgil2+eNPnNrUP+gxd4YWj7BZhkOFoyCs7 p4i/UQ44UTJrey4hA45uBR0k/RIdADusLLRJTqNayhYGvctZ/7KvU2HCbXTKjvjAk6Nv kkQs8QczDoQ+TuJnQeNeDskQIxFwLD2Ba/K24t32yTrrLJYcUHSSt7KmHl6hb10ZckHl 62+6BjAOexQ2rPaq3lqvwVvBiUJc7EQvq8KUYIXCwtay9HVlUzwx216v8bLZX2VaTaiQ TdJ1E895wVPfPv2IC0ZrObYEjVR3z7VlGSeb2MG16uEuhBXGzJRw2ssG6gZspnCK0Wgf GzQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=WSsrxslQwfqXnhI9+imu62IBgkMWA4VyRX6XWZ8FmlQ=; b=0603ApnenhA++WU/irmxhnQsJvCcuK/9bLNBn4aGS3G4o2/FagtL6FVhrO4Iw0ORvN a3/ynyJLG6uFlDtKpTMoET2ilNsP+8pr24FiV6F44o4q8d7GI/795xcDZhlsndET/fX8 f4HOC7aulMh8+dgPSRodI0NmJhG83yqB9zIvCRquXs0qcalK1yk/sT3gtWXU+PA6oDxO QHlW0bdBSQ8py9WgOCoHh6WvoHz4qlMaAW42ICzvdcH2OoPeMV9ZeXjZJvBerS4BEZn1 QukUPZ0bAZlDMdaY3M/awo6D6IJMfXQmXn0gH+HQauDbDEoI+ZIfg4u2K4F5OW093eJy sX2Q==
X-Gm-Message-State: ACgBeo0w4tdTRlPfT2ujULp5i0to3Krvq2C+PJqEadO6kQd7LdAyW8sM 1xFkGjN66lp13HrIsyR+EbhkPGwexatriA==
X-Google-Smtp-Source: AA6agR6bYf4jEwVLwlW4OSPUJ+wGYseyjewg8yL9KxjwvjNXmCoZvUlu1eJ0X2wYcTmHFsnH/2YPkQ==
X-Received: by 2002:a05:622a:54:b0:343:27f:499f with SMTP id y20-20020a05622a005400b00343027f499fmr13632396qtw.193.1660577324406; Mon, 15 Aug 2022 08:28:44 -0700 (PDT)
Received: from smtpclient.apple ([2601:18b:300:3380:7463:c3e9:af1f:efff]) by smtp.gmail.com with ESMTPSA id r22-20020ac84256000000b0031e9ab4e4cesm7999020qtm.26.2022.08.15.08.28.44 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 15 Aug 2022 08:28:44 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 15 Aug 2022 11:28:43 -0400
Message-Id: <A33291B6-A2A6-4531-A225-82E03F8A73EB@fugue.com>
References: <2a1a99bb-df97-8215-0588-f52112b6d2b0@si6networks.com>
Cc: v6ops@ietf.org
In-Reply-To: <2a1a99bb-df97-8215-0588-f52112b6d2b0@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: iPad Mail (19F77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/yWYsS58c4VApdZhAval-dsb4B_c>
Subject: Re: [v6ops] Are we competitive?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 15:29:02 -0000

Sorry, what I mean by “block incoming UDP packets” is “block any UDP packet with a source IP address that is not internal, and with a destination IP address that is internal.” I don’t mean “look at UDP packets and figure out whether they are replies, and block them if they are not.” But you’re right—my thinking about QUIC was muddled. It would definitely require a stateful firewall.

Sent from my iPad

> On Aug 15, 2022, at 11:21 AM, Fernando Gont <fgont@si6networks.com> wrote:
> 
> Hi, Ted,
> 
>> On 15/8/22 12:03, Ted Lemon wrote:
>> I think the thread model for which you’d want to conceal IIDs is that
>> you want to prevent callbacks: if a host on the protected network
>> makes a connection to a host on the Internet, you don’t want that
>> host (or some other host) to be able to attempt to connect back to
>> that IP address on a different port looking for a vulnerability.
> 
> Yes, that's the obvious case you want to tackle.
> 
> 
>> If that’s the case, then you can accomplish this with a firewall. All
>> you have to do is default-block incoming SYN packets and incoming UDP
>> packets, and you’re done.
> 
> Few obvious questions:
> 
> 1) How do you do this automagically?
> 
> 2) How do you block "incoming UDP packets" without keeping state?
> 
> 3) How is the above super different/better than the NAT66 case?
> 
> FWIW, we discuss this topic in: https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-addressing-considerations
> 
> 
>> This is a lot cheaper than maintaining
>> per-connection state. The only problem is that it breaks QUIC. I
>> think it might be possible to do the same thing with QUIC, but I
>> don’t actually know how the initial handshake works for QUIC, so
>> that’s an open question in my mind.
> 
> For UDP, the rule of thumb is that you keep state, and if you get a packet from the external realm, it's considered an "incoming packet" unless you have previously seen a packet with the corresponding (local socket, remote socket) in the opposite direction.
> 
> Thanks,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

v2.23.0 | Report a Bug | By Email