I had thought of doing something where the device could send a profile to the 
router/DHCP server that says “here are the ports, DNS names, etc. that I will be 
using”.

This would then permit only those related bits to flow.

- Jared

> On Apr 24, 2024, at 4:23 PM, Hubert W <[email protected]> wrote:
> 
> 
> 
> On Wed, Apr 24, 2024, 07:46 Mark Andrews <[email protected]> wrote:
> 
> 
> > On 23 Apr 2024, at 16:51, Hubert W <[email protected]> wrote:
> > 
> > Dear WG,
> > 
> > 
> > I woke up with one idea and I would like to challenge it. 
> > In IPv6, every device receives a routable address. To protect endpoints 
> > effectively, we require firewalls to filter unwanted traffic. 
> 
> Apart from packet volume this is a false assertion.  No device should require 
> a firewall.
> 
> > But what if we could stop such traffic at the source? Could this approach 
> > convince more people toward adopting IPv6?
> > 
> > According to RFC 7381: “In a /48 assignment, typical for a site, there are 
> > then still 65,535 /64 blocks.” and “All user access networks should be a 
> > /64.”
> 
> /64 is typical not required.
> 
> > Can we then use bit 63 to convey a message: “I don’t want any incoming 
> > traffic initiated towards me!!!”? Of course a response would be accepted.
> > 
> > We could divide the /64 allocations into two groups: one for servers, and 
> > these accept incoming traffic (bit 63 = 0):
> > 
> > for example 2001:0db8:0000:0000::/64
> > 
> > And the second group: endpoints, these never accept incoming traffic (bit 
> > 63 = 1):
> > 
> > for example 2001:0db8:0000:0001::/64
> > 
> > We only need all systems to understand the message. If a router or firewall 
> > sees such a packet, it drops it. 
> > Every TCP packet with flag SYN, where the destination address (IPv6) has bit 63 
> > equal to 1, must be dropped.
> 
> All the world is not TCP.  Additionally for TCP the filtering device would 
> need to track state and that implies symmetric routing.
> 
> > Would it be theoretically possible?
> 
> No.
> 
> > Best regards
> > 
> > Hubert Wisniewski
> > 
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > [email protected]
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: [email protected]
> 
> I think there would be no issue with asymmetric traffic if we only check SYN 
> flag, but I understand that is not a good idea. Thank you for your opinion. 
> 
> Hubert Wisniewski 


_______________________________________________
6lo mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6lo
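To make the proposal in the thread concrete, here is an added illustration (not code from the thread or from any of its authors) of the rule Hubert describes: read bit 63 of the destination address, and drop a TCP SYN (without ACK) when that bit is 1. The constructed packets also show the gap Mark points out: a UDP datagram to the same "endpoint" address passes the rule untouched.

```python
import ipaddress

def bit63(addr: str) -> int:
    """Return bit 63 of an IPv6 address, i.e. the low-order bit of its /64 prefix.
    2001:db8:0:0::/64 -> 0 ("server" group), 2001:db8:0:1::/64 -> 1 ("endpoint" group)."""
    n = int(ipaddress.IPv6Address(addr))
    return (n >> 64) & 1  # bits are numbered 0..127 from the left, so bit 63 is just above the low 64

def drop_under_proposal(pkt: dict) -> bool:
    """Apply the rule as stated on the list: only a TCP SYN that is not a SYN/ACK,
    sent to an address whose bit 63 is 1, is dropped. Responses (SYN/ACK) and
    everything that is not TCP are left alone, which is exactly the limitation raised."""
    if pkt["proto"] != "tcp":
        return False  # UDP, ICMPv6, QUIC over UDP ... are never examined by this rule
    flags = pkt.get("flags", set())
    if "SYN" in flags and "ACK" not in flags:
        return bit63(pkt["dst"]) == 1
    return False

# Constructed sample traffic (not captured data), all towards the "endpoint" /64.
SAMPLE_PACKETS = [
    {"name": "syn_to_endpoint",    "proto": "tcp", "dst": "2001:db8:0:1::10", "flags": {"SYN"}},
    {"name": "synack_to_endpoint", "proto": "tcp", "dst": "2001:db8:0:1::10", "flags": {"SYN", "ACK"}},
    {"name": "syn_to_server",      "proto": "tcp", "dst": "2001:db8:0:0::10", "flags": {"SYN"}},
    {"name": "udp_to_endpoint",    "proto": "udp", "dst": "2001:db8:0:1::10"},
]

def evaluate(packets=SAMPLE_PACKETS) -> dict:
    """Map each sample packet name to whether the proposed rule would drop it."""
    return {p["name"]: drop_under_proposal(p) for p in packets}

if __name__ == "__main__":
    for name, dropped in evaluate().items():
        print(f"{name:20s} -> {'DROP' if dropped else 'pass'}")
```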