Sounds a lot like PCP…

On Wed, 24 Apr 2024 at 16:26, Jared Mauch <[email protected]> wrote:

> I had thought of doing something where the device could send a profile to the router/DHCP server that says “here’s the ports, dns names, etc. that I will be using”.
>
> This would then permit only those related bits to flow.
>
> - Jared
>
> On Apr 24, 2024, at 4:23 PM, Hubert W <[email protected]> wrote:
>
> > On Wed, Apr 24, 2024, 07:46 Mark Andrews <[email protected]> wrote:
> >
> > On 23 Apr 2024, at 16:51, Hubert W <[email protected]> wrote:
> > >
> > > Dear WG,
> > >
> > > I woke up with one idea and I would like to challenge it.
> > > In IPv6, every device receives a routable address. To protect endpoints effectively, we require firewalls to filter unwanted traffic.
> >
> > Apart from packet volume this is a false assertion. No device should require a firewall.
> >
> > > But what if we could stop such traffic at the source? Could this approach convince more people toward adopting IPv6?
> > >
> > > According to RFC 7381: “In a /48 assignment, typical for a site, there are then still 65,535 /64 blocks.” and “All user access networks should be a /64.”
> >
> > /64 is typical not required.
> >
> > > Can we use then bit 63 to convey a message: “I don’t want any incoming traffic initiated towards me!!!”? Of course a response would be accepted.
> > >
> > > We could divide the /64 allocations into two groups: one for servers, and these accept incoming traffic (bit 63 = 0):
> > >
> > > for example 2001:0db8:0000:0000::/64
> > >
> > > And the second group: endpoints, these never accept incoming traffic (bit 63 = 1):
> > >
> > > for example 2001:0db8:0000:0001::/64
> > >
> > > We only need all systems to understand the message. If a router or firewall sees such a packet, then drops it.
> > > Every TCP packet with flag SYN, where destination address (IPv6) has bit 63 equal 1, must be dropped.
> >
> > All the world is not TCP. Additionally for TCP the filtering device would need to track state and that implies symmetric routing.
> >
> > > Would it be theoretically possible?
> >
> > No.
> >
> > > Best regards
> > >
> > > Hubert Wisniewski
> > >
> > > --------------------------------------------------------------------
> > > IETF IPv6 working group mailing list
> > > [email protected]
> > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > --------------------------------------------------------------------
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: [email protected]
> >
> > I think there would be no issue with asymmetric traffic if we only check SYN flag, but I understand that is not a good idea. Thank you for your opinion.
> >
> > Hubert Wisniewski
_______________________________________________
6lo mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6lo
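
The bit-63 rule proposed in the thread, applied statelessly to single packets, as an added Python illustration (not code from any participant). It shows which traffic the rule stops and which it lets through, including the non-TCP case raised in the reply. Assumptions: the function names are hypothetical, "SYN" is read as an initial SYN (SYN set, ACK clear), extension headers are not walked, and the packets are constructed samples using the documentation prefix from the thread.

```python
import ipaddress
import struct

TCP, UDP = 6, 17          # IPv6 Next Header values
SYN, ACK = 0x02, 0x10     # TCP flag bits

def no_inbound_bit(addr: str) -> bool:
    """True when bit 63 (bit 0 = most significant bit of the address) is 1."""
    return bool((int(ipaddress.IPv6Address(addr)) >> 64) & 1)

def build_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Constructed sample input: fixed 40-byte IPv6 header plus payload."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def tcp_segment(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def verdict(packet: bytes) -> str:
    """Apply the proposed rule to one packet, with no connection state."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop"                      # not a well-formed IPv6 packet
    next_header = packet[6]
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    if not no_inbound_bit(dst):
        return "forward"                   # "server" group, bit 63 = 0
    if next_header == TCP and len(packet) >= 54:
        flags = packet[40 + 13]
        # Assumption: only an initial SYN is dropped, so a SYN-ACK that
        # answers an outbound connection still reaches the endpoint.
        if flags & SYN and not flags & ACK:
            return "drop"
    return "forward"                       # everything else, e.g. unsolicited UDP

if __name__ == "__main__":
    outside, endpoint, server = "2001:db8:ffff::1", "2001:db8:0:1::10", "2001:db8:0:0::10"
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    print(verdict(build_packet(outside, endpoint, TCP, tcp_segment(SYN))))
    print(verdict(build_packet(outside, endpoint, TCP, tcp_segment(SYN | ACK))))
    print(verdict(build_packet(outside, server, TCP, tcp_segment(SYN))))
    print(verdict(build_packet(outside, endpoint, UDP, udp)))
```

The last case is the gap the reply points at: an unsolicited UDP datagram to a bit-63 = 1 address is forwarded, because the rule has nothing comparable to a SYN flag to key on without tracking state.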
