subject:"Mac OS X 10.7, still no DHCPv6"


On Feb 28, 2011, at 9:23 PM, Mark Newton wrote:

> 
> On 01/03/2011, at 1:23 AM, Brian Johnson wrote:
> 
>> Can someone explain what exactly the security threat is?
> 
> 
> If I see two IPv6 addresses which share the same 64 bit suffix,
> I can be reasonably certain that they both correspond to the same
> device because they'll both be generated by the same MAC address.
> 
> Your IPv6 address has thereby become a token I can use to track
> your whereabouts, which is the kind of thing that privacy advocates
> often find upsetting.
> 
Correct.

> RFC4941 should be (but generally isn't) enabled by default.
> 
Incorrect.

> Having said that, implementation of RFC4941 is lossy.  On MacOS,
> long-held TCP sessions time-out when a new privacy suffix is 
> generated and the old one ages out.  I'd have thought that a
> better outcome would be for old addresses to continue working
> until their refcount drops to zero.
> 
I'm not sure addresses maintain a refcount in that way and it might
not be so easy for the thing cleaning the address off the interface
to find the open connections at the time. Also, since this probably
happens in protected sections of the kernel, you probably want it
to happen pretty quickly and adding baggage is anathema to
speed.
> 
> The new attack vector which SLAAC with EUI64 creates is one of
> "trackability."  I can't passively accumulate IPv4 logs which tell me
> which ISPs you've used, which cities you're in, which WiFi hotspots
> you've used, which companies you've worked at, which websites you've
> visited, etc.
> 
True, you have to use a cookie or a Javascript that reports the Mac
Address to do that. :p

> I can accumulate logs which tell me which IP addresses have done those
> things, but I can't (for example) correlate them to your personal 
> smartphone.
> 
Unless...

> I can with IPv6.
> 
More accurate to say "It's easier with IPv6 and SLAAC."

> That's new, and (to my mind) threatening.  We've not even begun to 
> consider the attack vectors that'll open up.
> 
It's not new. It's not all that threatening. It's just easier.

We've begun to consider it. That's why paranoid people do things like
turning off cookies. I suspect you probably think browsers should ship
with a default of "don't accept cookies", too.

Privacy addresses create quite a bit of ugliness and are a miscreants
wet dream. They're a MAC forwarding table DOS looking for a place
to happen. They're probably a necessary evil for a limited subgroup
of users, but, not something which should, generally, be enabled by
default.

Of course, because that's the case, Micr0$0ft has seen fit to do exactly
that.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Joel Jaeggli

On 2/28/11 9:34 PM, Dobbins, Roland wrote:
> 
> On Mar 1, 2011, at 12:23 PM, Mark Newton wrote:
> 
>> That's new, and (to my mind) threatening.  We've not even begun to
>> consider the attack vectors that'll open up.

given that rfc 3041 had it's 10th birthday in january there's nothing
new about any of this.

> 
> I don't think it's new at all, given the amount of information
> available today that you already cite, down to and including sniffing
> on toxic hotel networks and the like.
> 
> Folks are already easily pwn3d to extremes - look at HB Gary.  This
> doesn't constitute some huge new attack surface or information
> leakage - especially given the existence of VPNs/proxies, the
> tendency to store more and more data/apps on servers/in 'the cloud',
> and so forth.
> 
> In fact, the device one is actually using at any given moment and
> where one is located when using said device is becoming less and less
> relevant.
> 
>> From a physical-security standpoint, leaky IM, SMTP headers, et.
>> al. already give the game away.
> 
> We've been living in this situation for years.  Nothing about EUI-64
> changes this fact, IMHO.  I dislike it immensely, but it isn't a
> game-changer, IMHO.
> 
> ---
>
> 
Roland Dobbins  // 
> 
> The basis of optimism is sheer terror.
> 
> -- Oscar Wilde
> 
> 
>

Re: Mac OS X 10.7, still no DHCPv6

On Mar 1, 2011, at 12:23 PM, Mark Newton wrote:

> That's new, and (to my mind) threatening.  We've not even begun to consider 
> the attack vectors that'll open up.

I don't think it's new at all, given the amount of information available today 
that you already cite, down to and including sniffing on toxic hotel networks 
and the like. 

Folks are already easily pwn3d to extremes - look at HB Gary.  This doesn't 
constitute some huge new attack surface or information leakage - especially 
given the existence of VPNs/proxies, the tendency to store more and more 
data/apps on servers/in 'the cloud', and so forth.

In fact, the device one is actually using at any given moment and where one is 
located when using said device is becoming less and less relevant.

>From a physical-security standpoint, leaky IM, SMTP headers, et. al. already 
>give the game away.

We've been living in this situation for years.  Nothing about EUI-64 changes 
this fact, IMHO.  I dislike it immensely, but it isn't a game-changer, IMHO.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Mark Newton

On 01/03/2011, at 1:23 AM, Brian Johnson wrote:

> Can someone explain what exactly the security threat is?

If I see two IPv6 addresses which share the same 64 bit suffix,
I can be reasonably certain that they both correspond to the same
device because they'll both be generated by the same MAC address.

Your IPv6 address has thereby become a token I can use to track
your whereabouts, which is the kind of thing that privacy advocates
often find upsetting.

RFC4941 should be (but generally isn't) enabled by default.

Having said that, implementation of RFC4941 is lossy.  On MacOS,
long-held TCP sessions time-out when a new privacy suffix is 
generated and the old one ages out.  I'd have thought that a
better outcome would be for old addresses to continue working
until their refcount drops to zero.

> If you are going to say that knowing the MAC address of the end device allows 
> the "bad guy" to know what type of equipment you have and as such to attempt 
> known compromises for said equipment, then please just don't reply. :)

It's not about that;  there are already plenty of other attack vectors
that can be used to find out someone's IP address, such as web-bugs, 
logfiles behind phishing and malware distribution websites, etc.

The new attack vector which SLAAC with EUI64 creates is one of
"trackability."  I can't passively accumulate IPv4 logs which tell me
which ISPs you've used, which cities you're in, which WiFi hotspots
you've used, which companies you've worked at, which websites you've
visited, etc.

I can accumulate logs which tell me which IP addresses have done those
things, but I can't (for example) correlate them to your personal 
smartphone.

I can with IPv6.

That's new, and (to my mind) threatening.  We've not even begun to 
consider the attack vectors that'll open up.

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Joel Jaeggli

On 2/28/11 6:51 AM, Nick Hilliard wrote:
> I will be a lot more sympathetic about listening to arguments /
> explanations about this insanity the day that the IETF filters out arp
> and ipv4 packets from the conference network and depends entirely on
> ipv6 for connectivity for the entire conference.

Oddly enough the meeting NOC is in the business of providing services to
customers and we generally assume that to be with the highest
availability and minimum breakage feasible under the circumstances...   

> "But we couldn't do that??!?!", I hear you say.

I would direct your attention to the ietf-v6ONLY SSID present during the
meeting and ask you to ponder what purpose it serves.

> I understand completely.

I am mystified.

> Nick
>

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Joel Jaeggli

On 2/28/11 6:48 AM, Jeff Kell wrote:
> On 2/28/2011 8:44 AM, Dobbins, Roland wrote:
>> On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:
>>> Again, having a permanently known identifier being broadcast all the time 
>>> is a potentially a serious security/safety issue. 
>> We already have this with MAC addresses, unless folks bother to periodically 
>> change them, do we not?
> 
> Not globally, no.

As is, present in layer-3...

> Jeff
> 
>

Re: Mac OS X 10.7, still no DHCPv6


On Feb 28, 2011, at 5:35 PM, Dobbins, Roland wrote:

> 
> On Mar 1, 2011, at 7:00 AM, Owen DeLong wrote:
> 
>> In five years we should be just about ready to start deprecating IPv4, if 
>> not already beginning to do so.
> 
> 
> That's been said about so many things, from various legacy OSes to other 
> protocols such as SNA and SMB/CIFS.  
> 
> None of those things are as prevalent as IPv4 is today.  And yet, they're 
> still around to haunt us.
> 
I said beginning to turn it off, not done with it.

> I think we're going to be dealing with IPv4 for a long, long time - far 
> longer than two years.
> 
Oh, I agree. However, I think in 5 years we'll start seeing a few residential 
providers announcing
things like IPv4 is now a $20/month optional service.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Richard Barnes

>>       Anyone care to start the IPv4 dead pool, Price is Right
>> style, for when the last v4 NLRI is removed from the DFZ?
>
> That's funny, I don't care what galaxy you're from :)

So that puts your bet at more than 25,000 years?

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Brett Watson


On Feb 28, 2011, at 6:38 PM, Majdi S. Abbas wrote:

>   Anyone care to start the IPv4 dead pool, Price is Right
> style, for when the last v4 NLRI is removed from the DFZ?

That's funny, I don't care what galaxy you're from :)

-b

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Majdi S. Abbas

On Mon, Feb 28, 2011 at 04:00:16PM -0800, Owen DeLong wrote:
> Ready or not, IPv6-only (or reasonably IPv6-only) residential 
> customers are less than 2 years out, so, well within
> your 5-year planning horizon, whether those ISPs see that or 
> not. Denial is an impressive human phenomenon.

Denial is indeed impressive:

v6 only is not the only option for residential customers
already used to functioning behind NAT.

I, for one, welcome our new CGN overlords...

> In five years we should be just about ready to start deprecating IPv4, 
> if not already beginning to do so.

Considering it's taken us 15 years to get this far... I think
that's pretty optimistic.

Anyone care to start the IPv4 dead pool, Price is Right
style, for when the last v4 NLRI is removed from the DFZ?

--msa

Re: Mac OS X 10.7, still no DHCPv6

On Mar 1, 2011, at 7:00 AM, Owen DeLong wrote:

> In five years we should be just about ready to start deprecating IPv4, if not 
> already beginning to do so.

That's been said about so many things, from various legacy OSes to other 
protocols such as SNA and SMB/CIFS.  

None of those things are as prevalent as IPv4 is today.  And yet, they're still 
around to haunt us.

I think we're going to be dealing with IPv4 for a long, long time - far longer 
than two years.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6


On Feb 28, 2011, at 9:16 PM, Leo Bicknell wrote:

> Those who designed IPv6 appear to have ignored the problem space.


This is true of many, many aspects of IPv6.  And those of us who didn't get 
involved in the process to try and address (pardon the pun, heh) those problems 
bear a burden of the responsibility for the current state of affairs.

So, it's very obvious that there's a lot of work to be done in order to make 
pure IPv6 viable for a non-isignificant proportion of the user base (including 
spimes and such in that population).  Dual-stack is an appropriate transitional 
mechanism to make some steps towards that goal in some circumstances, and so it 
shouldn't be summarily dismissed, that's all.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

> Small (say, under 50,000 customer) ISPs in my experience have a planning 
> horizon which is less than five years from now. Anything further out than 
> that is not "foreseeable" in the sense that I meant it. I have much less 
> first-hand experience with large, carrier-sized ISPs and what I have is a 
> decade old, so perhaps the small ISP experience is not universal, but I'd be 
> somewhat surprised giving the velocity of the target and what I perceive as 
> substantial inertia in carrier-sized ISPs whether there's much practical 
> difference.
> 
Ready or not, IPv6-only (or reasonably IPv6-only) residential customers are 
less than 2 years out, so, well within
your 5-year planning horizon, whether those ISPs see that or not. Denial is an 
impressive human phenomenon.

> So, what's a reasonable target for the next five years?
> 
In five years we should be just about ready to start deprecating IPv4, if not 
already beginning to do so.

> 1. Deployed dual-stack access which interact nicely with consumer CPEs and 
> electronics, the IPv4 side of the stack deployed through increased use of NAT 
> when ISPs run out of numbers.
> 
Icky, but, probably necessary for some fraction of users. Ideally, we try to 
avoid these multi-NAT areas being
done in such a way that the end user in question doesn't also have reasonably 
clean IPv6 connectivity.

> 2. IPv6-only access, CPE and hosts, with some kind of transition mechanism to 
> deliver v4-only content (from content providers and v4-only peers) to the 
> v6-only customers.
> 
This is, IMHO, preferable to option 1.

> Perhaps it's because I've never seen a NAT-PT replacement that was any 
> prettier than NAT-PT, but I don't see (2) being anything that a residential 
> customer would buy before 2016. Perhaps I'm wrong, but I don't hear a lot of 
> people shouting about their success.
> 
Personally, I think DS-Lite is the cleanest solution, but, it isn't without its 
issues. The reality is that post-runout
IPv4 is going to be ugly, regardless of whether it's NAT64 ugliness, LSN 
ugliness, or DS-LITE ugliness.

IPv4 is all about which flavor of bitter you prefer at this point. The 
sweetness is all on IPv6.

> Note, I'm not talking about the ISPs who have already invested time, capex 
> and opex in deploying dual-stack environments. I'm talking about what I see 
> as the majority of the problem space, namely ISPs who have not.
> 
The majority of the problem space IMHO is end-user-space at ISPs that have put 
at least some dual-stack
research effort in, but, haven't come to solutions for end-users.

However, we're less than 2 years away from seeing what happens in those 
environments without IPv4.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Cameron Byrne

On Feb 28, 2011 12:28 PM, "Randy Bush"  wrote:
>
> > It's hard to see v6-only networks as a viable, general-purpose
> > solution to anything in the foreseeable future. I'm not sure why
> > people keep fixating on that as an end goal. The future we ought to be
> > working towards is a consistent, reliable, dual-stack
> > environment. There's no point worrying about v6-only operations if we
> > can't get dual-stack working reliably.
>
> facile but fallacious fanboyism
>
>  o if ipv6 can not operate as the only protocol, and we will be out
>of ipv4 space and have to deploy 6-only networks, it damned well
>better be able to stand on its own.
>
>  o if ipv6 can not stand on its own, then dual-stack is a joke that
>will be very un-funny very shortly, as one partner in the marriage
>is a dummy.

+1
Well said. V6 needs to stand on its own.

Cb
>
> randy
>

Re: Mac OS X 10.7, still no DHCPv6

On 2011-02-28, at 17:04, Owen DeLong wrote:

> On Feb 28, 2011, at 12:34 PM, Joe Abley wrote:
> 
>> On 2011-02-28, at 15:27, Randy Bush wrote:
>> 
>>> o if ipv6 can not operate as the only protocol, and we will be out
>>>  of ipv4 space and have to deploy 6-only networks, it damned well
>>>  better be able to stand on its own.
>> 
>> Do you think I was suggesting that IPv6 as a protocol doesn't need to be 
>> able to stand on its own two feet? Because I wasn't; that's patently absurd.
>> 
> 
> It is both absurd and pretty much exactly what you said.

Well, you misunderstood what I meant, which I'm sure is my own fault. I'm sure 
my view of the world is warped and unnatural, too, but most of you know that 
already. :-)

To me, delivering IPv6 to residential Internet users is the largest missing 
piece of the puzzle today. Those users generally have no technical support 
beyond what they can get from the helpdesk, and the race to the bottom has 
ensured that (a) the helpdesk isn't of a scale to deal with pervasive 
connectivity problems and (b) any user that spends more than an hour on the 
phone has probably burnt any profit he/she might have generated for the ISP 
that year, and hence anything that is likely to trigger that kind of support 
burden is either going to result in customers leaving, bankruptcy or both.

Small (say, under 50,000 customer) ISPs in my experience have a planning 
horizon which is less than five years from now. Anything further out than that 
is not "foreseeable" in the sense that I meant it. I have much less first-hand 
experience with large, carrier-sized ISPs and what I have is a decade old, so 
perhaps the small ISP experience is not universal, but I'd be somewhat 
surprised giving the velocity of the target and what I perceive as substantial 
inertia in carrier-sized ISPs whether there's much practical difference.

So, what's a reasonable target for the next five years?

1. Deployed dual-stack access which interact nicely with consumer CPEs and 
electronics, the IPv4 side of the stack deployed through increased use of NAT 
when ISPs run out of numbers.

2. IPv6-only access, CPE and hosts, with some kind of transition mechanism to 
deliver v4-only content (from content providers and v4-only peers) to the 
v6-only customers.

Perhaps it's because I've never seen a NAT-PT replacement that was any prettier 
than NAT-PT, but I don't see (2) being anything that a residential customer 
would buy before 2016. Perhaps I'm wrong, but I don't hear a lot of people 
shouting about their success.

Note, I'm not talking about the ISPs who have already invested time, capex and 
opex in deploying dual-stack environments. I'm talking about what I see as the 
majority of the problem space, namely ISPs who have not.

Joe

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 12:34 PM, Joe Abley wrote:

> 
> On 2011-02-28, at 15:27, Randy Bush wrote:
> 
>> o if ipv6 can not operate as the only protocol, and we will be out
>>   of ipv4 space and have to deploy 6-only networks, it damned well
>>   better be able to stand on its own.
> 
> Do you think I was suggesting that IPv6 as a protocol doesn't need to be able 
> to stand on its own two feet? Because I wasn't; that's patently absurd.
> 
It is both absurd and pretty much exactly what you said.

> However, a fixation on v6-only operation makes no sense for general-purpose 
> deployment when most content and peers are only reachable via IPv4.
> 
I guess this is a matter of perspective. For some of us that already have 
complete dual stack deployments,
focusing on the issues present in IPv6-only operation is just the next logical 
step.

In some cases, I would say that the v6-only considerations are well worth 
considering as you prepare
to deploy dual-stack so that you don't deploy dual-stack in such a way as to 
create unnecessary
inter-protocol dependencies that will hurt you later.

The reality is that IPv6-only networks are not likely in the foreseeable future 
is only a true statement
if your foreseeable future ends in the past. There are already a certain number 
of functional operating
deployed IPv6-only networks. Further, it's not going to be more than a few 
months before we start
seeing networks that have very limited or degraded IPv4 capabilities, if any, 
due to the inability to
grant addresses to new networks in some areas.

> I appreciate that there are walled gardens, captive mobile applications, 
> telemetry networks and other niche applications for which v6-only networks 
> make sense today. I'm not talking about them. I'm talking about the network 
> that supports what the average user thinks of as the Internet.
> 
And how do you think the average residential end user is going to see the IPv4 
internet next year?

> The immediate task at hand is a transition from IPv4-only to dual stack, 
> regardless of how many NATs or other transition mechanisms the IPv4 half of 
> the dual stack is provisioned through.
> 
Yes, but, given the nearly immediate runout of IPv4, I would say that doing so 
in a way that best
facilitates IPv6-only hosts being functional is very much worthy of 
consideration in this process.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Mark Andrews


In message <28d10d13-988b-4c7d-833b-eba6e1bc1...@hopcount.ca>, Joe Abley writes
:
> 
> On 2011-02-28, at 09:51, Nick Hilliard wrote:
> 
> > I will be a lot more sympathetic about listening to arguments / =
> explanations about this insanity the day that the IETF filters out arp =
> and ipv4 packets from the conference network and depends entirely on =
> ipv6 for connectivity for the entire conference.
> 
> It's hard to see v6-only networks as a viable, general-purpose solution =
> to anything in the foreseeable future. I'm not sure why people keep =
> fixating on that as an end goal. The future we ought to be working =
> towards is a consistent, reliable, dual-stack environment. There's no =
> point worrying about v6-only operations if we can't get dual-stack =
> working reliably.
> 
> [I also find the knee-jerk "it's different from IPv4, the IETF is =
> stupid" memes to be tiring. Identifying questionable design decisions =
> with hindsight is hardly the exclusive domain of IPv6; there are =
> tremendously more crufty workarounds in IPv4, and far more available =
> hindsight. Complaining about IPv6 because it's different from IPv4 =
> doesn't get us anywhere.]

Because the machines we deploy today may still be running in 10 years and
we don't want them stopping the network going IPv6 only then.

> Joe=
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Leo Bicknell

In a message written on Mon, Feb 28, 2011 at 06:49:36PM +1100, Karl Auer wrote:
> I do think though, that assuming DHCP is the way to get some of these
> things might be shooting from the hip. Perhaps there is a better way,
> with IPv6?

DHCP is a terrible protocol for 2011, and will be an old school
throwback by 2040.  The fact that it's the option on the table for
IPv6 is a shame.

> The difficulty is that now everyone is in a tearing hurry; they just
> want everything to work the exact same way, and they want it NOW. There
> is "suddenly" no time to work out better ways. And goodness knows there
> must be a better way to boot a remote image than delivering an address
> via DHCP!

Those who designed IPv6 appear to have ignored the problem space.
They could have offered a better solution, but did not.  There
seemed to be this idea that most of what DHCP did was deliver an
address, which is a very naive way of looking at it.  So they came
up with a new method to get an address and ignored the rest of the
usage models.

Bootp nee DHCP was designed in an era where a TCP stack in an
embedded device was a costly addition.  Now a full TCP/IP stack
comes for free with a $0.50 micro-controller.  If RA's could give
out a "configuration IP address" hosts could tftp/http/whatever
down a config file, text, xml, some new format.  There could have
been innovation in the space, and the time to sell people that it
was the right thing to do.

For some reason though we all went head in the sand.  And I mean
all, operators ignored the IETF until it was too late, the IETF
decided the operators didn't know what they were talking about
and/or were stuck in an IPv4 world.  So now we have a gap, a very
short time frame, and only one half done solution on the table.
We'll likely have to run with it as starting over now would take
too much time.

It's really a gigantic missed opportunity that probably will only
come along every few decades.  Maybe the next time around we'll do
better.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

pgp2jW5w0TAkB.pgp
Description: PGP signature

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Randy Bush

> Dual stack isn't always the best approach.  For networks that pass a
> large amount of traffic to a relatively small number of destinations,
> NAT64/DNS64 on a native v6 platform might be a better migration
> approach.  If 90% of your traffic is v6, it is probably less trouble to
> use NAT64/DNS64 to reach that 10% than it is to dual-stack.  

the scenario i think of here is the enterprise which wishes not to use
private space so deploys v6-only internally, and nat64 at the border to
a dual-stack provider.

randy

RE: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread George Bonser

> From: Randy Bush 
> Sent: Monday, February 28, 2011 12:27 PM
> To: Joe Abley
> Cc: NANOG Operators' Group
> Subject: Re: Mac OS X 10.7, still no DHCPv6
> 
> > It's hard to see v6-only networks as a viable, general-purpose
> > solution to anything in the foreseeable future. I'm not sure why
> > people keep fixating on that as an end goal. The future we ought to
> be
> > working towards is a consistent, reliable, dual-stack
> > environment. There's no point worrying about v6-only operations if
we
> > can't get dual-stack working reliably.
> 
> facile but fallacious fanboyism
> 
>   o if ipv6 can not operate as the only protocol, and we will be out
> of ipv4 space and have to deploy 6-only networks, it damned well
> better be able to stand on its own.
> 
>   o if ipv6 can not stand on its own, then dual-stack is a joke that
> will be very un-funny very shortly, as one partner in the marriage
> is a dummy.
> 
> randy

Dual stack isn't always the best approach.  For networks that pass a
large amount of traffic to a relatively small number of destinations,
NAT64/DNS64 on a native v6 platform might be a better migration
approach.  If 90% of your traffic is v6, it is probably less trouble to
use NAT64/DNS64 to reach that 10% than it is to dual-stack.  

Networks such as the sort described above would be expected to see the
majority of their traffic migrate very quickly to v6 once only a few
remote networks are v6 capable.  This is a case where the pain is
front-loaded.  The amount of NAT64/DNS64 required to support such a
topology is great at first, then quickly steps down as the destinations
exchanging the most traffic become v6 capable, and then gradually tails
off as the outliers catch up.

G

Re: Mac OS X 10.7, still no DHCPv6


On 2011-02-28, at 15:38, Randy Bush wrote:

> you may want to read your words and the thread which followed.

The phrase you apparently missed (or which was not sufficient for me to explain 
myself clearly) was "viable, general-purpose solution".


Joe

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Jeff Kell

On 2/27/2011 11:53 PM, Franck Martin wrote:
> No, when I first played with IPv6 only network, I found out that RD was 
> silly, it gives an IP adddress but no DNS, and you have to rely on IPv4 to do 
> that. silly, so my understanding is then people saw the mistake, and added 
> some DNS resolution... Because the only option was to get DHCPv6 to get the 
> DNS, but then why create RD in the first place?

Well, for the malware authors, it really is an awful lot of trouble to go 
broadcasting
gratuitous ARPs claiming to be the default gateway, and then blasting those 
spoofed
gratuitous ARPs at the gateway claiming to be the clients, and having to do all 
that
packet-forwarding foo just to get to be the man-in-the-middle...  when you can 
just
generate an RA and you don't even have to set the evil bit!!

And why bother with all those silly DNS-changer malware pointing the resolvers 
off to
Inhoster-land so you can provide your own interesting answers for interesting 
names
you'd like to phish, when you can just sit there and listen on the DNS anycast 
address
and answer the ones you want!!

And why bother parsing out the Facebook friends or AOL buddies or MSN contacts 
list to
spew out those phishing URLs to everybody we know, when we can just sit back 
and let
Bonjour/Rendezvous/iChat do all the work for us?

Plug and Play malware is the future :-)

Jeff

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Randy Bush

>>  o if ipv6 can not operate as the only protocol, and we will be out
>>of ipv4 space and have to deploy 6-only networks, it damned well
>>better be able to stand on its own.
> 
> Do you think I was suggesting that IPv6 as a protocol doesn't need to
> be able to stand on its own two feet?

you may want to read your words and the thread which followed.

randy

Re: Mac OS X 10.7, still no DHCPv6

On 2011-02-28, at 15:27, Randy Bush wrote:

>  o if ipv6 can not operate as the only protocol, and we will be out
>of ipv4 space and have to deploy 6-only networks, it damned well
>better be able to stand on its own.

Do you think I was suggesting that IPv6 as a protocol doesn't need to be able 
to stand on its own two feet? Because I wasn't; that's patently absurd.

However, a fixation on v6-only operation makes no sense for general-purpose 
deployment when most content and peers are only reachable via IPv4.

I appreciate that there are walled gardens, captive mobile applications, 
telemetry networks and other niche applications for which v6-only networks make 
sense today. I'm not talking about them. I'm talking about the network that 
supports what the average user thinks of as the Internet.

The immediate task at hand is a transition from IPv4-only to dual stack, 
regardless of how many NATs or other transition mechanisms the IPv4 half of the 
dual stack is provisioned through.

Joe

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Randy Bush

> It's hard to see v6-only networks as a viable, general-purpose
> solution to anything in the foreseeable future. I'm not sure why
> people keep fixating on that as an end goal. The future we ought to be
> working towards is a consistent, reliable, dual-stack
> environment. There's no point worrying about v6-only operations if we
> can't get dual-stack working reliably.

facile but fallacious fanboyism

  o if ipv6 can not operate as the only protocol, and we will be out
of ipv4 space and have to deploy 6-only networks, it damned well
better be able to stand on its own.

  o if ipv6 can not stand on its own, then dual-stack is a joke that
will be very un-funny very shortly, as one partner in the marriage
is a dummy.

randy

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Cameron Byrne

On Feb 28, 2011 8:45 AM, "Owen DeLong"  wrote:
>
>
> On Feb 28, 2011, at 7:34 AM, Joe Abley wrote:
>
> >
> > On 2011-02-28, at 10:27, Nick Hilliard wrote:
> >
> >> On 28/02/2011 14:59, Joe Abley wrote:
> >>> I'm not sure why people keep
> >>> fixating on that as an end goal. The future we ought to be working
> >>> towards is a consistent, reliable, dual-stack environment. There's no
> >>> point worrying about v6-only operations if we can't get dual-stack
> >>> working reliably.
> >>
> >> That's "dual-stack" as in
"dual-stack-except-one-of-the-stacks-really-doesn't-work-properly-so-we'll-fudge-around-it"?
:-)
> >
> > You're describing where we are. I'm talking about where I think we
should be planning to arrive.
> >
> Your description sounds more like where we should be making a plane
change.
> The eventual destination is IPv6-only. Dual-stack is a temporary stopover
along the way.
> However, you are partially right in that we should be focusing on arriving
at the first
> stop-over until we arrive there. Then we can start navigating from there
to the final
> destination.
>
> >> Look, my original point is that RA is a brilliant solution for a
problem which never really existed.  Now, can we all just ignore RA and work
towards DHCPv6 because that's what's actually needed in the real world?
> >
> > RA and DHCPv6 work together. It's different from DHCP in IPv4. Run with
it. Sending people back to the drawing board at this late stage in the game
(a) isn't going to happen and (b) isn't going to help anybody.
> >
> And the model breaks badly at layers 8-10 in most enterprises and many
other organizations.
>
> >> We haven't got there because I can't plug in my laptop into any
arbitrary ipv6-only network and expect to be able to load up ipv6.google.com
.
> >>
> >> Is that too high a standard to work towards? :-)
> >
> > As I thought I mentioned, yes. Forget v6-only right now. Dual-stack is
an operationally-harder problem, and it's a necessary prerequisite.
> >
> For some situations at this point, that may not actually be true. It will
be soon enough that it won't even be possible.
>

Owen is right. Ipv6-only is a very near term reality for networks with very
fast growing edges like mobile phones and wireless machine to machine
communications. It is not prudent to install an electricity meter today with
a 30 year expected life span ... and include ipv4.  These systems are being
deployed today as ipv6 only, not in the future.  Also, you can expect many
types of mobile phones to be ipv6-only soon. Ipv4 is not going away, dual
stack fell short of being the universal transition mechanism but is still
useful in many palaces -especially content hosts, and ipv6-only will pop up
soon in as many places as it possibly makes sense.  Remember, from a network
planner / designer / architect perspective, ipv4 is not a resource for
future network growth.

> Owen
>
>

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Leigh Porter

On 28 Feb 2011, at 16:57, valdis.kletni...@vt.edu wrote:

> On Mon, 28 Feb 2011 10:04:23 EST, Joe Abley said:
>> I don't think this has ever been cited as a global, general threat that
>> must be eliminated (just as people are generally happy to use the same
>> credit card as they move around the planet and don't generally stress
>> about the implications).
> 
> It's not a global threat.  However, it *is* a *specific* threat to some 
> people.
> 
> We support the ability of students to restrict "directory information" to
> various levels, from "don't list home address" to  "we won't admit they are a
> student without a court order or other authorization". I happen to know that
> 299 students (out of roughly 7,000) in our graduating class currently have
> their privacy set high enough to exclude them from being listed in the program
> for the 2011 graduation ceremony.  Sure would be a shame if the network itself
> insisted on making them trackable...
> 
> (Some of these students are just privacy minded, but we have a fair number 
> that
> are children of diplomats/etc, or are literally in hiding from ex'es or
> non-custodial parents and have restraining orders out - these people *really*
> don't want to be tracked/found...)
> 
> 

But you still need to know who they are so that when the court order pops 
through your door and it turns out they have been brewing up anthrax in the 
biology lab you'll want to be able to identify the IP address that was 
responsible for the nick binladen on the \terrorists channel on EFnet, yeah?

I really do not care less if people are tracked/found/whatever externally, so 
long as internally I can identify with some fair degree of certainty who had 
that address at any one time.

And so in order to fix this we have people writing perl scripts to hoover up 
tidbits of information from snoop ports or routers. At least with DHCP you 
actually get a log on a box who who had what.

--
Leigh Porter

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Valdis . Kletnieks

On Mon, 28 Feb 2011 10:04:23 EST, Joe Abley said:
> I don't think this has ever been cited as a global, general threat that
> must be eliminated (just as people are generally happy to use the same
> credit card as they move around the planet and don't generally stress
> about the implications).

It's not a global threat.  However, it *is* a *specific* threat to some people.

We support the ability of students to restrict "directory information" to
various levels, from "don't list home address" to  "we won't admit they are a
student without a court order or other authorization". I happen to know that
299 students (out of roughly 7,000) in our graduating class currently have
their privacy set high enough to exclude them from being listed in the program
for the 2011 graduation ceremony.  Sure would be a shame if the network itself
insisted on making them trackable...

(Some of these students are just privacy minded, but we have a fair number that
are children of diplomats/etc, or are literally in hiding from ex'es or
non-custodial parents and have restraining orders out - these people *really*
don't want to be tracked/found...)




pgpKebaVWF0qI.pgp
Description: PGP signature

Re: Mac OS X 10.7, still no DHCPv6


On Feb 28, 2011, at 7:34 AM, Joe Abley wrote:

> 
> On 2011-02-28, at 10:27, Nick Hilliard wrote:
> 
>> On 28/02/2011 14:59, Joe Abley wrote:
>>> I'm not sure why people keep
>>> fixating on that as an end goal. The future we ought to be working
>>> towards is a consistent, reliable, dual-stack environment. There's no
>>> point worrying about v6-only operations if we can't get dual-stack
>>> working reliably.
>> 
>> That's "dual-stack" as in 
>> "dual-stack-except-one-of-the-stacks-really-doesn't-work-properly-so-we'll-fudge-around-it"?
>>  :-)
> 
> You're describing where we are. I'm talking about where I think we should be 
> planning to arrive.
> 
Your description sounds more like where we should be making a plane change.
The eventual destination is IPv6-only. Dual-stack is a temporary stopover along 
the way.
However, you are partially right in that we should be focusing on arriving at 
the first
stop-over until we arrive there. Then we can start navigating from there to the 
final
destination.

>> Look, my original point is that RA is a brilliant solution for a problem 
>> which never really existed.  Now, can we all just ignore RA and work towards 
>> DHCPv6 because that's what's actually needed in the real world?
> 
> RA and DHCPv6 work together. It's different from DHCP in IPv4. Run with it. 
> Sending people back to the drawing board at this late stage in the game (a) 
> isn't going to happen and (b) isn't going to help anybody.
> 
And the model breaks badly at layers 8-10 in most enterprises and many other 
organizations.

>> We haven't got there because I can't plug in my laptop into any arbitrary 
>> ipv6-only network and expect to be able to load up ipv6.google.com.
>> 
>> Is that too high a standard to work towards? :-)
> 
> As I thought I mentioned, yes. Forget v6-only right now. Dual-stack is an 
> operationally-harder problem, and it's a necessary prerequisite.
> 
For some situations at this point, that may not actually be true. It will be 
soon enough that it won't even be possible.

Owen

Re: Mac OS X 10.7, still no DHCPv6


On Feb 28, 2011, at 11:15 PM, Nick Hilliard wrote:

> At that moment, Dobbins and Abley were enlightened.

hahaha

;>

Hey, I think dual-stack is pretty ugly - just that it's less ugly than getting 
no operational experience with IPv6 at all on production networks until some 
point in the indeterminate future.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 11:14 PM, Owen DeLong wrote:

>  IPv6-only viability is the real goal.  This is, in the long run, a 
> transition from v4 to v6. Dual-stack is an interim stop-gap, not an end
> solution.

I think most everyone agrees with this.  However, getting experience with 
dual-stack is better than no experience with IPv6 at all.

This doesn't mean that dual-stack should be rolled out everywhere; just that 
doing so may in fact make sense in some situations, and will often result in 
folks getting some operational experience with IPv6 vs. none at all until some 
time in the distant future.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Ray Soucy

   1.  Multiple subnets on the same media that are intended for
   different hosts and have different routers are no longer
   feasible. (Yes, you can argue they're less than desirable
   in IPv4 and I would agree, but, they exist in the real world
   for a variety of layer 8-10 reasons and re-engineering an
   organization to make it fit into IPv6 is non-trivial).

Owen, you seem to be fixated around the idea that you can't have
multiple prefixes on the same subnet.

Set the routers to disable SLAAC,

Setup DHCPv6 to only respond with address information for the specific
hosts you want to control for each prefix (this DHCPv6 server can be
run by someone different than the person configuring routers).

Hosts will use the gateway for the prefix they've been assigned.

I'm not sure why you insist otherwise.

I've actually been working on such a setup for web-based host
registration and using a "shadow" ULA prefix until registered, then
they get a real DHCPv6 response.

And yes, you're correct, it would be much better to keep different
hosts on different VLANs, this is just a possible solution to your
problem statement.

I wouldn't be opposed to DHCPv6 options to deliver routes to hosts
(e.g. prefix, prefix-length, gateway, and metric) not just default
route information.  But I'm not sure that anything is really "lost" in
terms of functionality under the current implementation, you just have
to approach it in a slightly different way.

RDNSS encourages people not to implement functional DHCPv6 clients, so
I'm not sure how you find it to be a good thing for the problem
statement above.

On Mon, Feb 28, 2011 at 11:01 AM, Owen DeLong  wrote:
>> Really, if you look back at the archives of this list these arguments
>> are starting to get "silly" as you put it.
>>
> Yes and no...
>
>> It seems that every few months, as people discover that IPv6 isn't
>> going away and they should brush up on it, people go through this
>> process of debating the way IPv6 was designed as if it were 1998, and
>> ultimately make posts like this.
>>
> This may apply to some fraction of posters, but, I think many of the
> posters in this thread are actually fairly knowledgeable on IPv6.
>
>> IPv6 is simple, elegant, and flexible.
>>
> Parts of it are. Other parts are rigid, inflexible, and represent design
> decisions only theorists could love.
>
>> DHCPv6 was always a core component of IPv6 (just like ICMPv6 is a core
>> components of IPv6, or should we throw ping and traceroute into RA as
>> well...)
>>
> The intertwining of RA/DHCPv6 as it currently stands in IPv6 is an example
> of a design decision only theorists could love.
>
> In the real world, you have organizations where the people that manage
> hosts and host policy are not the people that run routers. In such
> environments, creating this kind of cross-organizational dependency
> that requires a constant coordination of even trivial changes on either
> side is far from optimal.
>
>> This is why we have flags in RA to signal how addressing is done on a
>> network for a prefix:
>>
>> A - Autonomous Flag, allows hosts to perform stateless addressing for a 
>> prefix.
>> O - Other Flag, signals that additional configuration information is
>> available (such as DNS) and DHCPv6 should be used.
>> M - Managed Flag, signals that hosts should request a stateful address
>> using DHCPv6.
>>
> That's all well and good, but, when you consider the real world implications,
> it starts to break down in most organizations...
>
> Now, the people that run the routers have full control over the selection
> of addressing schemes for the network. The people who set host policy
> have no control short of statically configuring the hosts or getting buy-in
> from the people that run the routers for their particular preference
> in address selection methods.
>
> Yes, in a theoretical world, everyone gets along and cooperates easily
> and stuff just works out with whatever decision is agreed upon. In the
> real world, this becomes a constant source of tension between the
> two groups and increases workload on both sides of the equation
> unnecessarily.
>
>> The real point, initially at least, for stateless addressing was to
>> make the Link-Local scope work.  It's brilliantly elegant.  It allows
>> all IPv6 configuration to be made over IPv6 (and thus use sane
>> constructs like multicast to do it).
>>
> All well and good, but...
>
>> Router Advertisements shift gateway and prefix configuration to the
>> routers (which are the devices that actually know if they're available
>> or not) rather than a DHCP server.  If you set things up right, making
>> a change to your RA will be seen by hosts almost instantly, and you
>> won't need to go through the headache of waiting for DHCP leases to
>> expire before hosts see that a network isn't available and let go of
>> that route.
>>
> Which also means:
>        1.      Multiple subnets on the s

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 6:59 AM, Joe Abley wrote:

> 
> On 2011-02-28, at 09:51, Nick Hilliard wrote:
> 
>> I will be a lot more sympathetic about listening to arguments / explanations 
>> about this insanity the day that the IETF filters out arp and ipv4 packets 
>> from the conference network and depends entirely on ipv6 for connectivity 
>> for the entire conference.
> 
> It's hard to see v6-only networks as a viable, general-purpose solution to 
> anything in the foreseeable future. I'm not sure why people keep fixating on 
> that as an end goal. The future we ought to be working towards is a 
> consistent, reliable, dual-stack environment. There's no point worrying about 
> v6-only operations if we can't get dual-stack working reliably.
> 
I disagree.

Those of us who know what it costs to do double maintenance on a continuing 
basis would like to
drive a stake through the heart of IPv4 sooner rather than later. IPv6-only 
viability is the real goal.
This is, in the long run, a transition from v4 to v6. Dual-stack is an interim 
stop-gap, not an end
solution.

Dual stack is mostly working reliably at this point. There are some 
improvements needed in IPv6
for enterprises and they are needed for both dual stack and for IPv6 only, so, 
I'm not sure why
that becomes particularly relevant to this thread.

However, we should always keep our eye on the prize as it were. That's the 
eventuality of
realizing huge cost savings (lower CAM utilization, better scaling, etc.) of a 
v6-only
world.

> [I also find the knee-jerk "it's different from IPv4, the IETF is stupid" 
> memes to be tiring. Identifying questionable design decisions with hindsight 
> is hardly the exclusive domain of IPv6; there are tremendously more crufty 
> workarounds in IPv4, and far more available hindsight. Complaining about IPv6 
> because it's different from IPv4 doesn't get us anywhere.]
> 
How about attempting to point out the areas where IPv6 could be improved, 
which, is how
I regard most of this thread.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Nick Hilliard


On 28/02/2011 15:45, Dobbins, Roland wrote:

At that moment, the master was enlightened.


One day a master from another monastery came upon Dobbins and Abley as they 
were watching a 14 year-old cripple learning how to fly.


"I do not believe we should waste time teaching children to walk", said 
Abley.  "Indeed not", agreed Dobbins, "a waste of time and a distraction 
from the long term goal of flight.  We have kept the child restrained from 
birth so that he can concentrate on the loftier ideal".


The sojourner then seized the book from the child, flung it at Abley and 
Dobbins, called social services to lodge a complaint about child neglect, 
then stalked off in disgust, rolling his eyes and muttering under his 
breath about the rank stupidity of humanity.


At that moment, Dobbins and Abley were enlightened.

Nick

Re: Mac OS X 10.7, still no DHCPv6

> Really, if you look back at the archives of this list these arguments
> are starting to get "silly" as you put it.
> 
Yes and no...

> It seems that every few months, as people discover that IPv6 isn't
> going away and they should brush up on it, people go through this
> process of debating the way IPv6 was designed as if it were 1998, and
> ultimately make posts like this.
> 
This may apply to some fraction of posters, but, I think many of the
posters in this thread are actually fairly knowledgeable on IPv6.

> IPv6 is simple, elegant, and flexible.
> 
Parts of it are. Other parts are rigid, inflexible, and represent design
decisions only theorists could love.

> DHCPv6 was always a core component of IPv6 (just like ICMPv6 is a core
> components of IPv6, or should we throw ping and traceroute into RA as
> well...)
> 
The intertwining of RA/DHCPv6 as it currently stands in IPv6 is an example
of a design decision only theorists could love.

In the real world, you have organizations where the people that manage
hosts and host policy are not the people that run routers. In such
environments, creating this kind of cross-organizational dependency
that requires a constant coordination of even trivial changes on either
side is far from optimal.

> This is why we have flags in RA to signal how addressing is done on a
> network for a prefix:
> 
> A - Autonomous Flag, allows hosts to perform stateless addressing for a 
> prefix.
> O - Other Flag, signals that additional configuration information is
> available (such as DNS) and DHCPv6 should be used.
> M - Managed Flag, signals that hosts should request a stateful address
> using DHCPv6.
> 
That's all well and good, but, when you consider the real world implications,
it starts to break down in most organizations...

Now, the people that run the routers have full control over the selection
of addressing schemes for the network. The people who set host policy
have no control short of statically configuring the hosts or getting buy-in
from the people that run the routers for their particular preference
in address selection methods.

Yes, in a theoretical world, everyone gets along and cooperates easily
and stuff just works out with whatever decision is agreed upon. In the
real world, this becomes a constant source of tension between the
two groups and increases workload on both sides of the equation
unnecessarily.

> The real point, initially at least, for stateless addressing was to
> make the Link-Local scope work.  It's brilliantly elegant.  It allows
> all IPv6 configuration to be made over IPv6 (and thus use sane
> constructs like multicast to do it).
> 
All well and good, but...

> Router Advertisements shift gateway and prefix configuration to the
> routers (which are the devices that actually know if they're available
> or not) rather than a DHCP server.  If you set things up right, making
> a change to your RA will be seen by hosts almost instantly, and you
> won't need to go through the headache of waiting for DHCP leases to
> expire before hosts see that a network isn't available and let go of
> that route.
> 
Which also means:
1.  Multiple subnets on the same media that are intended for
different hosts and have different routers are no longer
feasible. (Yes, you can argue they're less than desirable
in IPv4 and I would agree, but, they exist in the real world
for a variety of layer 8-10 reasons and re-engineering an
organization to make it fit into IPv6 is non-trivial).

2.  RA has the problem of treating all routers claiming to
have the same priority are of equal value to all hosts.
Routers are considered fully interchangeable units
and it is assumed that all routers are a viable path
to everything. DHCPv4 actually provides facilities
for dealing with more complex topologies where
different destinations may be in different directions
from different hosts. It also allows for providing
different default gateways to different hosts based on
policy decisions.

Yes, in the most basic cases, RA can be superior to getting routing
information from DHCP. However, in the real world, there are many
cases where it simply breaks things and is a step backwards from
capabilities in use in IPv4.

> One thing to keep in mind is that even though DHCPv6 and DHCP have a
> similar name, they're still pretty different.  DHCPv6 was designed as
> part of IPv6.  DHCP was an afterthought.  Like many things in IPv6,
> they have been re-designed and included as a core component of IPv6.
> Don't go making assumptions that DHCPv6 was "added" to IPv6 to turn
> IPv6 into IPv4, and don't try to modify DHCPv6 to make that the case,
> please.  What is needed now is protocol stability, and implementation
> of the current standards, not the re-wri

Re: Mac OS X 10.7, still no DHCPv6


On Feb 28, 2011, at 10:27 PM, Nick Hilliard wrote:

> We haven't got there because I can't plug in my laptop into any arbitrary 
> ipv6-only network and expect to be able to load up ipv6.google.com.

-

One day a master from another monastery came upon Abley as he was watching a 
young child sounding out letters from a spelling primer.

"I do not believe we should waste time trying to get IPv6 working in a 
dual-stack environment, said the sojourner, "we should instead discuss what is 
wrong with IPv6, and how to fix it through the standards process and detailed 
vendor implementation guidelines."

Abley then seized the book from the child and flung it into a nearby rubbish 
bin, saying, "I wish this child to learn how to write sonnets in iambic 
pentameter."

At that moment, the master was enlightened.

-

;>

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 10:27 PM, Owen DeLong wrote:

> Having a MAC address as a permanent identifier is a very different problem 
> from having that MAC address go into a layer 3 protocol field.

Given the plethora of identifiable information already frothing around in our 
data wakes, I'm unsure this is as big a deal as it might initially seem, 
especially given the existence of VPNs and proxy servers.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

On 2011-02-28, at 10:27, Nick Hilliard wrote:

> On 28/02/2011 14:59, Joe Abley wrote:
>> I'm not sure why people keep
>> fixating on that as an end goal. The future we ought to be working
>> towards is a consistent, reliable, dual-stack environment. There's no
>> point worrying about v6-only operations if we can't get dual-stack
>> working reliably.
> 
> That's "dual-stack" as in 
> "dual-stack-except-one-of-the-stacks-really-doesn't-work-properly-so-we'll-fudge-around-it"?
>  :-)

You're describing where we are. I'm talking about where I think we should be 
planning to arrive.

> Look, my original point is that RA is a brilliant solution for a problem 
> which never really existed.  Now, can we all just ignore RA and work towards 
> DHCPv6 because that's what's actually needed in the real world?

RA and DHCPv6 work together. It's different from DHCP in IPv4. Run with it. 
Sending people back to the drawing board at this late stage in the game (a) 
isn't going to happen and (b) isn't going to help anybody.

> We haven't got there because I can't plug in my laptop into any arbitrary 
> ipv6-only network and expect to be able to load up ipv6.google.com.
> 
> Is that too high a standard to work towards? :-)

As I thought I mentioned, yes. Forget v6-only right now. Dual-stack is an 
operationally-harder problem, and it's a necessary prerequisite.

Joe

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 5:44 AM, Dobbins, Roland wrote:

> 
> On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:
> 
>> Again, having a permanently known identifier being broadcast all the time is 
>> a potentially a serious security/safety issue. 
> 
> 
> We already have this with MAC addresses, unless folks bother to periodically 
> change them, do we not?
> 
MAC addresses don't generally leave the local broadcast domain.

Having a MAC address as a permanent identifier is a very different problem from 
having that
MAC address go into a layer 3 protocol field.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Nick Hilliard

On 28/02/2011 14:59, Joe Abley wrote:

I'm not sure why people keep
fixating on that as an end goal. The future we ought to be working
towards is a consistent, reliable, dual-stack environment. There's no
point worrying about v6-only operations if we can't get dual-stack
working reliably.

That's "dual-stack" as in
"dual-stack-except-one-of-the-stacks-really-doesn't-work-properly-so-we'll-fudge-around-it"?
:-)

Look, my original point is that RA is a brilliant solution for a problem
which never really existed. Now, can we all just ignore RA and work
towards DHCPv6 because that's what's actually needed in the real world?

[I also find the knee-jerk "it's different from IPv4, the IETF is
stupid" memes to be tiring. Identifying questionable design decisions
with hindsight is hardly the exclusive domain of IPv6; there are
tremendously more crufty workarounds in IPv4, and far more available
hindsight. Complaining about IPv6 because it's different from IPv4
doesn't get us anywhere.]

Sure. We had lots of hindsight with ipv4, which should have indicated to
people that we had just the sort of functionality that we needed from dhcp,
even if dhcpv4 was badly implemented.

But instead of sorting out DHCPv6 and making it do what we needed, we ended
up with two protocols which ought to complement each other, but don't
quite, and also can't quite operate independently because of historical
turf wars in the IETF (now ended, thankfully).

Complaining about knee-jerk reactions would have been fine in the early
days, but it is 14 years, 3 weeks, 0 days, 2 hours and 8 minutes since I
sent my first ipv6 ping, and we still haven't got there for basic ipv6 LAN
connectivity.

We haven't got there because I can't plug in my laptop into any arbitrary
ipv6-only network and expect to be able to load up ipv6.google.com.

Is that too high a standard to work towards? :-)

Nick

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 9:59 PM, Joe Abley wrote:

>  There's no point worrying about v6-only operations if we can't get 
> dual-stack working reliably.

I think this is the most insightful, cogent, and pertinent comment made 
regarding IPv6 in just about any medium at any time.

[Yes, I know that dual-stack brings its own additional complexities to the 
table, but there really isn't any other choice, is there?]

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6


On 2011-02-28, at 09:53, Brian Johnson wrote:

> Can someone explain what exactly the security threat is?

The threat model relates to the ability for a third party to be able to 
identify what subnets a single device has moved between, which is possible with 
MAC-embedded IPv6 addresses but not possible with addresses without embedded 
local identifiers. It's analogous to someone tracking credit card use and being 
able to infer from the vendor crumbs where an individual has been.

I don't think this has ever been cited as a global, general threat that must be 
eliminated (just as people are generally happy to use the same credit card as 
they move around the planet and don't generally stress about the implications). 
However, I think it's reasonable that it's a concern for some. There is no 
global, fixed value of "acceptable" when it comes to privacy.


Joe

Re: Mac OS X 10.7, still no DHCPv6

On 2011-02-28, at 09:51, Nick Hilliard wrote:

> I will be a lot more sympathetic about listening to arguments / explanations 
> about this insanity the day that the IETF filters out arp and ipv4 packets 
> from the conference network and depends entirely on ipv6 for connectivity for 
> the entire conference.

It's hard to see v6-only networks as a viable, general-purpose solution to 
anything in the foreseeable future. I'm not sure why people keep fixating on 
that as an end goal. The future we ought to be working towards is a consistent, 
reliable, dual-stack environment. There's no point worrying about v6-only 
operations if we can't get dual-stack working reliably.

[I also find the knee-jerk "it's different from IPv4, the IETF is stupid" memes 
to be tiring. Identifying questionable design decisions with hindsight is 
hardly the exclusive domain of IPv6; there are tremendously more crufty 
workarounds in IPv4, and far more available hindsight. Complaining about IPv6 
because it's different from IPv4 doesn't get us anywhere.]

Joe

RE: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Brian Johnson

>-Original Message-
>From: Jeff Kell [mailto:jeff-k...@utc.edu]
>Sent: Monday, February 28, 2011 8:49 AM
>To: Dobbins, Roland
>Cc: nanog group
>Subject: Re: Mac OS X 10.7, still no DHCPv6
>
>On 2/28/2011 8:44 AM, Dobbins, Roland wrote:
>> On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:
>>> Again, having a permanently known identifier being broadcast all the time
>is a potentially a serious security/safety issue.
>> We already have this with MAC addresses, unless folks bother to
>periodically change them, do we not?
>
>Not globally, no.
>
>Jeff
>

Can someone explain what exactly the security threat is?

If you are going to say that knowing the MAC address of the end device allows 
the "bad guy" to know what type of equipment you have and as such to attempt 
known compromises for said equipment, then please just don't reply. :)

- Brian

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Nick Hilliard


On 28/02/2011 13:52, Ray Soucy wrote:

The real point, initially at least, for stateless addressing was to
make the Link-Local scope work.  It's brilliantly elegant.  It allows
all IPv6 configuration to be made over IPv6 (and thus use sane
constructs like multicast to do it).


Wonderful, brilliant design.


Router Advertisements shift gateway and prefix configuration to the
routers (which are the devices that actually know if they're available
or not) rather than a DHCP server.  If you set things up right, making
a change to your RA will be seen by hosts almost instantly, and you
won't need to go through the headache of waiting for DHCP leases to
expire before hosts see that a network isn't available and let go of
that route.


Yes, it's all brilliant, wonderful.  Elegant too, this idea of having two 
sets of protocols, because two is always better than one.  It provides balance.


I will be a lot more sympathetic about listening to arguments / 
explanations about this insanity the day that the IETF filters out arp and 
ipv4 packets from the conference network and depends entirely on ipv6 for 
connectivity for the entire conference.


"But we couldn't do that??!?!", I hear you say.

I understand completely.

Nick

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Jeff Kell

On 2/28/2011 8:44 AM, Dobbins, Roland wrote:
> On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:
>> Again, having a permanently known identifier being broadcast all the time is 
>> a potentially a serious security/safety issue. 
> We already have this with MAC addresses, unless folks bother to periodically 
> change them, do we not?

Not globally, no.

Jeff

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 9:01 PM, Joe Abley wrote:

> By embedding the MAC into the layer-3 address, the concern is that the 
> information becomes accessible Internet-wide.

Given the the toxicity of hotel networks alone, my guess is that it already is 
pretty much available Internet-wide, at least to those who stand to illicitly 
profit by it the most.

;>

And let's not get started on IMEIs, ESNs, and MEIDs, heh.

SMTP headers and various IM client sessions are also quite revealing, for that 
matter - and in near- or real-time, in many cases.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

On 2011-02-28, at 08:44, Dobbins, Roland wrote:

> On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:
> 
>> Again, having a permanently known identifier being broadcast all the time is 
>> a potentially a serious security/safety issue. 
> 
> We already have this with MAC addresses, unless folks bother to periodically 
> change them, do we not?

Only between hosts that are in the same layer-2 broadcast domain.

By embedding the MAC into the layer-3 address, the concern is that the 
information becomes accessible Internet-wide.

Joe

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Jim Gettys


On 02/28/2011 08:44 AM, Dobbins, Roland wrote:


On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:


Again, having a permanently known identifier being broadcast all the time is a 
potentially a serious security/safety issue.



We already have this with MAC addresses, unless folks bother to periodically 
change them, do we not?



And we certainly discussed randomising MAC addresses, for exactly the 
reasons stated.

- Jim

Re: Mac OS X 10.7, still no DHCPv6


On Feb 28, 2011, at 8:52 PM, Ray Soucy wrote:

> IPv6 is simple, elegant, and flexible.


This is the first time I've ever seen 'IPv6' in the same sentence with 
'simple', 'elegant', or 'flexible', unless preceded by 'not'.

;>

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Ray Soucy

implement DHCPv6 is more work" is "silly" for these same reasons.
"Well I'm not going to support address scope because that's more
work."

Thankfully, with Apple seemingly supporting DHCPv6, that means
Windows, Linux, Mac, and BSD will all have full IPv6 implementations,
and if you don't want to use DHCPv6 for addressing you don't have to.

If the goal was really to keep DNS simple for IPv6, rather than RDNSS,
they should have written an autonomous anycast or multicast DNS spec
rather than cluttering up RA with DNS server messages.  RDNSS is a
cancer IMHO and I hope we don't see it implemented.

Just replace RDNSS with "DHCPv6 Light" and you get the same thing
without breaking IPv6.  Most of the people who want RDNSS wanted to
avoid implementing DHCPv6, but its already been implemented, so I'm
not sure what all the extra effort bought us, except that now we're
seeing confused companies like Apple implement both RDNSS and DHCPv6
because they don't know which one will be needed.  So what I'm saying
here is that RDNSS is successful is doing the opposite of its goal:
Instead of making IPv6 implementation more simple, they've made it
more complex.

DHCPv6 has nothing to do with "wanting to do things the way we always
have".  It has everything to do with "we might not always do things
the same way we do today, so lets split this from being in RA".  When
it comes down to it, for hosts that provide content (servers) you'll
always need a way of knowing that address.  I'm sure manual IPv6
configuration works fine for you, but in something significant, say a
VM cluster, I for one would rather not go back to the dark ages of
manually configuring IPv6 addresses on each host.

Privacy addressing is more to mask the MAC address of a host than to
provide "privacy".  This is because some systems are easily
identifiable by their MAC address, such as Apple computers, and
embedding that into the source IP provides potential attackers with a
guess as to what the device is.  That said, host that use both DHCPv6
and Stateless addresses will use their stateless address for new
outgoing requests, by the way, effectively making the stateful address
an alias.  So I'm not sure what the issue is here.

Apple is probably cringing at this thread going on for so long and not
getting berried because of the inaccurate topic. :-)

On Sun, Feb 27, 2011 at 11:53 PM, Franck Martin  wrote:
> Oh... did not know about the heavy baggage...
>
> No, when I first played with IPv6 only network, I found out that RD was 
> silly, it gives an IP adddress but no DNS, and you have to rely on IPv4 to do 
> that. silly, so my understanding is then people saw the mistake, and added 
> some DNS resolution... Because the only option was to get DHCPv6 to get the 
> DNS, but then why create RD in the first place?
>
> So I found this whole saga, to put it mildly "stupid", like when people were 
> talking about migrating to IPv6 but the root servers did not even have an 
> IPv6 address: silly!
>
> So I really don't care between RD and DHCPv6, what I care, is that they 
> should be able to do their job correctly on their own.
>
> - Original Message -
> From: "Owen DeLong" 
> To: "Franck Martin" 
> Cc: "Matthew Palmer" , nanog@nanog.org
> Sent: Sunday, 27 February, 2011 6:08:28 PM
> Subject: Re: Mac OS X 10.7, still no DHCPv6
>
> Look, can we stop arguing about whether someone needs DHCP or not,
> whether they need SLAAC or not. Let's just get both solutions to a mature
> and useful state where a network administrator can pick the one that works
> best for their environment and move on.
>
> Devices, routers, OSs, etc. should support both. The IETF should stop letting
> the two working groups focus on damaging the other protocol and we should
> stop treating this as a competition or a battle and start treating it as 
> options
> to accomplish a task.
>
> Owen
>
> On Feb 27, 2011, at 1:25 PM, Franck Martin wrote:
>
>> Yes I don't understand why we need DHCPv6, true RD did not have DNS 
>> information to pass, but that is fixed, no?
>>
>> - Original Message -
>> From: "Matthew Palmer" 
>> To: nanog@nanog.org
>> Sent: Sunday, 27 February, 2011 4:06:29 PM
>> Subject: Re: Mac OS X 10.7, still no DHCPv6
>>
>> On Sun, Feb 27, 2011 at 08:56:33AM -0500, Ray Soucy wrote:
>>> Mac OS X 10.7 does support RDNSS (RFC 5001) so it is able to get DNS
>>> server information in an IPv6-only environment.  Of course nobody else
>>> has implemented that yet, making Apple a "special case" host once
>>> again (I don't even think Cisco supports the option in their T series
>>> yet).
>>
>> radvd and rdnssd work together on Linux nicely to provide RDNSS support.
>> Works a treat.
>>
>> - Matt
>>
>
>
>

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote:

> Again, having a permanently known identifier being broadcast all the time is 
> a potentially a serious security/safety issue. 

We already have this with MAC addresses, unless folks bother to periodically 
change them, do we not?

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Jim Gettys


On 02/28/2011 08:25 AM, Steven Bellovin wrote:


On Feb 28, 2011, at 1:10 21AM, Randy Bush wrote:


I'm not saying there are no uses for DHCPv6, though I suspect
that some of the reasons proposed are more people wanting to do
things the way they always do, rather than making small changes
and ending up with equivalent effort.


add noc and doc costs of all changes, please


Sure.  How do they compare to the total cost of the IPv6 conversion
excluding SLAAC?  (Btw, for the folks who said that enterprises may
not want privacy-enhanced addresses -- that isn't clear to me.  While
they may want it turned off internally, or even when roaming internally,
I suspect that many companies would really want to avoid having their
employees tracked when they're traveling.  Imagine -- you know the CEO's
laptop's MAC address from looking at Received: lines in headers.  (Some
CEOs do send email to random outsiders -- think of the Steve Jobs-grams
that some people have gotten.)  You then see the same MAC address with
a prefix belonging to some potential merger or joint venture target.  You
may turn on DHCPv6 to avoid that, but his/her home ISP or takeover target
may not.)




One of the items we worried about at OLPC (not that I remember if we 
ended up doing anything about it), is that in some countries, kidnapping 
is a very serious problem.


Again, having a permanently known identifier being broadcast all the 
time is a potentially a serious security/safety issue.  It must be 
*possible* to be anonymous, even if some environments by policy won't 
provide service if you choose to be anonymous.

- Jim

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Steven Bellovin


On Feb 28, 2011, at 1:10 21AM, Randy Bush wrote:

>> I'm not saying there are no uses for DHCPv6, though I suspect
>> that some of the reasons proposed are more people wanting to do
>> things the way they always do, rather than making small changes
>> and ending up with equivalent effort.
> 
> add noc and doc costs of all changes, please
> 
Sure.  How do they compare to the total cost of the IPv6 conversion
excluding SLAAC?  (Btw, for the folks who said that enterprises may
not want privacy-enhanced addresses -- that isn't clear to me.  While
they may want it turned off internally, or even when roaming internally,
I suspect that many companies would really want to avoid having their
employees tracked when they're traveling.  Imagine -- you know the CEO's
laptop's MAC address from looking at Received: lines in headers.  (Some
CEOs do send email to random outsiders -- think of the Steve Jobs-grams
that some people have gotten.)  You then see the same MAC address with
a prefix belonging to some potential merger or joint venture target.  You
may turn on DHCPv6 to avoid that, but his/her home ISP or takeover target
may not.)


--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Mac OS X 10.7, still no DHCPv6

On Feb 28, 2011, at 7:35 PM, Tony Finch wrote:

> It ought to be possible to look at SMB or mDNS messages to get more 
> information about what the host claims to be...

We can't trust those, they're easily manipulated and/or 
situationally-irrelevant.  

Or not present at all, if the endpoint customer is security-conscious.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Tony Finch

On Sun, 27 Feb 2011, Owen DeLong wrote:

> But the ND messages don't tell you anything other than the Mac
> address about which host it actually is. In theory, at least, snooping
> the DHCP messages might include a hostname or some other
> useful identifier.

It ought to be possible to look at SMB or mDNS messages to get more
information about what the host claims to be...

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
Trafalgar: North 5 to 7, occasionally gale 8 in Biscay. Moderate or rough.
Squally showers. Good.

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Mark Andrews


In message <1298850835.2109.33.camel@karl>, Karl Auer writes:
> On Mon, 2011-02-28 at 09:39 +1100, Mark Andrews wrote:
> > DHCP kills privacy addresses.
> > DHCP kills CGAs.
> 
> For temporary addresses couldn't a client clamp the upper limits of its
> received lifetimes to the desired lifetimes, then rebind instead of
> renew, sending a DECLINE if it gets the same address (as it presumably
> will)?

Not quite the same.  With privacy addresses you still have a stable
address.
 
> The "temporaryness" would then be pretty much in the hands of the client
> (arguably where it belongs). That does kill the privacy aspect of
> temporary addresses, at least locally. Perhaps that is only a partial
> loss, as the addresses would still be "private" as far as the wider
> world was concerned.
> 
> How does ISC DHCPv6 allocate addresses? Random, sequential...?
> 
> Regards, K.
> 
> --=20
> ~~~
> Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
> http://www.biplane.com.au/kauer/   +61-428-957160 (mob)
> 
> GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
> Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
> 
> --=-tH4fLyHaqQtSrebFpt31
> Content-Type: application/pgp-signature; name="signature.asc"
> Content-Description: This is a digitally signed message part
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEABECAAYFAk1q5BMACgkQMAcU7Vc29oeHIQCfcFAeUYv13rGhF4ViACJe8xHI
> QZIAoNAfG744pfSZSM3p4fGNpzyXg6It
> =hxri
> -END PGP SIGNATURE-
> 
> --=-tH4fLyHaqQtSrebFpt31--
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Daniel Roesen

On Sun, Feb 27, 2011 at 05:55:53PM -0800, Owen DeLong wrote:
> The lack of NTP and certain other options in SLAAC is still a
> disappointment and I would argue that a fully matured SLAAC process
> would include a mechanism for specifying extensible choices of things.

That's O=1 and stateless DHCPv6.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Mohacsi Janos




On Sun, 27 Feb 2011, Ray Soucy wrote:


(I'm just waiting for Apple's lawyers to try an get names out of me...)

But yes, it does appear that Apple is addressing the issue:

8<
cat /etc/ip6addrctl.conf
# default policy table based on RFC 3484.
# usage: ip6addrctl install path_to_this_file
#
# $FreeBSD$
#
#Format:
#Prefix   Precedence Label
::1/128   50 0
::/0  40 1
2002::/16 30 2
::/96 20 3
:::0:0/96 10 4
8<



Awesome!
Best Regards,

Re: Mac OS X 10.7, still no DHCPv6

On Mon, 2011-02-28 at 12:57 +1100, Mark Andrews wrote:
> Except in the senarios being described they are also blocking the
> other addresses.  I would also think setting the "M" bit would
> prelude the host from generating such addresses as they are unmanaged.

I think the M flag says "you can get an address via DHCP" - it doesn't
say "and don't get an address via any other means".

From RFC 4861:

M  1-bit "Managed address configuration" flag.  When
   set, it indicates that addresses are available via
   Dynamic Host Configuration Protocol [DHCPv6].

If you want to disable SLAAC, you instead use the AdvAutonomousFlag in
the Prefix Information option included for the given prefix in the
link's Prefix List.

> > DHCP has a couple of hundred defined options.  Vendors have tried
> > adding ONE to the RA protocol (DNS servers) as replacement
> > functionality.  That leaves them a few hundred options short, in
> > my book.
> 
> Which is what the O bit was for.

Welll - the number of options defined so far for DHCPv6 is very small
compared to the number of options defined for DHCPv4. I think that's
what Leo meant. The "O" bit will avail you naught if you want, for
example, a boot server address.

I do think though, that assuming DHCP is the way to get some of these
things might be shooting from the hip. Perhaps there is a better way,
with IPv6?

The difficulty is that now everyone is in a tearing hurry; they just
want everything to work the exact same way, and they want it NOW. There
is "suddenly" no time to work out better ways. And goodness knows there
must be a better way to boot a remote image than delivering an address
via DHCP!

With apologies to the musical "Keating":

   "Give us back our comfy little network
Take us back to safer days of yore
Nothing alien or scary, la-di-da or airy-fairy
Just put it back the way it was before..."

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156

signature.asc
Description: This is a digitally signed message part

Re: Mac OS X 10.7, still no DHCPv6

On Mon, 2011-02-28 at 09:39 +1100, Mark Andrews wrote:
> DHCP kills privacy addresses.
> DHCP kills CGAs.

For temporary addresses couldn't a client clamp the upper limits of its
received lifetimes to the desired lifetimes, then rebind instead of
renew, sending a DECLINE if it gets the same address (as it presumably
will)?

The "temporaryness" would then be pretty much in the hands of the client
(arguably where it belongs). That does kill the privacy aspect of
temporary addresses, at least locally. Perhaps that is only a partial
loss, as the addresses would still be "private" as far as the wider
world was concerned.

How does ISC DHCPv6 allocate addresses? Random, sequential...?

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156

signature.asc
Description: This is a digitally signed message part

Re: Mac OS X 10.7, still no DHCPv6

On Sun, 2011-02-27 at 12:30 -1000, Antonio Querubin wrote:
> On Mon, 28 Feb 2011, Karl Auer wrote:
> 
> > Well - that draft very recently (i.e., only a few months, if that)
> > became standards track, so it'll be a while before it's built into
> > everything as a matter of course, but yes, it's "fixed". RFC 6109.
>^
> Maybe you mean RFC 6106?

Er - yes. Thanks :-)

It comes from being south of the equator - we have to concentrate really
hard on the 6 vs 9 thing.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156


signature.asc
Description: This is a digitally signed message part

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Randy Bush

> I'm not saying there are no uses for DHCPv6, though I suspect
> that some of the reasons proposed are more people wanting to do
> things the way they always do, rather than making small changes
> and ending up with equivalent effort.

add noc and doc costs of all changes, please

randy

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Paul Vixie

there are two replies here.

---

Christopher Morrow  writes:

> ..., what's the harm in dhcpv6? (different strokes and all that)

only the egos and reputations of those who said that stateless autoconf
was all ipv6 needed.  (which is a small price to pay, according to me.)

---

"Dobbins, Roland"  writes:

> On Feb 28, 2011, at 10:47 AM, Steven Bellovin wrote:
>
>> Also don't forget privacy-enhanced addresses.
>
> Yes, which have extremely negative opsec connotations in terms of
> complicating traceback.

/64 csma subnets with low order 64 bits controlled by infectable pc's means
we'll be blackholing by /64 when we blackhole in ipv6.  it's no big deal.
-- 
Paul Vixie
KI6YSY

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Franck Martin

Oh... did not know about the heavy baggage...

No, when I first played with IPv6 only network, I found out that RD was silly, 
it gives an IP adddress but no DNS, and you have to rely on IPv4 to do that. 
silly, so my understanding is then people saw the mistake, and added some DNS 
resolution... Because the only option was to get DHCPv6 to get the DNS, but 
then why create RD in the first place?

So I found this whole saga, to put it mildly "stupid", like when people were 
talking about migrating to IPv6 but the root servers did not even have an IPv6 
address: silly!

So I really don't care between RD and DHCPv6, what I care, is that they should 
be able to do their job correctly on their own.

- Original Message -
From: "Owen DeLong" 
To: "Franck Martin" 
Cc: "Matthew Palmer" , nanog@nanog.org
Sent: Sunday, 27 February, 2011 6:08:28 PM
Subject: Re: Mac OS X 10.7, still no DHCPv6

Look, can we stop arguing about whether someone needs DHCP or not,
whether they need SLAAC or not. Let's just get both solutions to a mature
and useful state where a network administrator can pick the one that works
best for their environment and move on.

Devices, routers, OSs, etc. should support both. The IETF should stop letting
the two working groups focus on damaging the other protocol and we should
stop treating this as a competition or a battle and start treating it as options
to accomplish a task.

Owen

On Feb 27, 2011, at 1:25 PM, Franck Martin wrote:

> Yes I don't understand why we need DHCPv6, true RD did not have DNS 
> information to pass, but that is fixed, no?
> 
> - Original Message -
> From: "Matthew Palmer" 
> To: nanog@nanog.org
> Sent: Sunday, 27 February, 2011 4:06:29 PM
> Subject: Re: Mac OS X 10.7, still no DHCPv6
> 
> On Sun, Feb 27, 2011 at 08:56:33AM -0500, Ray Soucy wrote:
>> Mac OS X 10.7 does support RDNSS (RFC 5001) so it is able to get DNS
>> server information in an IPv6-only environment.  Of course nobody else
>> has implemented that yet, making Apple a "special case" host once
>> again (I don't even think Cisco supports the option in their T series
>> yet).
> 
> radvd and rdnssd work together on Linux nicely to provide RDNSS support. 
> Works a treat.
> 
> - Matt
>

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Dobbins, Roland

On Feb 28, 2011, at 10:47 AM, Steven Bellovin wrote:

> You really need to look at switch logs for that, even with IPv4: 
> http://www.cs.columbia.edu/~smb/talks/arp-attack.pdf

And flow telemetry, and so forth, yes.  With BCP deployment in terms of 
anti-ARP-spoofing and DCHP snooping/source guard, traceback becomes whole lot 
easier.

> Also don't forget privacy-enhanced addresses.

Yes, which have extremely negative opsec connotations in terms of complicating 
traceback.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Mikael Abrahamsson


On Sun, 27 Feb 2011, Steven Bellovin wrote:

I'm not saying there are no uses for DHCPv6, though I suspect that some 
of the reasons proposed are more people wanting to do things the way 
they always do, rather than making small changes and ending up with 
equivalent effort.  I am saying that security is not a strong argument.


Well, rest assurend that you have plenty of people disagreeing with you.

The again your views are shared by a lot of people for IPv4 as well, thus 
meaning it took until now before the IETF even hade a SAVI like working 
group to handle the security issues that has been around since forever but 
that was solved for IPv4 outside of IETF around 10 years ago but stil has 
no widespread implementation for IPv6 (but it's getting there).


--
Mikael Abrahamssonemail: swm...@swm.pp.se

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Jeff Wheeler

On Sun, Feb 27, 2011 at 5:16 PM, Ray Soucy  wrote:
> This seems to have upset at least one Apple engineer who dropped the
> NDA bomb on me; while he didn't confirm it was there, he did imply it,
> and it did make me have people give a second look. (I tried to get him
> to admit it but he's obviously been through Apple secret keeping
> training).

If work on DHCPv6 or other common tools are obscured by NDA, and thus
information is not available to potential customers, and IT
departments who must plan to support those customers, Apple is at
fault, not Ray or anyone else.

There is a lesson for Apple here.  Secrets are cool and there is often
a legitimate need to keep new features under wraps until you are
actually ready to ship them (competition, delays, whatever.)  Somehow,
I don't think Steve Jobs is going to give a presentation on DHCPv6,
and I doubt Apple's decision to ship it with their OS is going to
cause Microsoft or other "competitors" to .. do anything differently.

Obscuring some things behind NDA is good for business.  IPv6 matters
(specific to DHCPv6 or otherwise) are not among those things, and
Apple ought to take notice of this very discussion and make their
intentions and progress more public, so IT departments know what to
expect.

Secrecy is good for business, except when it's not.

-- 
Jeff S Wheeler 
Sr Network Operator  /  Innovative Network Concepts

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Steven Bellovin

On Feb 27, 2011, at 10:25 25AM, Dobbins, Roland wrote:

> 
> On Feb 27, 2011, at 10:22 PM, Mikael Abrahamsson wrote:
> 
>> Which is one of the reasons why some of us want DHCPv6 support in hosts.
> 
> Also for traceback when hunting down compromised/abusive hosts.
> 
You really need to look at switch logs for that, even with IPv4:
http://www.cs.columbia.edu/~smb/talks/arp-attack.pdf
Also don't forget privacy-enhanced addresses.

We all know that bad guys make up addresses whenever it suits their
needs.  (I'm part of an ongoing discussion about a currently-active
series of incidents, all relying on spoofed source addresses.)
DHCP logs or configurations are not going to help against the
folks we really care about.  For the ankle-biters -- well, SLAAC
is better in many ways, since the IP address itself tells you
the MAC address, which makes applying filters so much easier...

I'm not saying there are no uses for DHCPv6, though I suspect
that some of the reasons proposed are more people wanting to do
things the way they always do, rather than making small changes
and ending up with equivalent effort.  I am saying that security
is not a strong argument.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Mac OS X 10.7, still no DHCPv6


On Feb 27, 2011, at 3:41 PM, Tore Anderson wrote:

> * Owen DeLong
> 
>> On Feb 27, 2011, at 4:21 AM, Randy Bush wrote:
>> 
>>> NOC: are you running a macintosh?
>>> User: yes, how did you guess?
>>> NOC: because it is broken.  get vista.
>> 
>> While I'm as big a fan of IPv6 as anybody, I think in a comparison of
>> relative brokenness, Mac comes out quite favorably compared to
>> Vista in spite of their DHCPv6 deficiencies.
> 
> Absolutely not. Mac OS X does not do proper source address selection
> according to RFC 3484. That makes it do things like preferring the use
> of link-local IPv6 addresses when connecting to global dual-stacked
> destinations, which of course won't work - as a result a 75 second long
> timeout is incurred for every single outgoing TCP connection. Versions
> earlier than 10.6.5, still in use by a considerable amount of users,
> will also prefer the use of 6to4 to IPv4, again something which is
> causing lots of brokenness. (Windows ICS is responsible for causing lots
> of OS X hosts to have 6to4 addresses in the first place, though.)
> 
> OS X also has a bug that will make it interpret a router lifetime of 0
> in a RA as infinite, causing more troubles when found behind IPv6 CE
> routers using ULAs in compliance with I-D.ietf-v6ops-ipv6-cpe-router,
> one example of which is the AVM FritzBox as far as I understand.
> 
You're talking about IPv6-specific brokenness. I'm talking about overall
OS brokenness.

On IPv6, yes, Micr0$0ft actually (finally) got something mostly right.

On just about everything else... Windows... Nah, can't say I miss it at all.

Owen

Re: Mac OS X 10.7, still no DHCPv6

The documents are done, but, I would argue that neither provides a mature
set of features.

Yes, they've (sort of) resolved the DNS server issue for SLAAC, but, that's
recent and getting it into vendor support will be nice. The lack of NTP and
certain other options in SLAAC is still a disappointment and I would
argue that a fully matured SLAAC process would include a mechanism
for specifying extensible choices of things.

For DHCP, the lack of ability to deliver routing policies or recommendations
through DHCP is a roadblock for some deployments which is still in place
in the documents and should be fixed to produce a mature implementation.

Owen

On Feb 27, 2011, at 3:23 PM, Joel Jaeggli wrote:

> On 2/27/11 3:08 PM, Owen DeLong wrote:
>> Look, can we stop arguing about whether someone needs DHCP or not,
>> whether they need SLAAC or not. Let's just get both solutions to a mature
>> and useful state where a network administrator can pick the one that works
>> best for their environment and move on.
>> 
>> Devices, routers, OSs, etc. should support both. The IETF should stop letting
>> the two working groups focus on damaging the other protocol and we should
>> stop treating this as a competition or a battle and start treating it as 
>> options
>> to accomplish a task.
> 
> The documents are done at least for sufficient pieces to make it work.
> it's in the hands of vendors and has been for a while. The simple fact
> is that if you want to do it a particular way and you have an installed
> base that doesn't support doing it that way, then you're not doing it
> that way.
> 
>> Owen
>> 
>> On Feb 27, 2011, at 1:25 PM, Franck Martin wrote:
>> 
>>> Yes I don't understand why we need DHCPv6, true RD did not have DNS 
>>> information to pass, but that is fixed, no?
>>> 
>>> - Original Message -
>>> From: "Matthew Palmer" 
>>> To: nanog@nanog.org
>>> Sent: Sunday, 27 February, 2011 4:06:29 PM
>>> Subject: Re: Mac OS X 10.7, still no DHCPv6
>>> 
>>> On Sun, Feb 27, 2011 at 08:56:33AM -0500, Ray Soucy wrote:
>>>> Mac OS X 10.7 does support RDNSS (RFC 5001) so it is able to get DNS
>>>> server information in an IPv6-only environment.  Of course nobody else
>>>> has implemented that yet, making Apple a "special case" host once
>>>> again (I don't even think Cisco supports the option in their T series
>>>> yet).
>>> 
>>> radvd and rdnssd work together on Linux nicely to provide RDNSS support. 
>>> Works a treat.
>>> 
>>> - Matt
>>> 
>> 
>> 
>>

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Mark Andrews


In message <20110228013421.ga32...@ussenterprise.ufp.org>, Leo Bicknell writes:
> In a message written on Mon, Feb 28, 2011 at 09:39:24AM +1100, Mark Andrews=
>  wrote:
> > Have you *asked* your vendors for a alternate solution?
> >=20
> > DHCP kills privacy addresses.
> > DHCP kills CGAs.
> 
> Not true.
> 
> Some would like to use DHCPv6 to hand a host things like DNS servers,
> NTP servers, PXE boot information, domain name search paths, and
> the like.

And you can do most of that without requiring DHCP for addresses.
PXE boot may be the exception.

>  There's no reason once the host gets a DHCP address and
> that information it can't also generate and use a privacy address
> or CGA.

Except in the senarios being described they are also blocking the
other addresses.  I would also think setting the "M" bit would
prelude the host from generating such addresses as they are unmanaged.

> While this thread has focused on folks who want to use DHCPv6 to
> preclude these items by for instance having switches and routers
> filtered to only the "allowed" address (assigned via DHCP) there's
> no requirement a network operator do that.
> 
> DHCP has a couple of hundred defined options.  Vendors have tried
> adding ONE to the RA protocol (DNS servers) as replacement
> functionality.  That leaves them a few hundred options short, in
> my book.

Which is what the O bit was for.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Christopher Morrow

On Sun, Feb 27, 2011 at 4:25 PM, Franck Martin  wrote:
> Yes I don't understand why we need DHCPv6, true RD did not have DNS 
> information to pass, but that is fixed, no?
>

where's my tftp-boot image location?
 root nfs mount?
  pick lots of other features used in enterprises today...

to flip the coin the other way, what's the harm in dhcpv6? (different
strokes and all that)
-chris

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Leo Bicknell

In a message written on Mon, Feb 28, 2011 at 09:39:24AM +1100, Mark Andrews 
wrote:
> Have you *asked* your vendors for a alternate solution?
> 
> DHCP kills privacy addresses.
> DHCP kills CGAs.

Not true.

Some would like to use DHCPv6 to hand a host things like DNS servers,
NTP servers, PXE boot information, domain name search paths, and
the like.  There's no reason once the host gets a DHCP address and
that information it can't also generate and use a privacy address
or CGA.

While this thread has focused on folks who want to use DHCPv6 to
preclude these items by for instance having switches and routers
filtered to only the "allowed" address (assigned via DHCP) there's
no requirement a network operator do that.

DHCP has a couple of hundred defined options.  Vendors have tried
adding ONE to the RA protocol (DNS servers) as replacement
functionality.  That leaves them a few hundred options short, in
my book.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/

pgppR4vU5BWda.pgp
Description: PGP signature

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Ray Soucy

(I'm just waiting for Apple's lawyers to try an get names out of me...)

But yes, it does appear that Apple is addressing the issue:

8<
cat /etc/ip6addrctl.conf
# default policy table based on RFC 3484.
# usage: ip6addrctl install path_to_this_file
#
# $FreeBSD$
#
#Format:
#Prefix   Precedence Label
::1/128   50 0
::/0  40 1
2002::/16 30 2
::/96 20 3
:::0:0/96 10 4
8<

On Sun, Feb 27, 2011 at 6:41 PM, Tore Anderson
 wrote:
> * Owen DeLong
>
>> On Feb 27, 2011, at 4:21 AM, Randy Bush wrote:
>>
>>> NOC: are you running a macintosh?
>>> User: yes, how did you guess?
>>> NOC: because it is broken.  get vista.
>>
>> While I'm as big a fan of IPv6 as anybody, I think in a comparison of
>> relative brokenness, Mac comes out quite favorably compared to
>> Vista in spite of their DHCPv6 deficiencies.
>
> Absolutely not. Mac OS X does not do proper source address selection
> according to RFC 3484. That makes it do things like preferring the use
> of link-local IPv6 addresses when connecting to global dual-stacked
> destinations, which of course won't work - as a result a 75 second long
> timeout is incurred for every single outgoing TCP connection. Versions
> earlier than 10.6.5, still in use by a considerable amount of users,
> will also prefer the use of 6to4 to IPv4, again something which is
> causing lots of brokenness. (Windows ICS is responsible for causing lots
> of OS X hosts to have 6to4 addresses in the first place, though.)
>
> OS X also has a bug that will make it interpret a router lifetime of 0
> in a RA as infinite, causing more troubles when found behind IPv6 CE
> routers using ULAs in compliance with I-D.ietf-v6ops-ipv6-cpe-router,
> one example of which is the AVM FritzBox as far as I understand.
>
> See also:
>
> http://getipv6.info/index.php/Customer_problems_that_could_occur
> http://fud.no/ipv6/snapshot-20101221/gnuplot/noosx-t10-historic.png
>
> My guess is that about 70-80% of the users calling Randy and others to
> report problems on «World IPv6 Day» will be running Mac OS X.
>
> Ray: Do you know if RFC 3484 has been implemented in OS X 10.7?
>
> --
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com/
> Tel: +47 21 54 41 27
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

World IPv6 Day (was: Mac OS X 10.7, still no DHCPv6)

2011-02-27 Thread Randy Bush

Me:
>>> NOC: are you running a macintosh?
>>> User: yes, how did you guess?
>>> NOC: because it is broken.  get vista.

btw, i run macosx 10.6.6

Some Clueless Mac Fanchild:
>> While I'm as big a fan of IPv6 as anybody, I think in a comparison of
>> relative brokenness, Mac comes out quite favorably compared to Vista
>> in spite of their DHCPv6 deficiencies.

Tore:
> Absolutely not. Mac OS X does not do proper source address selection
> according to RFC 3484. That makes it do things like preferring the use
> of link-local IPv6 addresses when connecting to global dual-stacked
> destinations, which of course won't work - as a result a 75 second
> long timeout is incurred for every single outgoing TCP connection.

i have hope for lion, and maybe even a patch for 10.6.  this stuff just
has to be fixed before world ipv6 day.

> My guess is that about 70-80% of the users calling Randy and others to
> report problems on «World IPv6 Day» will be running Mac OS X.

sad to say, probably not.  the biggest problem here in japan is ntt [0].
they provide no global v6 [1], but an ipv6 walled garden against which
users will bang heads when they get a quad-a.  they own the last km,
provide the cpe, and own the government.  so we have to use them for
transport.  our customers will hit their broken implementation and call
us.  sweet!

the isps, in cooperation with ntt, are trying to sort this problem
before it occurs.  but it is not pretty and there is no good solution.

randy

---

[0] - not the ntt which provides layers three and above, and even ipv6
  in the states and much of asia except japan.  this is ntt the
  telco semi-monopoly local bearer provider in japan and their ngn
  implementation.

[1] - apocrypha of japan being ipv6 rich are utter bs.

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Tore Anderson

* Owen DeLong

> On Feb 27, 2011, at 4:21 AM, Randy Bush wrote:
> 
>> NOC: are you running a macintosh?
>> User: yes, how did you guess?
>> NOC: because it is broken.  get vista.
> 
> While I'm as big a fan of IPv6 as anybody, I think in a comparison of
> relative brokenness, Mac comes out quite favorably compared to
> Vista in spite of their DHCPv6 deficiencies.

Absolutely not. Mac OS X does not do proper source address selection
according to RFC 3484. That makes it do things like preferring the use
of link-local IPv6 addresses when connecting to global dual-stacked
destinations, which of course won't work - as a result a 75 second long
timeout is incurred for every single outgoing TCP connection. Versions
earlier than 10.6.5, still in use by a considerable amount of users,
will also prefer the use of 6to4 to IPv4, again something which is
causing lots of brokenness. (Windows ICS is responsible for causing lots
of OS X hosts to have 6to4 addresses in the first place, though.)

OS X also has a bug that will make it interpret a router lifetime of 0
in a RA as infinite, causing more troubles when found behind IPv6 CE
routers using ULAs in compliance with I-D.ietf-v6ops-ipv6-cpe-router,
one example of which is the AVM FritzBox as far as I understand.

See also:

http://getipv6.info/index.php/Customer_problems_that_could_occur
http://fud.no/ipv6/snapshot-20101221/gnuplot/noosx-t10-historic.png

My guess is that about 70-80% of the users calling Randy and others to
report problems on «World IPv6 Day» will be running Mac OS X.

Ray: Do you know if RFC 3484 has been implemented in OS X 10.7?

-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Mark Andrews


In message , Owen DeLong 
writes:
> 
> On Feb 27, 2011, at 2:39 PM, Mark Andrews wrote:
> 
> >=20
> > In message <20110227204511.gm27...@virtual.bogons.net>, Simon Lockhart =
> writes:
> >> On Mon Feb 28, 2011 at 07:22:08AM +1100, Mark Andrews wrote:
>  This is often required for legislation compliance. DHCP does this =
> well.
> >>>=20
> >>> Does it really matter what address a customer has as long as it =
> comes from
> >>> the /64, /56 or /48 assigned to them?
> >>=20
> >> You are assuming an access technology that lends itself to =
> subnet-per-custome
> >> r.
> >>=20
> >> I run a network with 50,000+ end users using ethernet-based access to =
> the
> >> user's room. In IPv4, I run 1 or more subnets per building (depending =
> on the=20
> >> number of rooms in the build). I use DHCP to assign IPs, and record =
> the=20
> >> DHCP assignments allow me to trace users in the event of abuse =
> complaints. I
> >> use DHCP Option82 to allow me to correlate multiple devices in a =
> user's room.
> >> I feed the DHCP information into my bandwidth management platform to =
> enforce
> >> different levels (i.e. speeds) of service per user depending on what =
> they've
> >> purchased.
> >>=20
> >> I have yet to come up with a viable solution to do all of the above =
> in IPv6
> >> without using DHCPv6. At the moment, that means that OSX users are =
> not going
> >> to get IPv6.
> >=20
> > Have you *asked* your vendors for a alternate solution?
> >=20
> > DHCP kills privacy addresses.
> 
> In many environments, this is a feature, not a bug.
> 
> > DHCP kills CGAs.
> >=20
> In many environments, this is a feature, not a bug.
> 
> I would, in fact, posit that some of the people complaining about the =
> lack of
> DHCP are doing so precisely because of a desire to kill these things in =
> their
> environment.
> 
> Owen

Sure there are some envionments where it is a feature.  But in many
you really don't care what address the machine gets.  You are
actually looking for to tie the address(mac) to a accounting record
and DHCP is the only currently available solution and rather than
look for a better solution DHCP is being used.

One could have the machine generate its own addresses and register
them using DHCP.  You get the accounting without throwing out the
ability to do things like privacy addresses and CGA.  The DHCP
server can also prevent the machine using a reserved address for
the few things on the net that need it.  You also get IPv6 reverse
maintenance thrown in for free.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Doug Barton


On 02/27/2011 15:08, Owen DeLong wrote:

Look, can we stop arguing about whether someone needs DHCP or not,
whether they need SLAAC or not. Let's just get both solutions to a mature
and useful state where a network administrator can pick the one that works
best for their environment and move on.


Speaking as an OS implementor, no, please don't do that. :)  Let SLAAC 
be what it is, and give DHCPv6 feature parity with DHCPv4. Having all 
options supported in both methods is N-squared complexity for OS 
developers, never mind how difficult it's going to make actually using 
the stuff.



Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Joel Jaeggli

On 2/27/11 3:17 PM, Owen DeLong wrote:
> 
> On Feb 27, 2011, at 2:39 PM, Mark Andrews wrote:
> 
>>
>> In message <20110227204511.gm27...@virtual.bogons.net>, Simon Lockhart 
>> writes:
>>> On Mon Feb 28, 2011 at 07:22:08AM +1100, Mark Andrews wrote:
> This is often required for legislation compliance. DHCP does this well.

 Does it really matter what address a customer has as long as it comes from
 the /64, /56 or /48 assigned to them?
>>>
>>> You are assuming an access technology that lends itself to 
>>> subnet-per-custome
>>> r.
>>>
>>> I run a network with 50,000+ end users using ethernet-based access to the
>>> user's room. In IPv4, I run 1 or more subnets per building (depending on 
>>> the 
>>> number of rooms in the build). I use DHCP to assign IPs, and record the 
>>> DHCP assignments allow me to trace users in the event of abuse complaints. I
>>> use DHCP Option82 to allow me to correlate multiple devices in a user's 
>>> room.
>>> I feed the DHCP information into my bandwidth management platform to enforce
>>> different levels (i.e. speeds) of service per user depending on what they've
>>> purchased.
>>>
>>> I have yet to come up with a viable solution to do all of the above in IPv6
>>> without using DHCPv6. At the moment, that means that OSX users are not going
>>> to get IPv6.
>>
>> Have you *asked* your vendors for a alternate solution?
>>
>> DHCP kills privacy addresses.
> 
> In many environments, this is a feature, not a bug.
> 
>> DHCP kills CGAs.
>>
> In many environments, this is a feature, not a bug.
> 
> I would, in fact, posit that some of the people complaining about the lack of
> DHCP are doing so precisely because of a desire to kill these things in their
> environment.

which is fine they just have to kill of their legacy software
deployments while they're at it.

> Owen
> 
> 
>

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Joel Jaeggli

On 2/27/11 3:08 PM, Owen DeLong wrote:
> Look, can we stop arguing about whether someone needs DHCP or not,
> whether they need SLAAC or not. Let's just get both solutions to a mature
> and useful state where a network administrator can pick the one that works
> best for their environment and move on.
> 
> Devices, routers, OSs, etc. should support both. The IETF should stop letting
> the two working groups focus on damaging the other protocol and we should
> stop treating this as a competition or a battle and start treating it as 
> options
> to accomplish a task.

The documents are done at least for sufficient pieces to make it work.
it's in the hands of vendors and has been for a while. The simple fact
is that if you want to do it a particular way and you have an installed
base that doesn't support doing it that way, then you're not doing it
that way.

> Owen
> 
> On Feb 27, 2011, at 1:25 PM, Franck Martin wrote:
> 
>> Yes I don't understand why we need DHCPv6, true RD did not have DNS 
>> information to pass, but that is fixed, no?
>>
>> - Original Message -
>> From: "Matthew Palmer" 
>> To: nanog@nanog.org
>> Sent: Sunday, 27 February, 2011 4:06:29 PM
>> Subject: Re: Mac OS X 10.7, still no DHCPv6
>>
>> On Sun, Feb 27, 2011 at 08:56:33AM -0500, Ray Soucy wrote:
>>> Mac OS X 10.7 does support RDNSS (RFC 5001) so it is able to get DNS
>>> server information in an IPv6-only environment.  Of course nobody else
>>> has implemented that yet, making Apple a "special case" host once
>>> again (I don't even think Cisco supports the option in their T series
>>> yet).
>>
>> radvd and rdnssd work together on Linux nicely to provide RDNSS support. 
>> Works a treat.
>>
>> - Matt
>>
> 
> 
>

Re: Mac OS X 10.7, still no DHCPv6


On Feb 27, 2011, at 2:39 PM, Mark Andrews wrote:

> 
> In message <20110227204511.gm27...@virtual.bogons.net>, Simon Lockhart writes:
>> On Mon Feb 28, 2011 at 07:22:08AM +1100, Mark Andrews wrote:
 This is often required for legislation compliance. DHCP does this well.
>>> 
>>> Does it really matter what address a customer has as long as it comes from
>>> the /64, /56 or /48 assigned to them?
>> 
>> You are assuming an access technology that lends itself to subnet-per-custome
>> r.
>> 
>> I run a network with 50,000+ end users using ethernet-based access to the
>> user's room. In IPv4, I run 1 or more subnets per building (depending on the 
>> number of rooms in the build). I use DHCP to assign IPs, and record the 
>> DHCP assignments allow me to trace users in the event of abuse complaints. I
>> use DHCP Option82 to allow me to correlate multiple devices in a user's room.
>> I feed the DHCP information into my bandwidth management platform to enforce
>> different levels (i.e. speeds) of service per user depending on what they've
>> purchased.
>> 
>> I have yet to come up with a viable solution to do all of the above in IPv6
>> without using DHCPv6. At the moment, that means that OSX users are not going
>> to get IPv6.
> 
> Have you *asked* your vendors for a alternate solution?
> 
> DHCP kills privacy addresses.

In many environments, this is a feature, not a bug.

> DHCP kills CGAs.
> 
In many environments, this is a feature, not a bug.

I would, in fact, posit that some of the people complaining about the lack of
DHCP are doing so precisely because of a desire to kill these things in their
environment.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Doug Barton


On 02/27/2011 14:39, Mark Andrews wrote:

DHCP kills privacy addresses.
DHCP kills CGAs.


In some environments that's a feature. :)

Also, I think people forget the original motivation behind privacy 
addresses. If you use RA/SLAAC on every different network that you use 
IPv6 (say, with your laptop) then the bottom 64 bits are always going to 
be the same. The theory was that this could provide a way to track the 
same user across multiple networks, thus the desire to have the ability 
to generate host identifiers that are "unique-but-temporary."


If you're on your home network (where the network prefix is always going 
to be the same) privacy addresses have limited (although non-zero) 
utility. If you're at work you're subject to the policies there, and if 
they say "dhcpv6 + no privacy addresses" then that's that.



hth,

Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

Re: Mac OS X 10.7, still no DHCPv6

Look, can we stop arguing about whether someone needs DHCP or not,
whether they need SLAAC or not. Let's just get both solutions to a mature
and useful state where a network administrator can pick the one that works
best for their environment and move on.

Devices, routers, OSs, etc. should support both. The IETF should stop letting
the two working groups focus on damaging the other protocol and we should
stop treating this as a competition or a battle and start treating it as options
to accomplish a task.

Owen

On Feb 27, 2011, at 1:25 PM, Franck Martin wrote:

> Yes I don't understand why we need DHCPv6, true RD did not have DNS 
> information to pass, but that is fixed, no?
> 
> - Original Message -
> From: "Matthew Palmer" 
> To: nanog@nanog.org
> Sent: Sunday, 27 February, 2011 4:06:29 PM
> Subject: Re: Mac OS X 10.7, still no DHCPv6
> 
> On Sun, Feb 27, 2011 at 08:56:33AM -0500, Ray Soucy wrote:
>> Mac OS X 10.7 does support RDNSS (RFC 5001) so it is able to get DNS
>> server information in an IPv6-only environment.  Of course nobody else
>> has implemented that yet, making Apple a "special case" host once
>> again (I don't even think Cisco supports the option in their T series
>> yet).
> 
> radvd and rdnssd work together on Linux nicely to provide RDNSS support. 
> Works a treat.
> 
> - Matt
>

Re: Mac OS X 10.7, still no DHCPv6

But the ND messages don't tell you anything other than the Mac
address about which host it actually is. In theory, at least, snooping
the DHCP messages might include a hostname or some other
useful identifier.

Owen

On Feb 27, 2011, at 11:53 AM, Richard Barnes wrote:

> In fairness, said device can do the same sort of inspection of SLAAC
> traffic.  It just looks at neighbor discovery messages instead of DHCP
> messages.
> 
> 
> 
> 
> On Sun, Feb 27, 2011 at 2:17 PM, Leigh Porter
>  wrote:
>> 
>> 
>> On 27 Feb 2011, at 19:07, Antonio Querubin wrote:
>> 
>>> On Sun, 27 Feb 2011, Mikael Abrahamsson wrote:
>>> 
 On Sun, 27 Feb 2011, Leigh Porter wrote:
 
> Does anybody have anything neat to keep logs of what host gets what ipv6 
> address in an SLAAC environment?
 
 You'd have to correlate ND information in the router to some kind of 
 record of who has what MAC address at any given time. With SLAAC the host 
 doesn't "get" an IPv6 address, it "takes" one.
 
> This is often required for legislation compliance. DHCP does this well.
 
 Which is one of the reasons why some of us want DHCPv6 support in hosts.
>>> 
>>> So how does DHCP prevent a host from just taking or hijacking an IP address?
>>> 
>>> Antonio Querubin
>>> e-mail/xmpp:  t...@lava.net
>>> 
>> 
>> You can have devices that peek at the DHCP messages and then open filters so 
>> that you at least know that any host that pops up on the network has used 
>> DHCP to obtain an IP address.
>> 
>> Now you cannot usually prevent somebody from later hijacking that IP address 
>> using a fake MAC unless you do something else as well but at least you have 
>> something of a statefull relationship between an host and the IP address it 
>> uses.
>> 
>> 
>> --
>> Leigh Porter
>>

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Ray Soucy

You can write script to poll routers for IPv6 neighbors, and store
those in a database.  That will get you the IPv6 to MAC association.
Then poll L2 devices for MAC address tables for the MAC to port
association.

We've had such a system in place for a few years now to map addresses
to ports, etc., it also checks for rogue RA.  It's messy (and I don't
like the extra load it causes on routers).

If we had things like DHCPv6 snooping, RA guard (which you can
implement with PACLs), and IPv6 source verification we wouldn't need
it.

Thankfully most of these are all in the pipeline.

On Sun, Feb 27, 2011 at 5:32 PM, Karl Auer  wrote:
> On Sun, 2011-02-27 at 14:47 +, Leigh Porter wrote:
>> Does anybody have anything neat to keep logs of what host gets what
>> ipv6 address in an SLAAC environment?
>
> How do you define "what host"? If it's by MAC address (and you are not
> using temporary, cryptographic or random addresses), then the MAC is in
> the address the host ends up using.
>
> Also, as someone else said, hosts don't "get" addresses via SLAAC - they
> generate them. That means that while you may be able to predict what
> they *will* use, you would need to snoop NDP to find out what they *are*
> using, and even more so for temporary, cryptographic and random
> addresses.
>
> I have no experience of anything that actually does this, but it would
> be fairly simple to do. NDP will end up snooped in routers and switches
> for lots of reasons, so expect to see such features in real kit pretty
> soon. Make sure you let your vendor know what you want/need...
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
> http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)
>
> GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
> Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Mark Andrews


In message <20110227204511.gm27...@virtual.bogons.net>, Simon Lockhart writes:
> On Mon Feb 28, 2011 at 07:22:08AM +1100, Mark Andrews wrote:
> > > This is often required for legislation compliance. DHCP does this well.
> > 
> > Does it really matter what address a customer has as long as it comes from
> > the /64, /56 or /48 assigned to them?
> 
> You are assuming an access technology that lends itself to subnet-per-custome
> r.
> 
> I run a network with 50,000+ end users using ethernet-based access to the
> user's room. In IPv4, I run 1 or more subnets per building (depending on the 
> number of rooms in the build). I use DHCP to assign IPs, and record the 
> DHCP assignments allow me to trace users in the event of abuse complaints. I
> use DHCP Option82 to allow me to correlate multiple devices in a user's room.
> I feed the DHCP information into my bandwidth management platform to enforce
> different levels (i.e. speeds) of service per user depending on what they've
> purchased.
> 
> I have yet to come up with a viable solution to do all of the above in IPv6
> without using DHCPv6. At the moment, that means that OSX users are not going
> to get IPv6.

Have you *asked* your vendors for a alternate solution?

DHCP kills privacy addresses.
DHCP kills CGAs.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

RE: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread George Bonser



> From: Leigh Porter 
> Sent: Sunday, February 27, 2011 6:48 AM
> To: Chuck Anderson
> Cc: nanog@nanog.org; I2 IPv6 working group
> Subject: Re: Mac OS X 10.7, still no DHCPv6
> 
> 
> 
> Does anybody have anything neat to keep logs of what host gets what
> ipv6 address in an SLAAC environment?
> 
> This is often required for legislation compliance. DHCP does this
well.
> 
> --
> Leigh Porter

Do the hosts register themselves in DNS?  You might be able to look at
your DNS logs.

Re: Mac OS X 10.7, still no DHCPv6


On Feb 27, 2011, at 4:21 AM, Randy Bush wrote:

>>> You're going to have to perform stateless autconfiguration in ipv6
>>> and provide an ipv4 nameserver at the very minimum for a long time
>> apple is gonna look very very st00pid on world ipv6 day.  and a bunch
>> of folk are considering not turning things off after that day.
> 
> on second thought, guess where the support calls are gonna go.  our
> customer support lines, because we deliver zipless ipv6.
> 
> NOC: are you running a macintosh?
> User: yes, how did you guess?
> NOC: because it is broken.  get vista.
> 
> randy

While I'm as big a fan of IPv6 as anybody, I think in a comparison of
relative brokenness, Mac comes out quite favorably compared to
Vista in spite of their DHCPv6 deficiencies.

Owen

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Antonio Querubin


On Mon, 28 Feb 2011, Karl Auer wrote:


Well - that draft very recently (i.e., only a few months, if that)
became standards track, so it'll be a while before it's built into
everything as a matter of course, but yes, it's "fixed". RFC 6109.

  ^
Maybe you mean RFC 6106?

Antonio Querubin
e-mail/xmpp:  t...@lava.net

Re: Mac OS X 10.7, still no DHCPv6

On Sun, 2011-02-27 at 14:47 +, Leigh Porter wrote:
> Does anybody have anything neat to keep logs of what host gets what
> ipv6 address in an SLAAC environment?

How do you define "what host"? If it's by MAC address (and you are not
using temporary, cryptographic or random addresses), then the MAC is in
the address the host ends up using.

Also, as someone else said, hosts don't "get" addresses via SLAAC - they
generate them. That means that while you may be able to predict what
they *will* use, you would need to snoop NDP to find out what they *are*
using, and even more so for temporary, cryptographic and random
addresses.

I have no experience of anything that actually does this, but it would
be fairly simple to do. NDP will end up snooped in routers and switches
for lots of reasons, so expect to see such features in real kit pretty
soon. Make sure you let your vendor know what you want/need...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156

signature.asc
Description: This is a digitally signed message part

Re: Mac OS X 10.7, still no DHCPv6