Re: Link-local and ACLs

2017-07-26 Thread Nick Hilliard
Brian E Carpenter wrote:
> On 25/07/2017 19:07, Gert Doering wrote:
> > So, to stay with Tore's example, if you want to make NDP work on an IXP,
> > you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> > up needing quite a number of lines to cover all cases
> 
> Fair enough. IXPs are a bit of a special case, though.

sorta and sorta not.  An ACL appropriate for an IXP would provide a
template to cover pretty much most use cases, which would then be
directly relevant to other specific cases like having a point-to-point
connection between router A and router B and so forth.

Nick


Re: Link-local and ACLs

2017-07-26 Thread Gert Doering
Hi,

On Wed, Jul 26, 2017 at 08:48:43AM +1200, Brian E Carpenter wrote:
> >> And why would ACLs be relevant for on-link traffic?
> > 
> > Interface ACLs are relevant for all packets leaving or entering an
> > interface, generally...
> 
> Yes, but why are they relevant except for routers? I didn't see
> anything in the original message that limited its scope to routers.
> Most nodes aren't routers. I don't expect to see ACLs on normal
> hosts.

All my hosts that are in some way Internet exposed have ACLs of
some sort - call it "Windows firewall" or "FreeBSD pf(4)".

Usually these implicitly understand what is needed to make ND work,
but I've heard more than once about cases where Linux people blocked
"everything on input except tcp/80" with ip6tables, killing ND in the 
process -> bam, machine fell off the net, IPv6 gone.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279


Re: Link-local and ACLs

2017-07-26 Thread S.P.Zeidler
Hi,

Thus wrote David Farmer (far...@umn.edu):

> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
> 
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practice does this really happen? If it does
> happen in practice, what are the circumstances?

a) be logged in to a system only having a link-local address
b) access a service you know to be on-link by DNS name

I expect that to work. I'm not sure what you win by preventing it from
working.

I usually try to have "same link, same administration", so we may have
differing expectations on the trustworthiness of what is reachable via
link-local. Also, "if it doesn't have a routable address its attack
surface is drastically smaller".

regards,
spz
-- 
s...@serpens.de (S.P.Zeidler)


Re: Link-local and ACLs

2017-07-25 Thread Brian E Carpenter
On 25/07/2017 19:07, Gert Doering wrote:
> Hi,
> 
> On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
>> Why would you ever do it for normal traffic? 
> 
> I'm not sure that was a question asked in this thread :-)
> 
>> And why would ACLs be relevant for on-link traffic?
> 
> Interface ACLs are relevant for all packets leaving or entering an
> interface, generally...

Yes, but why are they relevant except for routers? I didn't see
anything in the original message that limited its scope to routers.
Most nodes aren't routers. I don't expect to see ACLs on normal
hosts.

> So, to stay with Tore's example, if you want to make NDP work on an IXP,
> you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> up needing quite a number of lines to cover all cases

Fair enough. IXPs are a bit of a special case, though.

   Brian

> 
> #sh access-lists ipv6 internet-ipv6-in | inc icmp
>  20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
>  30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
>  40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
>  50 permit icmpv6 any ff02::/64 135 0
>  60 permit icmpv6 fe80::/64 fe80::/64 135 0
>  70 permit icmpv6 any fe80::/64 135 0
>  80 permit icmpv6 any fe80::/64 136 0
>  90 permit icmpv6 any host ff02::1 136 0
>  100 deny icmpv6 any any 135 log
>  110 deny icmpv6 any any 136 log
> 
> (Example for DECIX which uses 2001:7f8::/64 on-link)
> 
> Gert Doering
> -- NetMaster
> 


Re: Link-local and ACLs

2017-07-24 Thread Brian E Carpenter
On 25/07/2017 09:10, Tore Anderson wrote:
> * Brian E Carpenter
> 
>> So, I'm not aware of any realistic case where this happens, or any
>> reason for it.
> 
> As Gert already pointed out: Neighbour Discovery.

Well yes, like ARP. But that's the exception that proves the
rule - you do it when that is really what you mean *and*
the target address is within an on-link prefix.

I can do it too, even from Windows:

ping -n 100 -S fe80::c0de:dead:beef:768e%11 2001:df0:0:2006:c0de:beef:dead:be83

Those addresses are obfuscated, but you get the idea, and
I see the ICMPv6 packets with Wireshark, but get no replies.

Why would you ever do it for normal traffic? And why
would ACLs be relevant for on-link traffic?

   Brian

> 
> A few examples from an IX near me:
> 
> 23:06:11.020045  In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: 
> ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:11.563763  In IP6 fe80::aa0c:dff:fe71:5768 > 2001:7f8:12:1::3:9029: 
> ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:29.958824  In IP6 fe80::92e2:baff:fe3f:7665 > 2001:7f8:12:1::3:9029: 
> ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:34.239488  In IP6 fe80::523d:e5ff:fe89:4ec4 > 2001:7f8:12:1::3:9029: 
> ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:45.177659  In IP6 fe80::2c1:64ff:fe60:380 > 2001:7f8:12:1::3:9029: 
> ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 
> Tore
> .
> 


Re: Link-local and ACLs

2017-07-24 Thread Tore Anderson
* Brian E Carpenter

> So, I'm not aware of any realistic case where this happens, or any
> reason for it.

As Gert already pointed out: Neighbour Discovery.

A few examples from an IX near me:

23:06:11.020045  In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: 
ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:11.563763  In IP6 fe80::aa0c:dff:fe71:5768 > 2001:7f8:12:1::3:9029: 
ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:29.958824  In IP6 fe80::92e2:baff:fe3f:7665 > 2001:7f8:12:1::3:9029: 
ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:34.239488  In IP6 fe80::523d:e5ff:fe89:4ec4 > 2001:7f8:12:1::3:9029: 
ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:45.177659  In IP6 fe80::2c1:64ff:fe60:380 > 2001:7f8:12:1::3:9029: 
ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32

Tore
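An added example (my own, not code from the thread) that replays one of Tore's capture lines above against the DE-CIX ACL Gert posted further up the thread: it parses the tcpdump summary, walks the ICMPv6 rules in order including the `ttl eq 255` condition, and shows that the ACL as posted only permits fe80 -> GUA neighbor solicitations for the 2001:7f8::/64 peering LAN, so it must be rebased to the local IX prefix (2001:7f8:12:1::/64 for Tore's capture) before it is useful elsewhere. The hop limit is assumed to be 255 because tcpdump's one-line summary does not show it.

```python
import ipaddress
import re

# Gert's ICMPv6 ACL lines for DE-CIX (2001:7f8::/64 on-link), as posted in the
# thread: (seq, action, source, destination, ICMPv6 type, hop limit must be 255).
# "any" is written as ::/0 and "host ff02::1" as ff02::1/128.
DECIX_ACL = [
    (20, "permit", "fe80::/64", "2001:7f8::/64", 135, False),
    (30, "permit", "2001:7f8::/64", "2001:7f8::/64", 135, True),
    (40, "permit", "2001:7f8::/64", "2001:7f8::/64", 136, True),
    (50, "permit", "::/0", "ff02::/64", 135, False),
    (60, "permit", "fe80::/64", "fe80::/64", 135, False),
    (70, "permit", "::/0", "fe80::/64", 135, False),
    (80, "permit", "::/0", "fe80::/64", 136, False),
    (90, "permit", "::/0", "ff02::1/128", 136, False),
    (100, "deny", "::/0", "::/0", 135, False),
    (110, "deny", "::/0", "::/0", 136, False),
]

def evaluate(acl, src, dst, icmp_type, hop_limit=255):
    """First match wins; (None, 'deny') is the implicit deny at the end."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for seq, action, sp, dp, typ, need255 in acl:
        if typ != icmp_type or (need255 and hop_limit != 255):
            continue
        if s in ipaddress.IPv6Network(sp) and d in ipaddress.IPv6Network(dp):
            return seq, action
    return None, "deny"

def rebase(acl, onlink):
    """Same rules with the DE-CIX peering-LAN prefix swapped for another IX's."""
    sub = lambda p: onlink if p == "2001:7f8::/64" else p
    return [(q, a, sub(sp), sub(dp), t, h) for q, a, sp, dp, t, h in acl]

# tcpdump's one-line ND summary carries no hop limit, so callers assume 255,
# which RFC 4861 requires for a valid NS/NA anyway.
ND_RE = re.compile(r"IP6 (\S+) > (\S+): ICMP6, neighbor (solicitation|advertisement)")

def nd_from_tcpdump(line):
    """Returns (src, dst, icmp_type) for an NS/NA summary line, else None."""
    m = ND_RE.search(line)
    if not m:
        return None
    src, dst, kind = m.groups()
    return src, dst, (135 if kind == "solicitation" else 136)

# One of Tore's capture lines from the thread, rejoined onto a single line.
TORE_NS = ("23:06:11.020045  In IP6 fe80::8678:acff:fe66:80db > "
           "2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, "
           "who has 2001:7f8:12:1::3:9029, length 32")
```

Running `evaluate(DECIX_ACL, *nd_from_tcpdump(TORE_NS))` hits line 100 (deny), while the same packet against `rebase(DECIX_ACL, "2001:7f8:12:1::/64")` is permitted by line 20.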


Re: Link-local and ACLs

2017-07-24 Thread Gert Doering
Hi,

On Mon, Jul 24, 2017 at 08:56:41PM +0100, Nick Hilliard wrote:
> Gert Doering wrote:
> > "on the same link"?
> 
> return traffic.  Not much good in having unidirectional data flow.

Even return traffic "on the same link" shouldn't be subject to "packets
with fe80 sources MUST NOT be routed"...

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?



Re: Link-local and ACLs

2017-07-24 Thread Nick Hilliard
Gert Doering wrote:
> "on the same link"?

return traffic.  Not much good in having unidirectional data flow.

Nick


Re: Link-local and ACLs

2017-07-24 Thread Theodore Baschak
On Mon, Jul 24, 2017 at 12:46 PM, David Farmer  wrote:

> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practice does this really happen? If it does
> happen in practice, what are the circumstances?
>
> Thanks
>
> --
> ===
> David Farmer                     Email: far...@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE           Phone: 612-626-0815
> Minneapolis, MN 55414-3029       Cell: 612-812-9952
> ===
>


Not quite 100% related, but I had an upstream provider put an artisanal
handcrafted IPv6 BCP38 ACL that didn't allow link-locals to talk to the
multicast range (or to the GUA on-link address possibly) on a port, and it
caused problems after a reboot I believe only. Things were able to keep
working for quite a while if I recall.


Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/


Re: Link-local and ACLs

2017-07-24 Thread Daniel Roesen
On Mon, Jul 24, 2017 at 05:51:37PM +, Goddess: Primal Chaos wrote:
> ### Do not reply below this line ###
> 
> -
> Goddess: Primal Chaos | July 24, 2017 | 18:51 +0100
> -
> 
> Dear player, 

This has been remedied. You should see no further auto-replies from
them.


Best regards,
Daniel (list admin)



Re: Link-local and ACLs

2017-07-24 Thread Gert Doering
Hi,

On Mon, Jul 24, 2017 at 06:50:57PM +0100, Nick Hilliard wrote:
> David Farmer wrote:
> > Also, in theory a link-local address could talk to a GUA or ULA address
> > on the same link. However, in practice does this really happen? If it
> > does happen in practice, what are the circumstances?
> 
> will that packet not be dropped because a LL ipv6 packet won't be
> routed? (MUST NOT in whatever rfc).

"on the same link"?

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?



Re: Link-local and ACLs

2017-07-24 Thread Goddess: Primal Chaos
### Do not reply below this line ###

-
Goddess: Primal Chaos | July 24, 2017 | 18:51 +0100
-

Dear player, 


Re: Link-local and ACLs

2017-07-24 Thread Nick Hilliard
David Farmer wrote:
> Also, in theory a link-local address could talk to a GUA or ULA address
> on the same link. However, in practice does this really happen? If it
> does happen in practice, what are the circumstances?

will that packet not be dropped because a LL ipv6 packet won't be
routed? (MUST NOT in whatever rfc).

Nick