Re: IPv6 Security [Was: Re: misunderstanding scale]
On Mar 26, 2014, at 4:25 PM, Luke S. Crawford l...@prgmr.com wrote:

> On 03/26/2014 03:49 PM, Matt Palmer wrote:
>> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
>>> There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters.
>>
>> Your what-now? You do realise SLAAC works entirely within a single /64, which shouldn't be difficult to decide is either routable or not in one hit, right?
>
> If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way. But it's quite a bit more complex than my current setup.
>
> The way I'm setup now, I've got an IPv4 address block on a vlan, and an IPv6/64 on the same vlan. I have many customers on that vlan. Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. (if the customer wants more IPv6, we just route a /64 to the /128 they are allowed.) There are firewall rules that only allow appropriate packets in and out of the interface. These rules are important for privacy as well as preventing spoofing; they prevent sniffing of most traffic bound for other guests.

Why not just use private VLAN layer 2 controls for the privacy you describe?

Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.

Owen
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Mar 26, 2014, at 5:50 PM, Chuck Anderson c...@wpi.edu wrote:

> On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:
>> On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote:
>>> My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
>>
>> You're right. DHCPv6 is more robust than DHCPv4. At least those of us in the enterprise space appreciate a client identifier that doesn't change when the hardware changes.
>
> No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability.
>
> Worse yet, DHCPv6 has created a scenario where a client's IPv4 connectivity and IPv6 connectivity break under /different/ scenarios, causing difficult-to-troubleshoot half-connectivity issues when either the hardware is replaced or the software is reloaded.

Any client whose DUID changes on software re-install has a very poor choice of default DUID and should be configurable for a better choice of DUID. That is not DHCPv6’s fault. DHCPv6 is perfectly capable of behaving as you wish.

Blaming the protocol for poor implementation choices by your (or your client’s) vendors is a little odd in my opinion.

Owen
Re: misunderstanding scale
On Thu, Mar 27, 2014 at 6:17 AM, Owen DeLong o...@delong.com wrote:

>> It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.
>
> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat. Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes.

That's why I believe having varying levels of granularity is the best trade off between cache friendliness, administrative effort and implementation complexity, independent on whether it's default deny or default accept.

We either need to solve (or reduce the impact of) the DNS cache issue or we need to solve the fixed-range issue. Or IP-based reputation as we know it today is more or less dropped from the anti-spam toolset when it comes to IPv6.

-- 
Matthias
Re: misunderstanding scale
On 2014-03-26, Owen DeLong o...@delong.com sent:

> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat. Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes. After all, if you start blocking a /64, what if it’s a /64 shared by thousands of hosting customers at one provider offering virtuals?

It was brought to my attention in a parallel thread on Mailop that such a mechanism does exist for allowing ISP to hint about the size of customer allocations, at least in the RIPE database: http://www.ripe.net/ripe/docs/ripe-513

So how do we make this universal and get ISPs to use it? If we know customer sizes, it becomes much easier to do reputation on a per-customer basis, which is probably granular enough for a lot of cases.

-- 
Chip Marshall c...@2bithacker.net http://2bithacker.net/
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 03/26/2014 11:14 PM, Owen DeLong wrote:

> Why not just use private VLAN layer 2 controls for the privacy you describe?

The technology I know of is what cisco calls 'protected ports' - My understanding is that those simply mean you can't pass traffic to or from other 'protected ports' - I use that capability when, say, putting a bunch of IPMIs on a private network, it works great, as if one of the IPMI ports is trying to talk to another, something is very wrong and it gets blocked.

They are commonly used in the dedicated server hosting world to do what you are describing, but they have a big downside when being used on the public side; customer 1 can't talk to customer 2. Now, this isn't usually a big deal, except in one very common case; what if one entity buys two hosts? now those two hosts can't talk to one another. This is a very common problem for dedicated hosting providers (and why I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.)

For my virtuals, though, I have a much more clever switch as it's just some software running in the Dom0, so at least in the IPv4 world, filtering just their /32 in and out is a much better solution.

> Yes, you risk customer A spoofing customer B, but is that really a problem in your environment? Really? If so, one could argue you might want to consider getting a better class of customers.

You wouldn't feel uncomfortable if some other company could come in and not only spoof your IP, but receive the return traffic? Keep in mind that they could do this in a way that is quite difficult to detect or trace, if they were clever about it. I may trust my provider, to a certain extent, but I certainly don't trust everyone who gives my provider money.
Re: IPv6 Security [Was: Re: misunderstanding scale]
>> It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant added complexity.)
>
> I don’t see the point of that.

why not? After carefully considering everything you have told me, this sounds like the way forward to do it the IPv6 way - privacy IPs would work fine, and I could filter every port such that only packets from that /64 were allowed out and only addresses to that /64 would be allowed in. Nobody would be able to spoof or listen in on their neighbor; yeah, my router would have to send a lot of RAs, but routers that handle the amount of traffic my customers send are cheap. I have a lot of customers, sure, but they are small.

Sure, it's going to cost me in routing complexity, but it looks like the only thing I can do that will actually solve my problems and use IPv6 the way IPv6 is expecting to be used. I'd then have to figure out how to make their ipv4 /32 work, but I can think of several possibilities that might work. If nothing else, I could give them one interface for IPv6 and one for IPv4, and leave the IPv4 interface the current system.
Re: misunderstanding scale
On March 26, 2014 at 22:17 o...@delong.com (Owen DeLong) wrote:

> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.

Hang on, do spammers grab address blocks? Ok, I'm sure it happens, this is not an existence proof. But is that really a significant characterization of their behavior? That they go to an RIR or ISP and get an address block allocation? I mean post-Ralsky (almost obscure historical spam reference.)

It seems like ALL the spam I see is purloined resources: botnets, unauthorized use of (usually misconfigured) mail servers, web software holes, free sites in general (such as google groups but also those community free sites), etc.

I suppose this is the place where someone just says: Yes, Barry, it is and considers the matter settled but it sure doesn't match my experience.

We block a lot of /24s (like about 150,000 right now) and even a few larger chunks but not because they're owned by spammers but because they're repeatedly ABUSED by spammers. But unfortunately they're just about always owned by people/companies who believe they're legitimate but just can't seem to keep the spammers from abusing them over and over. And the chance of ham from them is so slight that one just blocks them wholesale.

Well, maybe for the purpose of this discussion it's the same thing, how do you block blocks which are being abused or you want to block for whatever reason.

-- 
        -Barry Shein

The World              | b...@theworld.com          | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 3/27/2014 12:19 PM, Luke S. Crawford wrote:

> This is a very common problem for dedicated hosting providers (and why I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.)

Implement what some DSL access providers do. Unnumbered interfaces with /32 routing to the vlan. The last I checked, I think a J can even get the /32 route from radius when using autoconfig with radius auth. We did similar things with IPv6, as well. proxy-arp/proxy-nd to handle the cross talk.

IOS 12.1 7206 confirmed. No autoconf, but static subinterfaces for each vlan (q-in-q supported or atm), unnumbered to loopback. DHCPv4 and static routing works. IPv6 had issues, but could handle static /64 per subint.

ASR/J MX, autoconfig w/ radius backend, manual subint/unit, or combination. DHCPv4 confirmed, static host routes confirmed. IPv6 not confirmed. Radius static host route establishment not confirmed. Still testing.

Jack
Re: misunderstanding scale
On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong o...@delong.com wrote:

> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.

It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.

This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels.

> Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.

As soon as we get away from host-centric-view to a network-block-view, things get pretty straightforward.

-- 
Matthias
Re: misunderstanding scale, SMTP edition
> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
>
> Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.

Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent.

R's,
John
Re: misunderstanding scale
> It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.

Sigh. See previous note on why aggregating on /64 won't work.

> This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels.

Sigh. See previous note on why aggregating on /64 won't work.

R's,
John
Re: misunderstanding scale, SMTP edition
On 3/26/2014 12:09 PM, John Levine wrote:

>> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
>>
>> Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.
>
> Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent.

Which isn't too bad for the spam block lists, as they will usually escalate and block /64 and shorter anyways. It will be problematic for handling something like CBL, though. DHCP shifted occasionally, but not as often as IPv6 privacy addresses can.

The botnet world is where the problems will arise, and not just for spam. It becomes even more problematic, as you don't know if you have multiple bots in a /64 (individual handouts via DHCPv6) or a single bot shifting within a /64 assignment, or given some layouts, perhaps shifting within a /48 assignment.

Jack
Re: misunderstanding scale, SMTP edition
On 03/26/2014 01:09 PM, John Levine wrote:

> Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent.
>
> R's,
> John

Week before last I saw this in great detail, with nearly 100,000 messages sent to our users per day from probably the same spammer (lots of similarities, including an image payload with invisible anti-bayesian text and a .in TLD) where no two messages came from the same IP. It did all come from the same hosting provider, though, and at least for now that hoster's whole address space (all twenty blocks, varying between a /23 and a /17) is in my border router's deny acl for incoming on port 25. At least for now; I did send an e-mail out to the abuse contact, waited 72 hours, then put the blocks in the incoming acl. This hoster was adding rwhois entries for each /32 allocated (yes, IPv4 /32) and they had different NIC handles. I'll probably wait a month, then pull the acl to see if it starts back up.

Oh, and each and every /32 that sent mail had fully proper DNS, including PTR etc. Spamassassin's score was well in the 'ham' category for all of those messages.

IP reputation lists are one weapon in the arsenal, but not nearly as effective as one would like. There is no technical magic bullet that I've seen work over the long haul. But that's not really on-topic for NANOG.
Re: misunderstanding scale, SMTP edition
John Levine jo...@iecc.com wrote:

> If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent.

Until mail servers start rate-limiting the number of different addresses that are used :-)

You can do something like the following in Exim, which limits IPv6 senders to 16 addresses per /64 per day.

    defer hosts = <; 2000::/4
          ratelimit = 16 / 1d / per_conn / \
                      unique=$sender_host_address / \
                      ${mask:$sender_host_address/64}

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Shannon, Rockall: Southerly 5 or 6 at first in west, otherwise variable 3 or 4, becoming northeasterly 4 or 5. Moderate or rough. Showers. Good, occasionally moderate.
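The per-/64 distinct-sender limit that the Exim ACL above expresses, reimplemented as an added Python illustration (not Exim's code and not from the thread), so the behaviour can be traced on constructed input. It assumes a sliding one-day window, a limit of 16 as in the post, and uses "defer" to stand for Exim's temporary-rejection verb; UniqueSenderLimiter and simulate_listwash are names chosen here.

```python
"""Per-/64 distinct-sender limiter (added illustration, not Exim code)."""
import ipaddress
from collections import defaultdict

LIMIT = 16           # distinct source addresses allowed per key ...
PERIOD = 86400.0     # ... within one sliding day, in seconds
KEY_PREFIXLEN = 64   # aggregate IPv6 senders on their /64


class UniqueSenderLimiter:
    def __init__(self, limit=LIMIT, period=PERIOD, prefixlen=KEY_PREFIXLEN):
        self.limit = limit
        self.period = period
        self.prefixlen = prefixlen
        # key (network or host string) -> {address string: last seen time}
        self._seen = defaultdict(dict)

    def key_for(self, addr):
        """IPv6 senders are keyed on their /64 (the ${mask:...} in the ACL);
        IPv4 senders stay keyed on their own address."""
        if addr.version == 6:
            return str(ipaddress.ip_network(f"{addr}/{self.prefixlen}", strict=False))
        return str(addr)

    def check(self, address, now):
        """Return 'accept' or 'defer' for a connection from `address` at time
        `now` (seconds).  The first `limit` distinct addresses seen under a key
        within `period` are accepted; further new addresses are deferred.  A
        repeat of an already-counted address is always accepted."""
        addr = ipaddress.ip_address(address)
        key = self.key_for(addr)
        bucket = self._seen[key]
        # slide the window: forget addresses last seen more than a period ago
        for seen, ts in list(bucket.items()):
            if now - ts > self.period:
                del bucket[seen]
        norm = str(addr)
        if norm in bucket:
            bucket[norm] = now
            return "accept"
        if len(bucket) >= self.limit:
            return "defer"          # e.g. the 17th distinct address in a /64
        bucket[norm] = now
        return "accept"


def simulate_listwash(limiter, prefix="2001:db8:0:1::", count=20, now=0.0):
    """Constructed scenario from the thread: one sender rotating through
    `count` distinct addresses inside a single /64.  Returns (accepted,
    deferred) counts."""
    verdicts = [limiter.check(f"{prefix}{i:x}", now) for i in range(1, count + 1)]
    return verdicts.count("accept"), verdicts.count("defer")


if __name__ == "__main__":
    lim = UniqueSenderLimiter()
    print(simulate_listwash(lim))                 # (16, 4)
    print(lim.check("2001:db8:0:2::1", 5.0))      # a different /64: accept
```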
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 03/24/2014 06:18 PM, Owen DeLong wrote:

> DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues.

This depends a lot on what you mean by 'robust'

Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less unpleasant. I really want IPv6 to succeed.

However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is. With DHCPv4, my customers all get an address based on their mac that doesn't change if their box is re-installed. I configure this on the DHCP server, and the customer can run whatever dhcp client they like on whatever OS they like and they get the same IP every time.

With DHCPv6 there is a time-based identifier that is added to the mac that makes it impossible, as far as I can tell, to give the customer a consistent IP across OS wipes without doing significant client configuration.

There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters. That, and reading the standard, it sure doesn't sound like consistency was a goal, even though it seems fairly consistent experimentally. there's a lot of generally and may in the text about what it adds to the mac in order to get the local identifier.

It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant added complexity.)

I suppose I can also just keep DHCPv4 around, and if folks want IPv6, well, they have to wire down the address themselves. That's how I'm doing it now.
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 3/26/2014 12:55 PM, Luke S. Crawford wrote:

> However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is.

My favorite is the RA thing. Years ago I decided that stupid DSLAMs were better than smart ones, so I generally utilize 1 vlan per customer with q-in-q and let the router handle all security. This meant I didn't have the usual breakage smart DSLAMs had with IPv6. Ideally, the router would run passive and not send regular RA updates. However, that isn't always viable with all clients. Sending out regular announcements and replicating them to all the vlans is extremely inefficient.

Jack
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Wed, 26 Mar 2014, Luke S. Crawford wrote:

> On 03/24/2014 06:18 PM, Owen DeLong wrote:
>> DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues.
>
> This depends a lot on what you mean by 'robust'
>
> Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less unpleasant. I really want IPv6 to succeed.
>
> However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is. With DHCPv4, my customers all get an address based on their mac that doesn't change if their box is re-installed. I configure this on the DHCP server, and the customer can run whatever dhcp client they like on whatever OS they like and they get the same IP every time.
>
> With DHCPv6 there is a time-based identifier that is added to the mac that makes it impossible, as far as I can tell, to give the customer a consistent IP across OS wipes without doing significant client configuration.

This is stupidity of the DHCPv6 client/OS implementation. They should use DUID type 3 (DUID-LL) by default, not DUID type 1 (DUID-LLT). This can be circumvented by setting the default to type 3, but...

Regards,
Janos Mohacsi
RE: misunderstanding scale
If you can figure out how to store an address and a mask you can have any size entry you want. Just like a routing table. This is not insurmountable.

Steven Naslund
Chicago IL

>> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
>
> It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.
>
> This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels.
>
>> Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.
>
> As soon as we get away from host-centric-view to a network-block-view, things get pretty straightforward.
>
> -- 
> Matthias
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:

> There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters.

Your what-now? You do realise SLAAC works entirely within a single /64, which shouldn't be difficult to decide is either routable or not in one hit, right?

- Matt

-- 
Q: Why do Marxists only drink herbal tea?
A: Because proper tea is theft.
-- Chris Suslowicz, in the Monastery
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 03/26/2014 03:49 PM, Matt Palmer wrote:

> On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote:
>> There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters.
>
> Your what-now? You do realise SLAAC works entirely within a single /64, which shouldn't be difficult to decide is either routable or not in one hit, right?

If you give every customer their own vlan and /64, sure. That can be done, and there are many advantages to doing it that way. But it's quite a bit more complex than my current setup.

The way I'm setup now, I've got an IPv4 address block on a vlan, and an IPv6/64 on the same vlan. I have many customers on that vlan. Each customer has one (or more) IPv4 /32 addresses and one IPv6 /128 addresses. (if the customer wants more IPv6, we just route a /64 to the /128 they are allowed.) There are firewall rules that only allow appropriate packets in and out of the interface. These rules are important for privacy as well as preventing spoofing; they prevent sniffing of most traffic bound for other guests.

This is in production on many of my hosts, and because I give every user both an IPv4 and an IPv6 address, this mostly works. My setup scripts wire down both the v4 and v6 addresses before I hand it off to the user; if the user wants re-install, well, they can wire down the IPv6 address by hand if they want it, and IPv4 works regardless.

It is valid to say that I'm trying to use IPv6 the way I use IPv4, and perhaps that is the wrong thing to do. Perhaps IPv6 needs to be thought of in a different way from IPv4; Perhaps in IPv6, a /64 should be the smallest block I give to a user, and the smallest block I filter on, and I just need to eat the network complexity costs inherent to giving each user a vlan.

My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote:

> My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.

You're right. DHCPv6 is more robust than DHCPv4. At least those of us in the enterprise space appreciate a client identifier that doesn't change when the hardware changes. And v6 doesn't work the same as v4 so you will expend more effort trying to force it to fit a v4 model.

Scott
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote:

> On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote:
>> My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want that connection to persist across OS installs by customers.
>
> You're right. DHCPv6 is more robust than DHCPv4. At least those of us in the enterprise space appreciate a client identifier that doesn't change when the hardware changes.

No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability.

Worse yet, DHCPv6 has created a scenario where a client's IPv4 connectivity and IPv6 connectivity break under /different/ scenarios, causing difficult-to-troubleshoot half-connectivity issues when either the hardware is replaced or the software is reloaded.
Re: misunderstanding scale
On Mar 26, 2014, at 3:18 AM, Matthias Leisi matth...@leisi.net wrote:

> On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong o...@delong.com wrote:
>> OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
>
> It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.

Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat. Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes. After all, if you start blocking a /64, what if it’s a /64 shared by thousands of hosting customers at one provider offering virtuals?

> This would also reduce the risks from cache depletion attacks via DNSxL lookups to IPv4 levels.

Yes and no.

>> Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.
>
> As soon as we get away from host-centric-view to a network-block-view, things get pretty straightforward.

Except where they don’t.

Owen
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Mar 26, 2014, at 10:55 AM, Luke S. Crawford l...@prgmr.com wrote:

> On 03/24/2014 06:18 PM, Owen DeLong wrote:
>> DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues.
>
> This depends a lot on what you mean by 'robust'
>
> Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less unpleasant. I really want IPv6 to succeed.
>
> However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is. With DHCPv4, my customers all get an address based on their mac that doesn't change if their box is re-installed. I configure this on the DHCP server, and the customer can run whatever dhcp client they like on whatever OS they like and they get the same IP every time.

Other than it being based on DUID instead of MAC (which, btw, DUID can be based on MAC), this is also possible in DHCP6.

> With DHCPv6 there is a time-based identifier that is added to the mac that makes it impossible, as far as I can tell, to give the customer a consistent IP across OS wipes without doing significant client configuration.

Nope. Not true.

> There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters. That, and reading the standard, it sure doesn't sound like consistency was a goal, even though it seems fairly consistent experimentally. there's a lot of generally and may in the text about what it adds to the mac in order to get the local identifier.

Why would your BCP38 filters be filtering down below the prefix level? The random addresses all still have the same 64 bit prefix.

For non-privacy addresses, it’s very clear… 64 bit mac is just used. 48 bit mac is OR’d with 0x0200 and then split at the OUI/ESI boundary (24 bits) where 0xfffe is inserted. Thus 1234.5678.abcd would become 1234.56ff.fe78.abcd and 0123.4567.89ab would become 0323.45ff.fe67.89ab.

For privacy addresses, this is kind of all over the map and multiple different algorithms with different entropic properties are proposed. Worse, Micr0$0ft doesn’t conform to the standard at all and, instead, uses no entropy to provide an address that is different per prefix, but the same every time for the same prefix.

> It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant added complexity.)

I don’t see the point of that.

> I suppose I can also just keep DHCPv4 around, and if folks want IPv6, well, they have to wire down the address themselves. That's how I'm doing it now.

That seems unnecessarily difficult.

Owen
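The MAC-to-interface-identifier construction walked through above, as an added Python example (not code from the thread). It follows RFC 4291 Appendix A, which complements the universal/local bit (0x02 of the first octet) when forming the identifier; for a MAC whose u/l bit is clear, such as 0123.4567.89ab, that is the same as setting it. It also goes the other way, recovering the MAC from an address whose identifier carries the ff:fe marker, which is how an operator can tell an EUI-64 address from a privacy one when reconciling logs; the 2001:db8::/32 prefix, the sample MACs and the helper names are constructed here.

```python
"""Modified EUI-64 interface identifiers, RFC 4291 Appendix A (added example)."""
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(hexdigits)


def modified_eui64(mac):
    """Split the MAC at the OUI/NIC boundary (24 bits), insert 0xfffe, and
    complement the universal/local bit.  Returns the 8-byte identifier."""
    m = mac_to_bytes(mac)
    first = m[0] ^ 0x02          # u/l bit: 0x01 -> 0x03, 0x02 -> 0x00
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:6]


def iid_cisco(iid):
    """Render 8 identifier bytes as dotted quartets, the thread's notation."""
    h = iid.hex()
    return ".".join(h[i:i + 4] for i in range(0, 16, 4))


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 of `mac`, as SLAAC does
    without privacy extensions."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_mac(address):
    """If the low 64 bits carry the ff:fe marker, undo the construction and
    return the embedded MAC in colon form; otherwise return None (a privacy,
    DHCPv6 or manually assigned identifier).  The marker is a strong hint,
    not proof: a random identifier can contain ff:fe by chance."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    print(iid_cisco(modified_eui64("0123.4567.89ab")))          # 0323.45ff.fe67.89ab
    print(slaac_address("2001:db8:0:1::/64", "0123.4567.89ab"))  # 2001:db8:0:1:323:45ff:fe67:89ab
    print(eui64_mac("2001:db8:0:1:1c2f:9a4b:7d3e:f10"))          # None (no ff:fe marker)
```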
Re: misunderstanding scale
On Mar 24, 2014, at 8:52 PM, George Herbert george.herb...@gmail.com wrote:

> On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong o...@delong.com wrote:
>> On Mar 24, 2014, at 9:21 AM, William Herrin b...@herrin.us wrote:
>>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote:
>>>> I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security.
>>>
>>> Hi Steve,
>>>
>>> It is your privilege to believe this and to practice it in the networks you operate. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security.
>>
>> Which impossibility has been disproven multiple times.
>>
>>> Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement.
>>
>> Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn’t the same thing at all.
>>
>> If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and non-sensical, but quite possible at this point.
>>
>> Owen
>
> Right. fc00::/7 exists. If you want to emulate your internal use of 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your IPv6 implementation go ahead. Putting in some robust filtering that if the fc00::/7 ever appears outside the internal gateway the traffic goes poof should be as easy as the equivalents for 10, 172.16, 192.168 …

More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which failed to gain consensus. While IETF did set aside the /7, only fd00::/8 has a legitimate documented purpose.

Owen
Re: misunderstanding scale
In message 7b6af6e9-905a-4d14-b54f-8f244afcf...@delong.com, Owen DeLong write s: On Mar 24, 2014, at 8:52 PM, George Herbert george.herb...@gmail.com wrote: On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong o...@delong.com wrote: On Mar 24, 2014, at 9:21 AM, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Hi Steve, It is your privilege to believe this and to practice it in the networks you operate. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Which impossibility has been disproven multiple times. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. Actually, there are multiple implementations of transparent proxies available for IPv6. NAT isn't the same thing at all. If you want to make your life difficult in IPv6, you can. Nobody prevents you from doing so. It is discouraged and non-sensical, but quite possible at this point. Owen Right. fc00::/7 exists. If you want to emulate your internal use of 10.0.0.0/8 plus NAT (or, proxies or load balancers or whatever) in your IPv6 implementation go ahead. Putting in some robust filtering that if the fc00::/7 ever appears outside the internal gateway the traffic goes poof should be as easy as the equivalents for 10, 172.16, 192.168 ... More accurately fd00::/8. fc00::/8 was reserved for ULA coordinated which failed to gain consensus. While IETF did set aside the /7, only fd00::/8 has a legitimate documented purpose. 
And if you are going to filter, fc00::/7 is more future-proof. Owen -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
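As an added illustration of the border filtering the two preceding messages describe (this is example code, not anything posted by Owen or Mark), the following Python uses the standard `ipaddress` module to classify source addresses that must never cross an internal gateway, and checks the point at issue: fd00::/8 and the never-standardised fc00::/8 both sit inside fc00::/7, so one /7 rule covers both. The interface name `wan0`, the nftables rendering helper and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Prefixes that must never appear as a source address on the external side of
# the gateway. Built from the ranges named in the thread: fc00::/7 (ULA, which
# contains fd00::/8) and the IPv4 equivalents 10/8, 172.16/12 and 192.168/16.
INTERNAL_ONLY = [
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def egress_should_drop(src):
    """True if a packet with this source address must not leave the gateway
    (or arrive from outside it): the source is an internal-only prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_ONLY if net.version == addr.version)


def ula_covered_by_fc00_7():
    """fd00::/8 (locally assigned ULA) and fc00::/8 (the 'coordinated' half
    that never gained consensus) are both inside fc00::/7, so a single /7
    rule catches either without needing to be revisited later."""
    ula = ipaddress.ip_network("fc00::/7")
    return (ipaddress.ip_network("fd00::/8").subnet_of(ula)
            and ipaddress.ip_network("fc00::/8").subnet_of(ula))


def render_nft_rules(iface="wan0"):
    """Render the same list as nftables rule lines for a hypothetical border
    interface, dropping in both directions so leaks and spoofs are both caught."""
    lines = []
    for net in INTERNAL_ONLY:
        family = "ip6" if net.version == 6 else "ip"
        lines.append(f"iifname {iface} {family} saddr {net} drop")
        lines.append(f"oifname {iface} {family} saddr {net} drop")
    return lines


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation prefix,
    # standing in here for an ordinary global unicast address.
    for sample in ("fd12:3456:789a::1", "fc00::1", "2001:db8::1", "10.1.2.3", "192.0.2.1"):
        print(f"{sample:>20}  drop={egress_should_drop(sample)}")
    print("\n".join(render_nft_rules()))
```

Filtering the whole /7 at the border costs nothing extra over filtering only fd00::/8, and `ula_covered_by_fc00_7()` is the check that confirms the wider rule still matches every address the narrower one would.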
Re: misunderstanding scale
On Mar 24, 2014, at 10:12 PM, Alexander Lopez alex.lo...@opsys.com wrote: On Mar 24, 2014, at 9:36 AM, Alexander Lopez alex.lo...@opsys.com wrote: not to mention the cost in readdressing your entire network when you change an upstream provider. Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme. This is easily and better solved in IPv6 using provider independent addressing which is readily available. rant Yes but the number of people needing just a /64 will far outnumber the one requesting a /48. Businesses? I doubt it. I would say that the majority of users today and for the future will not require a /48, but will simply use the allocation given to them by their upstream. Perhaps, but I don’t see that being just one subnet for anyone at all likely to have a concern about renumbering. Many today do not multi-home and how many SMB customers just use a single Public IP behind a NAT device? Those wouldn’t really have a problem renumbering their network. It is easy for us on this list to use or request PIA, but what about the 10 person office? I’ve done so for several. It’s not hard or expensive. Owen
Re: misunderstanding scale (was: Ipv4 end, its fake.)
On Mon, Mar 24, 2014 at 9:12 PM, Bob Evans b...@fiberinternetcenter.com wrote: Thus far, IPv6 has been the Field of Dreams those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is when will they come. I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customers to find out that they are in no hurry. It's a no-brainer, because none of us charges a customer more than lunch money for an IPv4 address. While I will agree that it has taken longer than some of us thought / expected I don't believe you can say no-one is coming. My home (Comcast) my phone (T-Mo) get native IPv6, automatically, no extra charge - no special request - no special equipment. Our 4g hotspots are all dual-stack. We recently got a new Verizon (landline) circuit for a job-site - came with a /48 automatically. The carriers drive this part of the boat - and some of them are doing so quite nicely (finally). Not all, but some of the biggest have done the most work == more eyeballs. The content side is doing better as well; again - not all, but the big ones are good wins. The customers, the normal people that is, don't know or care. We know that. On the enterprise side there is of course the cost burden of dealing with the legacy network that still, largely, works as they expect. And in the govt it is even worse, despite some mandates to the contrary. But that too will shift over time - and needn't hold up anyone else's plans. And when people who do care have IPv6 at home/on their phone they will start to push that into said enterprises ... like I am doing :). /TJ
Re: misunderstanding scale
On Sun, Mar 23, 2014 at 10:07 PM, Naslund, Steve snasl...@medline.com wrote: As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument. It does not change in v4 or v6. Printers are not merely attack vectors; they are targets. It only makes sense to describe them solely as potential vectors, if the printer is connected to the LAN the real target is connected to. In which situation: they are equally dangerous. But: there are more hackers that can leverage a computer using generic scripts than can mess with a vulnerable printer, using specialized attacks. Assuming that both stacks are vulnerable to attack I would be less worried about the printer because I am not aware of any of my printers running malware in v4. I think the PC platform being much more This is what makes printers more dangerous. Users have no idea what code is running on their printer. It is the perfect place for an attacker to patch the firmware: hole up, and set up their backdoor VPN, proxy, or tunnel, because it's on 24x7 -- rarely replaced, almost never updated --- no antimalware software. complex and having many more interfaces for active programming like DLLs, Java, ActiveX, etc, are much more the threat. I personally have The complexity of the available middleware and 3rd party APIs has little to do with what kinds of attacks can be launched from a compromised printer being used to stage attacks; once the device is compromised, the intruder will bring the minimal software they need. You're talking about APIs that greatly expand the attack surface of some computer software. But it does not matter; if the socket protocol used by the printer was not designed with security in mind. One good vulnerability is enough. More known vulnerabilities doesn't make it more dangerous after it is compromised, it just makes it that much more impossible to harden. 
With the printer --- there is little attention to vulnerabilities, so chances are patches are not even available. not seen a DDoS attack launched by printers (they may exist but I am You haven't seen any chargen or snmp activity at all?? DDoS reflection using clumsy appliance defaults is among the most popular attacks to be facilitated by printers. not aware of them). If I was going to design an attack for a printer, I would think that data theft would be the most dangerous. I have The most likely use of compromising a printer (following DDoS -- which doesn't require breaking in) is to provide a covert backdoor for staging further compromise attempts or man-in-the-middle attacks. The computer has more data storage, so it is privy to more confidential information and contents of network traffic from the computer is likely to be the ultimate target. But it just takes one Man-in-the-middle against a LAN computer, with malware covertly injected to a webpage, for a compromised printer to breach a computer. wondered about multifunction printers emailing print data to someone but I have never seen that yet. Maybe. Is an intruder going to go through the trouble to compromise a printer -- just to misdirect printouts? Probably not. But this requires profiling the intruder versus information at risk -- They want computing power, banking information, SSNs: usernames/passwords. Typically stuff you will never find on printouts --- particularly within an org whose staff are aware that documents sent to network printers go over the LAN unencrypted, and therefore: your printouts should never contain that kind of information. Steven Naslund Chicago IL
Re: misunderstanding scale
On 3/24/14 2:38 PM, William Herrin b...@herrin.us wrote: On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard l...@asgard.org wrote: On 3/24/14 1:37 PM, William Herrin b...@herrin.us wrote: That would be one of those details on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature. What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall? Hi Lee, I don't see NAT as a deployment issue for residential networks. Most folks just hook their computer up to whatever CPE the vendor sends them without any further attention. If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine. Obscurity offers one or more defense layers. If you disagree, post your passwords here. One that is largely mocked by security professionals. However, ULA can do this. Unaddressability is a second defense layer. I offered ULA+NPT66. I don't recommend it, but it has been described as working, and provides addresses which are not globally reachable. Stateful firewalling is a third. We agree. Lee
Re: misunderstanding scale
On Tue, 25 Mar 2014 16:31:17 +1100, Mark Andrews said: My bet is the number needing more than a single /64 will exceed the number needing just a /64. Most phones really need two /64 for tethering and currently there are lots of kludges to work around only one being available. As a data point, cerowrt (an openwrt fork) will ask upstream for a /60 or /56 via dhcp-pd, and then burn a /64 for each logical subnet. On a WNDR3800, it can burn 9 /64s out of the box, and more if you start doing VLAN stuff...
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 3/24/14 10:17 PM, Naslund, Steve snasl...@medline.com wrote: I can easily answer that one as a holder of v4 space at a commercial entity. The end user does not feel any compelling reason to move to ipv6 if they have enough v4 space. I can't give my employer a solid business case of why they need to make the IPv6 transition. You may not need to yet. But it would be a good idea to know how long it would take you to deploy IPv6. Then think about when IPv6 will be cheaper than IPv4. (See the poll from NANOG60 for what others think about this: http://www.wleecoyote.com/blog/lightningpoll.htm Hint: 2017-2018) It might be a good idea to finish in time to save money. Oh, and if the enterprise cares about latency, IPv6 is better. (NANOG60: https://www.nanog.org/meetings/abstract?id=2281) They already hold enough v4 space and are putting more and more servers behind virtual IPs on boxes like the F5 so they are actually gaining on the v4 space issue. They see no economic reason to add an additional layer of complexity to their network where it is already pretty expensive to find savvy staff. Having to find v6 savvy staff is even more challenging. Even if the network guys are up to speed on v6 (admittedly a lot of the junior guys are not) the server and storage guys have a hard time wrapping their minds completely around ipv4. I bet your staff isn't savvy on lots of things they have to do. I don't know why IPv6 scares people so much. Story: So, will you be providing training on IS-IS? You'll get exactly the same training you got on OSPF when you started. . . . Lee
Re: misunderstanding scale (was: Ipv4 end, its fake.)
On 3/24/14 9:12 PM, Bob Evans b...@fiberinternetcenter.com wrote: I agree with one thing herein In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Yep, chicken and the egg. I agree. We built an IPv6 native network - no tunneling - no customers to speak of ... didn't even bother to start IPv6 peering on it. How would there be traffic if you have no peering? And there you have it, how much is someone willing to pay for space in the Internet casino. Well, it's much more than free and probably close to the dollar level in the presentation by Lee Howard at an ARIN meeting (I think it was in Barbados or maybe I have that meeting place wrong and it was NANOG) ... Well, $40/month per IP address will be the pain level for all customers to finally cash-in the IPv4 chips and move to IPv6. I wish it was Barbados! NANOG56. http://www.nanog.org/meetings/nanog56/presentations/Wednesday/wed.general.howard.24.wmv Thus far, IPv6 has been the Field of Dreams those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is when will they come. Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-) I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customers to find out that they are in no hurry. It's a no-brainer, because none of us charges a customer more than lunch money for an IPv4 address. Depends on what you mean by core. For some values of core, the Internet is already dual-stack. Now, if you tell me all the porn site owners were great net citizens, ready to move to IPv6 and shut off IPv4 access, well then I can see things moving along much faster. Feel free to offer them a discount for dual-stack, and a deeper discount for IPv6-only. 
Unfortunately, I don't know any porn site operators, so I haven't been able to have conversations with them about the economics of IPv6. Lee
Re: misunderstanding scale
It is late and I am just rambling, but even with DHCP (4 and 6) changing IP networks is not a trivial thing. Not hard, but it will require a lot more planning than what many do today of simply changing the WAN IP address and some records in the DNS (if needed). We tried: http://tools.ietf.org/wg/6renum In particular, you may want to read http://tools.ietf.org/html/rfc6879 when planning and renumbering IPv6; it's intended to save you pain later. Lee
Re: misunderstanding scale (was: Ipv4 end, its fake.)
Bob Evans CTO On 3/24/14 9:12 PM, Bob Evans b...@fiberinternetcenter.com wrote: I agree with one thing herein In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Yep, chicken and the egg. I agree. We built an IPv6 native network - no tunneling - no customers to speak of ... didn't even bother to start IPv6 peering on it. How would there be traffic if you have no peering? 4 IPv6 transits and a handful of customers. Today, we only provide fiber service to businesses. Tiny traffic - no IPv6 peering at IX locations. And there you have it, how much is someone willing to pay for space in the Internet casino. Well, it's much more than free and probably close to the dollar level in the presentation by Lee Howard at an ARIN meeting (I think it was in Barbados or maybe I have that meeting place wrong and it was NANOG) ... Well, $40/month per IP address will be the pain level for all customers to finally cash-in the IPv4 chips and move to IPv6. I wish it was Barbados! NANOG56. http://www.nanog.org/meetings/nanog56/presentations/Wednesday/wed.general.howard.24.wmv Thanks Lee, I was hunting for that link. Thus far, IPv6 has been the Field of Dreams those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is when will they come. Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-) Maybe my isolation in silicon valley causes me to have a different IPv6 experience. Not much IPv6 happening here. I heard Google may have topped over 2% traffic that is IPv6. Significant? Not from where I am sitting. I know the core of the Internet will be IPv4 for many years. All one has to do is talk to a few customers to find out that they are in no hurry. It's a no-brainer, because none of us charges a customer more than lunch money for an IPv4 address. Depends on what you mean by core. 
For some values of core, the Internet is already dual-stack. Now, if you tell me all the porn site owners were great net citizens, ready to move to IPv6 and shut off IPv4 access, well then I can see things moving along much faster. Feel free to offer them a discount for dual-stack, and a deeper discount for IPv6-only. Unfortunately, I don't know any porn site operators, so I haven't been able to have conversations with them about the economics of IPv6. We give away the IPv6 to every business on a second port - to make their life easy and encourage them to play with it. Unfortunately, few try it at all. Bob Lee
RE: misunderstanding scale
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host I can block only him. Better for both of us, no? That is assuming that the infected piece does not request another address in the /64, and that the person blocking at the target end blocks a /128 instead of the /64. I suppose that's possible and you could respond to that by blocking more addresses or the entire /64 if you want. The difference is that by seeing the actual address of the remote system you get to decide rather than blocking an entire corporate network. It would be trivial to program a rule that if multiple addresses in the block are offending we escalate to a bigger block. How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one? IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that. I don't want to try to even think about SMTP on IPv6. Reputation of email servers as well as the whole thought process of spam control rely on a list of IP address. Yes, addresses that do not accurately represent the single system causing the problem. IPv6 adds an entirely new aspect to it. Well, if you mean the entirely new aspect is a list of hex addresses instead of dotted decimal addresses I guess so. I personally would rather have a list of actual end system addresses than a list of addresses that represent a mail server and several thousand other innocent devices behind a NAT. Might be easier to tell the system owner which system is compromised than to call a large company and tell them one of their systems is compromised. It would also be nice to be able to allow legitimate email to a business partner while blocking his compromised system only. 
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope. Most enterprise admins segment their BYOD (wifi) network from the production network. Some will even use a different WAN IP for the wifi network or at a minimum block outbound requests to well-known service ports. If they knew anything about security they would but I thought we were talking about the same guys that use NAT to secure their networks. I generally see where the only outbound connections allowed are http and https. All other ports are blocked. Maybe on the BYOD only networks but very few companies actually segregate the BYOD devices from the general wifi access in a sophisticated way. Just look at how many wifi vendors actually support that well and how many companies can actually tell a corporate owned wifi device from a BYOD device. To do that correctly requires something like a good machine certificate process and complex stuff like 802.1x and TLS, most don't have it. Good luck with allowing only http and https and nothing else. My wifi users happen to like to be able to use IP softphones, have web conferences, and do lots of other stuff that uses more than those two protocols. Steven Naslund Chicago IL
Re: IPv6 Security [Was: Re: misunderstanding scale]
On 03/24/2014 09:39 PM, Paul Ferguson wrote: I'll leave it as an exercise for the remainder of... everywhere to figure out why there is resistance to v6 migration, and it isn't just because people can't be bothered. I'm sure there are numerous enterprises in the same shape I am in, with significant equipment investment in not-quite-ipv6-ready gear, and insufficient technology refresh capex monies to get ipv6-ready capacity-equivalent replacements. Cisco 6500/7600 even with Sup720 has issues, and I know of a number of networks still running Sup2 on 6500/7600 or even older (including some gear in my own network, where I still have old gear, older even than I'm willing to admit publicly, serving in core roles; I just decommissioned a failing Extreme Summit 1i this past Saturday, and still have two more in core roles, doing Layer 3 IPv4 in one case). I know I'm not alone. While much of this gear may be fully depreciated, the cost of the forklift upgrade is major, and the gear is not the biggest part of the cost. Repairs are not anywhere near as draining on the capex budget as complete chassis upgrades are, and so we keep old gear running because it's what we can afford to do. So capex is a big part of it; but then there's training costs and the opex of dealing with a new-to-us technology. Just my very-late-to-the-party opinion, and not likely to change anything at all, but in hindsight it seems we might have been better off with ipv4.1 instead of ipv6, which, IMO, just simply bit off too much in one bite. Much like how the Fountainhead project at DG got eclipsed by the much less ambitious Eagle, and never really went anywhere due to its pie-in-the-sky goals, when all the customers really wanted was a 32-bit Eclipse, which Eagle provided. (Tracy Kidder, The Soul of a New Machine which should be on every tech's must-read list). Yeah, I know, too late to matter, as ipv6 is here and here to stay. 
But the transition could have been smoother and less traumatic to equipment vendors' customers. At least that's my opinion and experience, your mileage may vary.
Re: misunderstanding scale (was: Ipv4 end, its fake.)
On Tue, 25 Mar 2014 09:55:21 -0400, Lee Howard said: Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-) I'm actually glad to see that we're no longer on the first page of that list. ;)
Re: misunderstanding scale
IPv6 adds an entirely new aspect to it. Well, if you mean the entirely new aspect is a list of hex addresses instead of dotted decimal addresses I guess so. I personally would rather have a list of actual end system addresses than a list of addresses that represent a mail server and several thousand other innocent devices behind a NAT. Might be easier to tell the system owner which system is compromised than to call a large company and tell them one of their systems is compromised. It would also be nice to be able to allow legitimate email to a business partner while blocking his compromised system only. I think the new dimension is that a spammer today who manages to snag a /8 has 16.7 million addresses to play with. Even if he forces you to add each and every one to your list, that’s a few megabytes for a VERY large IPv4 block. OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there’s not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list. Sometimes scale is everything. Host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily. Owen
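Steve's earlier message suggested a rule that escalates from single addresses to a bigger block once several addresses in it offend, and Owen's point above is that a per-host list cannot keep up with a /64. The following Python, added here as an example and not code from either poster, implements that escalation for an IPv6 reputation list: individual /128 entries are kept until a configurable number of distinct offenders appear in one /64, after which the /64 replaces them and the list stays one entry per abusive prefix no matter how many addresses the sender rotates through. The class name, the threshold of three and the 2001:db8 sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict


class ReputationList:
    """Tracks offending IPv6 sources and escalates to a /64 block once several
    distinct hosts in the same /64 offend (illustrative, not a real product)."""

    def __init__(self, escalate_after=3):
        self.escalate_after = escalate_after
        self.blocked_hosts = set()       # individual /128 offenders
        self.blocked_prefixes = set()    # whole /64s that were escalated
        self._offenders_per_prefix = defaultdict(set)

    @staticmethod
    def _prefix(addr):
        # The /64 containing addr; strict=False lets host bits be non-zero.
        return ipaddress.ip_network(f"{addr}/64", strict=False)

    def report(self, addr_str):
        """Record one offending source; return the entry that now blocks it."""
        addr = ipaddress.IPv6Address(addr_str)
        prefix = self._prefix(addr)
        if prefix in self.blocked_prefixes:
            return prefix                # already covered, nothing to add
        self.blocked_hosts.add(addr)
        seen = self._offenders_per_prefix[prefix]
        seen.add(addr)
        if len(seen) >= self.escalate_after:
            # Enough distinct hosts in this /64: block the prefix and drop the
            # per-host entries it covers, so the list cannot grow with the
            # sender's address rotation.
            self.blocked_prefixes.add(prefix)
            self.blocked_hosts -= seen
            del self._offenders_per_prefix[prefix]
            return prefix
        return addr

    def is_blocked(self, addr_str):
        addr = ipaddress.IPv6Address(addr_str)
        if addr in self.blocked_hosts:
            return True
        return self._prefix(addr) in self.blocked_prefixes

    def entries(self):
        """Total list size: host entries plus escalated prefixes."""
        return len(self.blocked_hosts) + len(self.blocked_prefixes)


if __name__ == "__main__":
    # Constructed sample: one sender rotating through a /64.
    rl = ReputationList(escalate_after=3)
    for src in ("2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::a", "2001:db8:1::c"):
        print(f"report {src:>14} -> blocked by {rl.report(src)}")
    print("unseen host in that /64 blocked:", rl.is_blocked("2001:db8:1::ffff"))
    print("list entries:", rl.entries())
```

Repeated reports of the same host do not count toward escalation, only distinct addresses do, so a single misconfigured machine stays a /128 entry while an address-rotating sender collapses to its /64. The same structure extends upward (escalating from /64s to the /48 they share) with a second counter keyed on the wider prefix.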
Re: misunderstanding scale (was: Ipv4 end, its fake.)
Thus far, IPv6 has been the Field of Dreams those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is when will they come. Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-) Maybe my isolation in silicon valley causes me to have a different IPv6 experience. Not much IPv6 happening here. I heard Google my have topped over 2% traffic that is IPv6. Significant ? Not from where I am sitting. There’s actually lots of IPv6 happening in Silicon Valley. I’ve been running IPv6 for years and so has my employer. Your Google data is old… They’re well over 4% and it’s been doubling about every 3-6 months, so I’d expect to see upwards of 16% by the end of the year, but remember, that’s traffic that chose IPv6 based on happy eyeballs and doesn’t represent all traffic that could have gone IPv6 or even all traffic that would have gone best over IPv6. If Micr0$0ft would publish the stats of native vs. teredo from the xbox one, I bet we’d have a better idea of what percentage of folks are running IPv6 for real. I think it’s a lot more than you seem to believe. Of the major consumer providers in the area, ATT and SPRINT Wireless are the only ones I’m aware of that are completely unable to do IPv6. Even some of the smaller residential providers are now doing some IPv6 and I hear rumors that some ATT DSL and uVerse customers can now get IPv6. We give away the IPv6 to every business on a second port - to make their life easy and encourage them to play with it. Unfortunately, few try it at all. We make IPv6 available to all of our customers on the same port which seems to make their life even easier and many of our customers are using it. Perhaps this is food for thought. Owen
Re: misunderstanding scale
On Sun, 23 Mar 2014 16:21:50 -0700, Paul Ferguson said: On the other hand, there are beaucoup enterprise networks unwilling to consider moving to v6 until there are management, control, administrative, and security issues addressed. The problem is that for many of those enterprises, the actual understanding of those issues even in the v4 arena is tenuous at best. You know - the same sort of beancounters and auditors with checklists that insist on NAT and won't allow a stateful firewall, or worry about ND attacks but don't check if you have anything in place to defeat ARP flooding
Re: misunderstanding scale
On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote: When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway. If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-) I guess it's no surprise that host security is not an IPv4 or IPv6 issue. It's just that with IPv4, the majority of unclean and unupdated hosts have been living behind NAT44. In an ideal IPv6 world, all hosts have GUAs, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope). Mark.
Re: misunderstanding scale (was: Ipv4 end, its fake.)
On Sunday, March 23, 2014 11:02:13 PM Mark Andrews wrote: Actually all you have stated is that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly. It also does not cost much on a per device basis. Well, all consumer device vendors, really... Mark.
Re: misunderstanding scale
On Monday, March 24, 2014 01:15:27 AM Mark Andrews wrote: And there you go putting stricter requirements on printers that you don't put on laptops, servers. None of us would put any machines on the net if they had to meet your printer's requirements. Because, at the very least, a laptop or server can run a stateless packet filter to keep out pokes at ports that may be running by default, but have no business being queried over the network. Mark.
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Monday, March 24, 2014 01:37:52 AM Timothy Morizot wrote: Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's the same general sort of first hop and link security issues that exist in IPv4 with similar mitigations. Not identical, but not radically different or new either. While the mitigations may not exist yet (like proper firewalls in CPE to protect GUA'ed devices in the home), it is still a good idea to bring the risks to light so folk can think about how to get them fixed. Mark.
Re: misunderstanding scale
On Monday, March 24, 2014 02:41:00 AM Timothy Morizot wrote: The original assertion was that there are unaddressed security weaknesses in IPv6 itself preventing its adoption. At least that's the way I read it. And that assertion is mostly FUD. The risks have less to do with IPv6, and more to do with the fact that boxes that lived on RFC 1918 behind NAT44 security gateways may now, very possibly, be given a GUA address that now exposes them directly to the Interweb. Mark.
Re: misunderstanding scale
On Mon, 2014-03-24 at 08:38 +0200, Mark Tinka wrote: In an ideal IPv6 world, all hosts have GUAs, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope). The mantras from my training courses: Addressable is not the same as accessible; routable is not the same as routed. Just because you give every host a globally routable address doesn't mean you have to route them. Just because you route them doesn't mean you have to forward all traffic to or from them. Regards, K. -- ~~~ Karl Auer (ka...@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882 Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Re: misunderstanding scale
On Monday, March 24, 2014 09:00:46 AM Karl Auer wrote: The mantras from my training courses: Addressable is not the same as accessible; routable is not the same as routed. Just because you give every host a globally routable address doesn't mean you have to route them. Just because you route them doesn't mean you have to forward all traffic to or from them. Agree, but also practically, there is a higher likelihood that a good majority of deployments (enterprise, home or wholesale backbones) will be reasonably more accessible over time, not less. You know the new mantras of this day - any computing or communications device is only as good as its connectivity. Mark.
Re: misunderstanding scale
Additional support on my feeling of DO and IPv6, is DO's stance of directly not even allowing IPv6 tunnels to HE, SiXXs, or any of the other providers by specifically telling them not to allow connections from your IPv4 address space. Say *what*? I've got HE tunnels into DO, purely because they won't get their finger out and offer native v6, but the rest of the service currently outweighs the hassle of tunneling. If this is going to get blocked, I'll be reversing the migration of my existing VPS services elsewhere *into* DO, and starting to look for yet-another provider :( I've already had a rather strange conversation with SIXXS where they swore seven ways from Sunday I couldn't have a tunnel because DO already offer native v6, despite sending them numerous official statements to the contrary, but trying to reason with SIXXS is always interesting... Regards, Tim.
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Mon, Mar 24, 2014 at 1:51 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Monday, March 24, 2014 01:37:52 AM Timothy Morizot wrote: Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's the same general sort of first hop and link security issues that exist in IPv4 with similar mitigations. Not identical, but not radically different or new either. While the mitigations may not exist yet (like proper firewalls in CPE to protect GUA'ed devices in the home), it is still a good idea to bring the risks to light so folk can think about how to get them fixed. While I don't really disagree with that statement, I'm not entirely sure what CPE firewalls and home devices have to do with enterprise deployments, the topic I was discussing. We've been actively working this for the past three years now and have yet to encounter an IPv6 specific enterprise risk for which no appropriate mitigation exists. That's why I called out the assertion that security weaknesses in IPv6 were *preventing* enterprise deployments as FUD. And until someone specifically names some major unmitigated IPv6-only security weakness blocking enterprise deployment instead of vague hand-waving or lists of security risks (as opposed to weaknesses) with well-defined mitigations, I'll stand by that statement. Scott
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 1:38 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote: When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway. If this is the only argument for delaying IPv6 deployment, this sounds more like FUD to me ;-) I guess it's no surprise that host security is not an IPv4 or IPv6 issue. It's just that with IPv4, the majority of unclean and unupdated hosts have been living behind NAT44. In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope). NAT traversal is and has long been fairly trivial. NAT and RFC1918 provides no meaningful host protection whatsoever and never has. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS can also drop packets.) That's true for IPv4 and for IPv6. So an enterprise relying on NAT44 and RFC1918 for internal host protection instead of a stateful firewall already has no meaningful security in place. There's no way for IPv6 to make things any worse other than puncturing the delusion under which they are currently operating. Scott
Re: misunderstanding scale
On 24/03/2014 06:47, Mark Tinka wrote: Because, at the very least, a laptop or server can run a stateless packet filter to keep out pokes at ports that may be running by default, but have no business being queried over the network. once upon a time, they didn't have host firewalls or packet filters, which was why we ended up with: https://isc.sans.edu/diary/Survival+Time+on+the+Internet/4721 Nick
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Hi Steve, It is your privilege to believe this and to practice it in the networks you operate. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush ra...@psg.com wrote: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. it can be stateless You're smarter than that. -Bill -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
On 03/24/2014 09:20 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. A distinction without a difference, IMHO. Either I can send you an incoming SYN or I can't. The real battle here, IMHO, is to get the next gen CPE vendors to do the right thing. NANOG folks ought to be keeping tabs on the Homenet working group and then DEMAND that any CPE support its security, etc, baselines. Mike
Re: IPv6 Security [Was: Re: misunderstanding scale]
On Monday, March 24, 2014 02:42:07 PM Timothy Morizot wrote: While I don't really disagree with that statement, I'm not entirely sure what CPE firewalls and home devices have to do with enterprise deployments, the topic I was discussing. We've been actively working this for the past three years now and have yet to encounter an IPv6 specific enterprise risk for which no appropriate mitigation exists. That's why I called out the assertion that security weaknesses in IPv6 were *preventing* enterprise deployments as FUD. And until someone specifically names some major unmitigated IPv6-only security weakness blocking enterprise deployment instead of vague hand-waving or lists of security risks (as opposed to weaknesses) with well-defined mitigations, I'll stand by that statement. Agree - the security issues for deploying IPv6 in the enterprise are not that dissimilar from the concerns in the home in as far as assigning GUA's to enterprise printers, staff laptops, surveillance cameras, etc., is concerned. This is not necessarily an issue of IPv6. It's more of an issue having a direct connection to the Internet without NAT (a.k.a security by obscurity, false sense of security, etc.), and what that means for the host's security. Mark.
Re: misunderstanding scale
On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote: NAT traversal is and has long been fairly trivial. NAT and RFC1918 provides no meaningful host protection whatsoever and never has. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS can also drop packets.) That's true for IPv4 and for IPv6. So an enterprise relying on NAT44 and RFC1918 for internal host protection instead of a stateful firewall already has no meaningful security in place. Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do. The whole issue is that a number of enterprises may only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall. We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around. Mark.
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Yet there is significant value to providing uniqueness in address space, a property that is incredibly useful. The proponents of this sort of in depth defense typically view NAT as a way to protect their networks, which it does, in some limited sense, from being addressable from the outside world. The problem is that it has broken one of the key design principles in IPv4, and so we've had to suffer for years under broken NAT regimes and workarounds and other folly. This is overall a bad thing for the Internet, and for the development of future protocols and applications. Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space. If this job were easy, anyone could do it. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
RE: misunderstanding scale
not to mention the cost in readdressing your entire network when you change an upstream provider. NAT was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme. I have and will continue to deploy IPv6, however the ease and simplicity of IPv4 cannot and should not be overlooked. IPv6 requires a complete reeducation of the way we look at routing and the core of the network. I will not be trolling here, I prefer to troll off the Florida straits for large fish instead. .. Original message From: William Herrin Date:03/24/2014 12:27 PM (GMT-05:00) To: Naslund, Steve Cc: NANOG list Subject: Re: misunderstanding scale On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Hi Steve, It is your privilege to believe this and to practice it in the networks you operate. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
On Monday, March 24, 2014 06:02:11 PM Nick Hilliard wrote: once upon a time, they didn't have host firewalls or packet filters, which was why we ended up with: https://isc.sans.edu/diary/Survival+Time+on+the+Internet/4721 :-). Mark.
RE: misunderstanding scale
I think it would be just as easy to claim that breaking the end-to-end model is more of a security concern than lack of NAT. Having the NAT is essentially condoning a permanent man-in-the-middle. A lot of customers do believe that NAT adds to their security. I would advise them however that it probably offers a lot less than they think. It is a very common technique to get an inside computer to establish a connection out to a bad host. That's how most of the malware today works (through the extra layer of defense that NAT provides), so I am not seeing how much worse IPv6 would make things. If you are going to allow inbound connections to your internal machines from anywhere you are insecure. How hard is it to block inbound connections with a firewall? If the user cannot accomplish that then there is not much we can do to save them. I suppose NAT could add some sort of minimal additional assurance but if you cannot pull off a simple firewall or routing policy you are already unable to adequately secure your network. I see no technical reason that someone could not implement a transparent proxy whether it is v4 or v6. It does not really violate the end-to-end model because the proxy connects to the remote system and the local system connects to the proxy so there really is not an end-to-end connection as much as there are two separate connections. For that matter, is there really a technical reason that you could not do a NAT if you wanted to with IPv6? All we are really talking about here is replacing one address with another. Could you not get something similar by translating a routable IPv6 address to a link local address? I don't think I would want to but I suppose you could if you are really married to NAT and private addressing. I, for one, will not miss NAT very much.
I have seen quite a few misconfigured NATs and holes being punched through firewalls because applications don't like NATs to believe that they are at least as much trouble as they are worth as a security feature. Steven Naslund -Original Message- From: William Herrin [mailto:b...@herrin.us] Sent: Monday, March 24, 2014 11:21 AM To: Karl Auer Cc: nanog@nanog.org Subject: Re: misunderstanding scale On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
RE: misunderstanding scale
If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside. If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6. If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter. If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security. In the home, I am not sure what the major issue is there either. How many CPE devices have you seen that do not implement basic firewall functionality? People may not use them correctly but that is no more an issue with v6 than it is with v4. Most CPE even comes out of the box blocking inbound connections by default. Steve -Original Message- From: Mark Tinka [mailto:mark.ti...@seacom.mu] Sent: Monday, March 24, 2014 11:35 AM To: Timothy Morizot Cc: NANOG list Subject: Re: misunderstanding scale Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do. The whole issue is that a number of enterprises may only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall. We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around. Mark.
Re: misunderstanding scale
On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT. -- TTFN, patrick
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas m...@mtcc.com wrote: On 03/24/2014 09:20 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. A distinction without a difference, IMHO. Either I can send you an incoming SYN or I can't. Hi Mike, You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the Football? I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco jgr...@ns.sol.net wrote: all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space. Hi Joe, You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? -Bill -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT. Hi Patrick, What sort of traction are you getting from that argument with enterprise security folks who object to deploying IPv6 because of NAT? Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: misunderstanding scale
Hi Mike, You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the Football? I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security. The problem here is that what's actually going on is that you're now enshrining as a security device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature. If you want more layers of security, put a second firewall into your design. Don't perpetuate horrid IPv4 hacks that were necessary for specific reasons into IPv6 where those hacks are no longer needed. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco jgr...@ns.sol.net wrote: all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space. Hi Joe, You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? Actually, yes, it does. Using the product as intended is substantially less risky than trying to figure out how to use some sort of proxy or gateway functionality to emulate NAT, and then screwing that up. If you're afraid that you're insufficiently competent, help for hire is available, as are two levels of firewalling, which isn't really a bad idea anyways. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: misunderstanding scale
On Mar 24, 2014, at 5:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Many of the folks you would have deploy IPv6 do not agree. They take comfort in the mathematical impossibility of addressing an internal host from an outside packet that is not part of an ongoing session. These folks find that address-overloaded NAT provides a valuable additional layer of security. Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. It's unfortunate that it is the way it is, but many enterprise people have this ingrained in them - they don't want to be connected to the internet except for a few exceptions. Just the fact that they can't ping their machines gives them a warm and fuzzy. In a run-of-the-mill default NAT setup, you can deploy a network printer with no security and nobody from the internet can print to it. It's default deny, even without setting anything else up, by virtue of not being on the internet and not having an address. I know there are ways to subvert a NAT but that applies to perimeter and host firewalls too. IPv6 global numbers are great for those of us that actually want to connect to the internet, but enterprise people with rfc1918 numbering have gotten used to being disconnected, and while most of us know that it's trivial to firewall IPv6, it's still a big jump from using a NAT/proxy to being 'on the internet'. It's even more complex if it's only halfway and there are two different protocols to manage. People will always resist change, and in this case, why should they change when it's only going to make their job harder? 
Makes sense to me, but I wish it weren't that way. They will probably just find ways to proxy and NAT IPv6 too, so that it fits the IPv4 model with 'private' addresses. Just look at what's been happening with UDP floods. It's scared people enough that some are just blocking certain UDP ports or UDP completely. I imagine we will soon see some big IPv6 specific attacks that result in crashing hosts/routers, and that will just make people resist it harder, because why would they want that headache? I think in a lot of situations, unless their business is networking specifically, the network is considered good enough if you can browse (most) webpages. For IPv6 only sites, that could be accomplished with a web proxy setting on all the desktops. It's not really right, it's inefficient, error prone and a bunch of other things, but that doesn't mean people won't do it. They do all this today with v4 anyway, so if anything, the 'wrong way' is easier there since they're used to doing it. There has to be some big compelling reason to convince people that global addressing is the right way. We all know the reasons but they're obviously not good enough for enterprise security people. -Laszlo NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT. -- TTFN, patrick
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco jgr...@ns.sol.net wrote: I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security. The problem here is that what's actually going on is that you're now enshrining as a security device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature. Hi Joe, That would be one of those details on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature. You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? Actually, yes, it does. Using the product as intended is substantially less risky than trying to figure out how to use some sort of proxy or gateway functionality to emulate NAT, and then screwing that up. What sort of traction are you getting from that argument when you speak with enterprise security folks? Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
RE: misunderstanding scale
I don't buy that one at all. Grandma does not care or know about IPv4 or IPv6. When the IPv4 CPE gets installed it blocks inbound connections by default, why would IPv6 be any different? Windows firewall if she is relying on that should not have any more problems with v6 than it does with v4. I am also pretty sure that grandma does not care that NAT is present or not. In fact, grandma's cell phone might already be using v6. If the equipment does not work right out of the box, that is the equipment supplier or service provider problem. Do you really believe that most people deploying home gateways understand IPv4, NAT, or stateful firewalls? No, they plug it in and the defaults should work for them. It might require an engineering degree (or reading) to understand how IPv6 works however grandma does not need to know how IPv6 works or even how a network works. She plugs in the CPE, plugs in her PC and off you go. The smart people on this list are the ones that need to know how it works. If we can't make the customer experience transparent to them, then bad on us. Steve -Original Message- From: Curtis Maurand [mailto:cmaur...@xyonet.com] Sent: Monday, March 24, 2014 12:34 PM To: Naslund, Steve Subject: Re: misunderstanding scale On 3/24/2014 12:53 PM, Naslund, Steve wrote: If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside. If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6. If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter. If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security. In the home, I am not sure what the major issue is there either.
How many CPE devices have you seen that do not implement basic firewall functionality? People may not use them correctly but that is no more an issue with v6 than it is with v4. Most CPE even comes out of the box blocking inbound connections by default. But grandma doesn't have the ability to deploy a stateful firewall at her house. She doesn't even understand what stateful means. Putting up a NAT firewall on an IPv4 network is simple and it's easy. It provides adequate protection of one's internal network from the outside. You plug them in and they work. IPv6 just about requires an engineering degree to understand it. Nobody thought about simplicity with it.
Re: misunderstanding scale
On Mar 24, 2014, at 13:17 , William Herrin b...@herrin.us wrote: On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20 years. IPv6 poorly addresses their requirement. NAT is not required for the above. Any firewall can stop incoming packets unless they are part of an established session. NAT doesn't add much of anything, especially given that you can have one-to-one NAT. Hi Patrick, What sort of traction are you getting from that argument with enterprise security folks who object to deploying IPv6 because of NAT? The _good_ security people complain about deploying NAT in v4 or v6, because they don't think it is security. What sort of traction do you get with security people when you tell them NAT == security in depth? If you mean do people who get hired by $CORPORATION and do not know anything about security get upset when you tell them something they did not know? The answer is frequently, yes. I'm not sure what that has to do with the discussion at hand, though. -- TTFN, patrick
Re: misunderstanding scale
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said: You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? The problem is that the two layers of security that they're giving up are made from the same fabric as the Emperor's new clothes.
Re: misunderstanding scale
On 3/24/14 1:37 PM, William Herrin b...@herrin.us wrote: On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco jgr...@ns.sol.net wrote: I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security. The problem here is that what's actually going on is that you're now enshrining as a security device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature. Hi Joe, That would be one of those details on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature. What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall? The NAT on home gateways may be a full-cone NAT. This allows easier setup of online gaming, for instance, or other applications where an inbound SYN is required. This provides no security, since as soon as a connection is established, all traffic is allowed. Even restricted cone NATs provide little protection, just a bit of guessing that even a human could manage. If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine. You may use NPT66 with ULA; that function is defined. Lee
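Lee's classification of NAT behaviours above, and Patrick's earlier point that any stateful firewall already refuses packets that are not part of an established session, can be checked side by side in a small simulation. This is an added example, not code from the thread or from any of its participants; the addresses are constructed from the IPv4/IPv6 documentation ranges, and the three NAT kinds follow the full-cone / restricted-cone / symmetric distinction Lee names.

```python
"""Simulation: unsolicited inbound packets vs. a stateful filter and three NAT kinds."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed sample addresses (documentation ranges, not real hosts).
INSIDE_V6 = "2001:db8:1::10"   # GUA host behind a stateful filter, no NAT
INSIDE_V4 = "10.0.0.10"        # RFC1918 host behind an address-overloading NAT
NAT_PUBLIC = "192.0.2.1"       # the NAT's single public address
PEER = "203.0.113.5"           # server the inside host talks to
STRANGER = "198.51.100.9"      # outside party that never was contacted

Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny firewall: inbound passes only for flows the inside opened."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> bool:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # The reversed 5-tuple must match a flow the inside host started.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class Nat:
    """Address-overloading NAT; `kind` is full-cone, restricted-cone or symmetric."""

    def __init__(self, kind: str, public_ip: str = NAT_PUBLIC) -> None:
        assert kind in ("full-cone", "restricted-cone", "symmetric")
        self.kind, self.public_ip, self.next_port = kind, public_ip, 40000
        self.cone: Dict[Tuple[str, int], int] = {}     # (in_ip, in_port) -> ext port
        self.sym: Dict[Flow, int] = {}                  # symmetric: one ext port per peer
        self.peers: Dict[int, Set[str]] = {}            # ext port -> peer IPs contacted
        self.reverse: Dict[int, Tuple[str, int]] = {}   # ext port -> (in_ip, in_port)

    def _alloc(self) -> int:
        self.next_port += 1
        return self.next_port

    def outbound(self, pkt: Packet) -> int:
        """Translate inside->outside and return the external port that was used."""
        if self.kind == "symmetric":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            ext = self.sym.setdefault(key, self._alloc())
        else:
            ext = self.cone.setdefault((pkt.src, pkt.sport), self._alloc())
        self.reverse[ext] = (pkt.src, pkt.sport)
        self.peers.setdefault(ext, set()).add(pkt.dst)
        return ext

    def inbound(self, pkt: Packet) -> bool:
        """Outside->inside packet aimed at the public address: forwarded or dropped?"""
        if pkt.dst != self.public_ip or pkt.dport not in self.reverse:
            return False          # no mapping: the inside host is simply unaddressable
        if self.kind == "full-cone":
            return True           # anyone who learns the mapped port gets through
        if self.kind == "restricted-cone":
            return pkt.src in self.peers[pkt.dport]
        in_ip, in_port = self.reverse[pkt.dport]   # symmetric: exact peer only
        return self.sym.get((in_ip, in_port, pkt.src, pkt.sport)) == pkt.dport


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Return {design: {case: reached the inside host?}} for the same three probes."""
    results: Dict[str, Dict[str, bool]] = {}
    fw = StatefulFilter()
    fw.outbound(Packet(INSIDE_V6, 50000, PEER, 443))
    results["ipv6 stateful filter"] = {
        "reply from peer": fw.inbound(Packet(PEER, 443, INSIDE_V6, 50000)),
        "stranger to same port": fw.inbound(Packet(STRANGER, 443, INSIDE_V6, 50000)),
        "unsolicited SYN to printer": fw.inbound(Packet(STRANGER, 1234, INSIDE_V6, 9100)),
    }
    for kind in ("full-cone", "restricted-cone", "symmetric"):
        nat = Nat(kind)
        ext = nat.outbound(Packet(INSIDE_V4, 50000, PEER, 443))
        results[f"ipv4 {kind} nat"] = {
            "reply from peer": nat.inbound(Packet(PEER, 443, NAT_PUBLIC, ext)),
            "stranger to same port": nat.inbound(Packet(STRANGER, 443, NAT_PUBLIC, ext)),
            "unsolicited SYN to printer": nat.inbound(Packet(STRANGER, 1234, NAT_PUBLIC, 9100)),
        }
    return results


if __name__ == "__main__":
    for design, cases in run_scenario().items():
        print(design, cases)
```

The symmetric NAT and the NAT-free stateful filter give identical answers for every probe, while the full-cone NAT lets the stranger in as soon as one outbound connection exists.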
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 11:36 AM, Alexander Lopez alex.lo...@opsys.com wrote: not to mention the cost in readdressing your entire network when you change an upstream provider. Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.

Which is, of course, precisely the use case that ULA and NPTv6 (RFC 6296, not to be confused with a non-existent NAT66) addresses
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard l...@asgard.org wrote: On 3/24/14 1:37 PM, William Herrin b...@herrin.us wrote: That would be one of those details on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.

What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?

Hi Lee,

I don't see NAT as a deployment issue for residential networks. Most folks just hook their computer up to whatever CPE the vendor sends them without any further attention.

If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network, if security-through-obscurity is one of your defense in depth layers, that's fine.

Obscurity offers one or more defense layers. If you disagree, post your passwords here. Unaddressability is a second defense layer. Stateful firewalling is a third. You observe that all three are accomplished by the same lines of code in the firewall. The firewall doesn't exist in a void. It's part of a system. That system is configured with unroutable addresses or it isn't. It has many public addresses or it doesn't.

Regards,
Bill Herrin

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 8:25 AM, Joe Greco jgr...@ns.sol.net wrote: Bill Herrin wrote: I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.

The problem here is that what's actually going on is that you're now enshrining as a security device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature. If you want more layers of security, put a second firewall into your design. Don't perpetuate horrid IPv4 hacks that were necessary for specific reasons into IPv6 where those hacks are no longer needed. With 24 million small businesses in the US alone, that's way too many apples.

Precisely. Repeat after me. NAT is not a security feature. Period. It offers no meaningful protection. We've known how to bypass NATs almost from the moment they were developed. Defense in depth has nothing to do with NAT. In our enterprise deployment, it involves two layers of heterogeneous firewalls (protecting multiple security zones from the internal network and the Internet), IPS/IDS, web filters, mail filters, and an active CSIRC monitoring, analyzing, and responding to threats and attacks. If you're an enterprise and don't have something similar in place, then you have no security defense in depth. Thank goodness our Cybersecurity organization actually comprehends real computer and network security instead of promoting snake oil.

Scott
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 12:37 PM, William Herrin b...@herrin.us wrote: What sort of traction are you getting from that argument when you speak with enterprise security folks?

Actually, I never even had to make the argument in our enterprise. Our cybersecurity organization already knew that overall NAT reduced rather than enhanced network security and had a deeper real understanding of security defense in depth than I did. I never had to convince anyone that NAT wasn't a security feature. It sounds like we have so many enterprises that do security poorly because many don't even understand the basics.

Scott
Re: misunderstanding scale
it involves two layers of heterogeneous firewalls (protecting multiple
                          ^

Ugh. Knew I was forgetting something.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
RE: misunderstanding scale
I doubt that many residential customers will be readdressing their networks except for us geeks. Most of them are going to be using CPE that grabs an address via DHCP for the WAN interface and then does an IPv6 DHCP PD with the /64 it gets from the service provider. The customer sees nothing at all. It is plug and play. In IPv6 the concept of manual addressing is strongly discouraged so the issue of readdressing networks should be improved not made more difficult. Private address space assignments might be simple to you but grandma and my sister in law, not so much. They just plug in their gear and don't worry about addresses.

In the corporate world, there is nothing stopping you from keeping your ipv4 private addressing going for a long time. In fact, I think that is what most companies will do. If you want IPv6 internally, then have at it and please use DHCP.

Steven Naslund

On Mon, Mar 24, 2014 at 11:36 AM, Alexander Lopez alex.lo...@opsys.com wrote: not to mention the cost in readdressing your entire network when you change an upstream provider. Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has allowed many to enjoy a simple network addressing scheme.

Which is, of course, precisely the use case that ULA and NPTv6 (RFC 6296, not to be confused with a non-existent NAT66) addresses
Re: misunderstanding scale
* William Herrin

On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush ra...@psg.com wrote: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.

it can be stateless

You're smarter than that.

https://tools.ietf.org/html/rfc6145
https://tools.ietf.org/html/draft-ietf-softwire-map-t-05
https://tools.ietf.org/html/draft-anderson-siit-dc-00

Tore
RE: misunderstanding scale
Yes, that is exactly what IPv6 expects of us. The only surprising part is by all indications the IPv6 designers did not think this would be a problem.

-Original Message-
From: William Herrin [mailto:b...@herrin.us]
Sent: Monday, March 24, 2014 1:14 PM
To: Joe Greco
Cc: nanog@nanog.org
Subject: Re: misunderstanding scale

On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco jgr...@ns.sol.net wrote: all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.

Time to give up two layers of meaningless security for the riches offered by the vastness of the new address space.

Hi Joe,

You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?

-Bill

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: misunderstanding scale
On 3/24/14 10:08 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas m...@mtcc.com wrote: On 03/24/2014 09:20 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed.

Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two.

A distinction without a difference, IMHO. Either I can send you an incoming SYN or I can't.

Hi Mike,

You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the Football? I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.

The point here is that your depth is the same with or without nat. The act of address translation does not alter its routability, it's the firewall rules that say no incoming SYN's without an existing connection state, etc. That is, and always has been, the business end of firewalls.

The other thing about v6 is that counting on addressability in any way shape or form is a fool's errand: hosts want desperately to number their interfaces with whatever GUA's they can given RA's, etc. So you may think you're only giving out ULA's, but I wouldn't count on that from a security perspective. v6 is not like DHCPv4 even a little in that respect: if the hosts can get a GUA, they will configure it and use it.

Mike
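Lee Howard's cone-NAT distinctions earlier in the thread and Mike's point that the connection state, not the translation, is what stops unsolicited inbound traffic, modelled as an added Python example (not code from the thread or from any participant). The NAT types use RFC 3489 terminology; the addresses, ports and the three probe endpoints are constructed sample values.

```python
# Added example (not from the thread): a toy model of full-cone, restricted-cone
# and symmetric NAT filtering beside a plain stateful firewall, showing which
# unsolicited inbound packets each admits once a single outbound flow exists.
# All hosts, ports and probe endpoints are constructed sample values.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Mapping:
    """One outbound binding: inside (ip, port) -> public port."""
    inside: tuple
    public_port: int
    peers: set = field(default_factory=set)  # remote endpoints contacted

class NatBox:
    """NAT types in RFC 3489 terms, distinguished by their inbound filter.
    (A real symmetric NAT also allocates a new public port per destination;
    this model keeps one mapping and applies only the stricter filter.)"""
    def __init__(self, mode, public_ip="203.0.113.1"):
        assert mode in ("full_cone", "restricted_cone", "symmetric")
        self.mode, self.public_ip = mode, public_ip
        self.by_inside = {}   # (ip, port) -> Mapping
        self.by_public = {}   # public port -> Mapping
        self._next_port = 40000

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port)
        m = self.by_inside.get(key)
        if m is None:
            m = Mapping(key, self._next_port)
            self._next_port += 1
            self.by_inside[key] = m
            self.by_public[m.public_port] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, m.public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the untranslated packet if the filter admits it, else None."""
        m = self.by_public.get(pkt.dst_port)
        if m is None or pkt.dst_ip != self.public_ip:
            return None                       # no mapping: every type drops it
        if self.mode == "full_cone":          # endpoint-independent filtering
            allowed = True
        elif self.mode == "restricted_cone":  # address-dependent filtering
            allowed = any(ip == pkt.src_ip for ip, _ in m.peers)
        else:                                 # address-and-port-dependent
            allowed = (pkt.src_ip, pkt.src_port) in m.peers
        return Packet(pkt.src_ip, pkt.src_port, *m.inside) if allowed else None

class StatefulFirewall:
    """No translation at all: admits inbound only for a flow the inside host
    started (the 'no incoming SYN without connection state' rule)."""
    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, peer_ip, peer_port)

    def outbound(self, pkt):
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt if key in self.flows else None

def admitted(device, probes):
    """Send one outbound flow to a game server, then report which inbound
    probes reach the inside host. Returns {probe_name: bool}."""
    out = device.outbound(Packet("192.0.2.10", 5000, "198.51.100.7", 27015))
    results = {}
    for name, (ip, port) in probes.items():
        probe = Packet(ip, port, out.src_ip, out.src_port)
        results[name] = device.inbound(probe) is not None
    return results

PROBES = {
    "server_reply":   ("198.51.100.7", 27015),   # the legitimate reply
    "server_other":   ("198.51.100.7", 1),       # same host, other port
    "unrelated_host": ("198.51.100.99", 27015),  # never contacted at all
}

if __name__ == "__main__":
    for dev in (NatBox("full_cone"), NatBox("restricted_cone"),
                NatBox("symmetric"), StatefulFirewall()):
        print(type(dev).__name__, getattr(dev, "mode", ""), admitted(dev, PROBES))
```

Only the full-cone box lets the never-contacted host in, and the symmetric filter ends up making exactly the decision the stateful firewall makes without any translation.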
Re: misunderstanding scale
https://tools.ietf.org/html/rfc6145
https://tools.ietf.org/html/draft-ietf-softwire-map-t-05
https://tools.ietf.org/html/draft-anderson-siit-dc-00

derived from 6346

randy
Re: misunderstanding scale
On 3/24/14 10:37 AM, valdis.kletni...@vt.edu wrote: On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said: You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?

The problem is that the two layers of security that they're giving up are made from the same fabric as the Emperor's new clothes

Made of neutrinos for which nobody is exactly sure have mass.

Mike
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 2:56 PM, Tore Anderson t...@fud.no wrote: * William Herrin On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush ra...@psg.com wrote: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.

it can be stateless

You're smarter than that.

https://tools.ietf.org/html/rfc6145
https://tools.ietf.org/html/draft-ietf-softwire-map-t-05
https://tools.ietf.org/html/draft-anderson-siit-dc-00

And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly? And then only for the v6 hosts you've configured in the v6 address range for which v4 translation is allowed (no SLAAC!). Like I told Randy: you're smarter than that.

-Bill

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: misunderstanding scale
And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly?

maybe you should read the documents
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 1:37 PM, valdis.kletni...@vt.edu wrote: On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said: You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint?

The problem is that the two layers of security that they're giving up are made from the same fabric as the Emperor's new clothes

Howdy,

In an environment of increasing breaches despite massive attention and expenditure on cyber security, you'll find that giving up any layer of security is a very hard sell. You'll find convincing folks to deploy new technologies which demand that they give up a layer of security an even harder sell. And of course everybody likes to be told that they're an idiot by someone whose explanation of the error in their reasoning consists of restating the claim of error in the form of a metaphor. But don't let me dissuade you from trying.

Regards,
Bill Herrin

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 6:46 PM, Randy Bush ra...@psg.com wrote: And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly?

maybe you should read the documents

I did. They were abstruse beyond even the normal level for RFCs but I made it through. You propose stateless NAT64 as a viable alternative to CGN. The question stands: where are you planning to get the extra IPv4 addresses for the static 1:1 mapping?

-Bill

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: misunderstanding scale
You propose stateless NAT64 as a viable alternative to CGN.

where do i do that?

The question stands: where are you planning to get the extra IPv4 addresses for the static 1:1 mapping?

maybe look at the +P in A+P

randy
Re: misunderstanding scale
On Mon, Mar 24, 2014 at 7:37 PM, Randy Bush ra...@psg.com wrote: You propose stateless NAT64 as a viable alternative to CGN.

where do i do that?

Nick Hilliard: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN.

Your reply (verbosity added for clarity): [Sure it is! Unlike where folks solve their problem with CGN, v6 to v4 protocol translation] can be stateless.

The question stands: where are you planning to get the extra IPv4 addresses for the static 1:1 mapping?

maybe look at the +P in A+P

Nah, I'm done following bread crumbs for the day. Explain yourself or don't.

Regards,
Bill Herrin

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: misunderstanding scale
You propose stateless NAT64 as a viable alternative to CGN.
^^^

where do i do that?

Nick Hilliard

ahh. i see your error. i am not nick hilliard. he's the cute one.

Your reply (verbosity added for clarity): [Sure it is! Unlike where folks solve their problem with CGN, v6 to v4 protocol translation] can be stateless.

again, you put words in my mouth which were not there. i did not say v6 to v4 translation.

Nah, I'm done following bread crumbs for the day.

cool. then we can all go back to reality and what people actually said.

bye

randy
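The "+P in A+P" Randy points at, worked through as an added Python example (not code from the thread or from any of the linked drafts): the port-set arithmetic of the MAP documents Tore linked (draft-ietf-softwire-map, later published as RFC 7597, section 5.1), which is how one IPv4 address is shared among 2^k subscribers without per-flow state. The parameters a=6, k=4 and every address used are constructed sample values.

```python
# Added example (not from the thread): the port-set arithmetic behind the
# "+P" in A+P, as specified for MAP (draft-ietf-softwire-map, later RFC 7597
# section 5.1). One IPv4 address is split into 2**k port sets; a subscriber
# owns one port-set ID (PSID), and a relay finds the subscriber for any
# (address, port) by arithmetic alone, with no per-flow state. The parameters
# a=6, k=4 and every address below are constructed sample values.
import ipaddress

def port_set(psid, a=6, k=4):
    """All ports belonging to port-set ID `psid`.

    a: offset bits. Ports whose top `a` bits are zero (the lowest 2**(16-a)
       ports, 0-1023 for a=6) are excluded from every set so the well-known
       range is never handed to a subscriber.
    k: PSID length; 2**k subscribers share one IPv4 address.
    The remaining m = 16 - a - k bits number contiguous ports inside a block.
    """
    m = 16 - a - k
    if not (0 <= psid < 2 ** k) or m < 0:
        raise ValueError("psid or parameters out of range")
    ports = []
    for A in range(1, 2 ** a):            # A == 0 is the excluded range
        base = (A << (16 - a)) | (psid << m)
        ports.extend(range(base, base + 2 ** m))
    return ports

def psid_of_port(port, a=6, k=4):
    """Inverse mapping: the PSID that owns `port`, or None if excluded."""
    m = 16 - a - k
    if not (0 <= port < 65536) or (port >> (16 - a)) == 0:
        return None
    return (port >> m) & ((1 << k) - 1)

def subscriber_for(shared_ipv4, dst_ipv4, dst_port, a=6, k=4):
    """Stateless relay-side lookup for a packet towards the shared address:
    the PSID carried in the destination port identifies the subscriber.
    (Hypothetical helper; a real BR goes on to build the IPv6 destination.)"""
    if ipaddress.IPv4Address(dst_ipv4) != ipaddress.IPv4Address(shared_ipv4):
        return None
    return psid_of_port(dst_port, a, k)

def sharing_summary(a=6, k=4):
    """Subscribers per address, ports per subscriber, ports held back."""
    m = 16 - a - k
    return {"subscribers": 2 ** k,
            "ports_each": (2 ** a - 1) * 2 ** m,
            "excluded_ports": 2 ** (16 - a)}

def check_partition(a=6, k=4):
    """True when the 2**k port sets are pairwise disjoint and together cover
    exactly the non-excluded ports, i.e. no two subscribers can collide."""
    seen = set()
    for psid in range(2 ** k):
        ps = set(port_set(psid, a, k))
        if ps & seen:
            return False
        seen |= ps
    return seen == set(range(2 ** (16 - a), 65536))

if __name__ == "__main__":
    print(sharing_summary())                                   # 16 x 4032 ports
    print(port_set(3)[:4])                                     # [1216, ..., 1219]
    print(subscriber_for("203.0.113.5", "203.0.113.5", 1216))  # 3
    print(check_partition())                                   # True
```

The trade-off the thread is circling is visible in `sharing_summary`: with k=4 each subscriber keeps 4032 ports of one address, and no translator state is needed, but the port budget shrinks by half for every extra bit of sharing.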
Re: misunderstanding scale
FYI

He tells everyone they're cute. Don't buy his tricks, he doesn't call back the next morning. ;)

Ps. Take it easy on each other. It's the beginning of spring.. Head outside.. Go have a beer.. Smoke a joint.. What I am getting at is.. It's possible you guys should relax and realize that in the grand scheme of things a lot of this really doesn't matter. Go be human beings in the world, the internet and this flame thread will still be here as it has been for generations (internet generations, anyways..)

Just my .02

WOSA

On 3/24/14, 4:53 PM, Randy Bush ra...@psg.com wrote: You propose stateless NAT64 as a viable alternative to CGN.
^^^

where do i do that?

Nick Hilliard

ahh. i see your error. i am not nick hilliard. he's the cute one.

Your reply (verbosity added for clarity): [Sure it is! Unlike where folks solve their problem with CGN, v6 to v4 protocol translation] can be stateless.

again, you put words in my mouth which were not there. i did not say v6 to v4 translation.

Nah, I'm done following bread crumbs for the day.

cool. then we can all go back to reality and what people actually said.

bye

randy
Re: misunderstanding scale (was: Ipv4 end, its fake.)
In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Maintaining dual protocols for the entire internet is problematic, wasteful, and horribly inefficient at best. Bottom line, the internet outgrew IPv4 almost 30 years ago and we’ve been using various hacks like NAT as a sort of IPv4 life-support ever since. Ask any doctor about the prospects for a patient on life support for years at a time and they will probably laugh at you. Patients rarely survive more than a few days on life support, let alone weeks, months, or even years. Yes, we’ve done really well with internet life support. So well that many have been lulled into a false sense of safety believing that these extreme measures can be continued indefinitely and scaled well beyond their breaking points. There is little visibility into the escalating cost and complexity of these measures and even less awareness of the relative ease of deploying IPv6 compared to most of these mechanisms.

Owen

On Mar 22, 2014, at 2:25 AM, Bryan Socha br...@digitalocean.com wrote: Fair point. There are some situations that do need more than most, but aren't they the ones that should be on ipv6 already??? I know a few are shouldn't I be on ipv6 and that's fair too. I'm planning some speaking engagements to cover that. It's not blind and ignoring.

On Mar 22, 2014 4:36 AM, TJ trej...@gmail.com wrote: Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.) Do IPv6. /TJ

On Mar 22, 2014 3:09 AM, Bryan Socha br...@digitalocean.com wrote: As someone growing in the end of ipv4, it's all fake. Sure, the rirs will run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
Re: misunderstanding scale (was: Ipv4 end, its fake.)
Let’s assume, for a moment, that there are 32 /8s out there that could be reclaimed. Let’s further assume that renumbering out of a /8 takes, on average, about 18 months. (That’s moving almost 1,000,000 customers per month on average, potentially). Even if we got all 32 /8 equivalents back over the next 18 months, it would only buy us approximately 2 years of additional IPv4 life-span when divvied up among APNIC, RIPE, etc. The IPv4 situation is not artificial. IPv4 is being maintained well past its useful life at great cost.

Owen

On Mar 22, 2014, at 2:30 AM, Bryan Socha br...@digitalocean.com wrote: Oh btw, how many ipv4s are you hoarding with zero justification to keep them? I was unpopular during apricot for not liking the idea of no liability leasing of v4. I don't like this artificial v4 situation every eyeball network created. Why is v4 a commodity and asset? Where are the audits. I can justify my 6 /14s, can you still?

On Mar 22, 2014 4:36 AM, TJ trej...@gmail.com wrote: Millions of IPs don't matter in the face of X billions of people, and XX-XXX billions of devices - and this is just the near term estimate. (And don't forget utilization efficiency - Millions of IPs is not millions of customers served.) Do IPv6. /TJ

On Mar 22, 2014 3:09 AM, Bryan Socha br...@digitalocean.com wrote: As someone growing in the end of ipv4, it's all fake. Sure, the rirs will run out, but that's boring. Don't believe the fake auction sites. Fair price of IP at the end is $1 for bad Rep $2 for barely used, $3 for no spam and $4 for legacy. Stop the inflation. Millions of IPS exist, there is no shortage and don't lie for rirs with IPS left.
Re: misunderstanding scale
On Mar 22, 2014, at 10:16 AM, Nick Hilliard n...@foobar.org wrote: On 22/03/2014 16:29, Doug Barton wrote: It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant future it will be the dominant network technology, and you don't want to get left behind.

not wanting to rain on anyone's parade, but people have been claiming this since the days of IPng. Granted, we're a couple of years after IANA runout and two RIRs are also in post-runout phase, but the level of pain associated with continued deployment of ipv4-only services is still nowhere near the point that ipv6 can be considered a viable alternative.

Nick

True. However, if you wait until that point to start deploying IPv6, you’re in for a LOT of pain during that protracted emergency transition phase you just volunteered for. OTOH, if you implement IPv6 in parallel to your IPv4 from this point forward, there’s very little additional pain and retrofitting your IPv4 can proceed at some pace until complete. After that, you can turn off IPv4 as soon as you don’t need it any more and enjoy the show while everyone else plays catchup.

Owen
Re: misunderstanding scale
On 2014-03-24, Naslund, Steve snasl...@medline.com wrote: If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from being accessible from the outside. If you are an enterprise and you don't have a stateful firewall, you are in trouble from a security standpoint whether you run v4 or v6. If you cannot configure a stateful firewall to block connections being initiated from outside, you are not qualified to be working with the firewall, v4 or v6 does not matter. If someone is relying on NAT in case their firewall is misconfigured, they have major issues with security.

In the home, I am not sure what the major issue is there either. How many CPE devices have you seen that do not implement basic firewall functionality? People may not use them correctly but that is no more an issue with v6 than it is with v4. Most CPE even comes out of the box blocking inbound connections by default.

Tell that to our little D-Link AP/router with stateless filters only for v6, and broken config options that make it impossible to apply even that to a tunnel interface (HE).

I agree with you on pushing v6 adoption and that at the root of it you should have a stateful firewall be it v4 or v6, but:

- if this thread is any indication and as per your first paragraph, way too many orgs are depending on NAT as a security feature and v6 is exposing that weakness in their posture
- home CPE implementations are largely crap, and good luck getting a decent portion of them supporting (functional) stateful v6 firewalls

Steve

-- 
Hugo

-Original Message-
From: Mark Tinka [mailto:mark.ti...@seacom.mu]
Sent: Monday, March 24, 2014 11:35 AM
To: Timothy Morizot
Cc: NANOG list
Subject: Re: misunderstanding scale

Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do.

The whole issue is that a number of enterprises may only feel safe if IPv6 comes with NAT66, probably on top (or not on top) of a stateful IPv6 firewall. We need to think about how to re-train the enterprise, if we don't want to repeat the erasure of the end-to-end model, second time around.

Mark.

-- 
Hugo Slabbert
Network Specialist
Phone: 604.606.4448
Email: hslabb...@stargate.ca
Stargate Connections Inc.
http://www.stargate.ca
Re: misunderstanding scale (was: Ipv4 end, its fake.)
IPv4 has already been trading around $10/address. So the prices quoted a while back don’t make much sense to me. Further, could you please quantify “vast”? How many /8 equivalents in a “vast number”? Until they ran out, APNIC was issuing approximately 1.5 /8s per month. How long, exactly, do you expect 3.2 billion unicast addresses to provide enough addressing for 6.8+ billion people?

Owen

On Mar 22, 2014, at 12:57 PM, John Levine jo...@iecc.com wrote: In such a case, where you are still pushing the case for IPv4, how do you envisage things will look on your side when everybody else you want to talk to is either on IPv6, or frantically getting it turned up? Do you reckon anyone will have time to help you troubleshoot patchy (for example) IPv4 connectivity when all the focus is on IPv6?

I've put that concern on my calendar for sometime around 2025. People have been saying switch to IPv6 now Now NOW for about a decade, and you can only cry wolf so many times. My servers do IPv6 through a tunnel from HE (thanks!) where the performance is only somewhat worse than the native v4, and my home cable has v6 that mostly works, but the key term there is mostly. (The ISP had a fairly bad internal routing bug which apparently nobody noticed until I tracked down why my v6 connectivity was flaky, and I happened to know some senior people at the ISP who could understand what I was telling them about their internal routers.)

We've just barely started to move from the era of free IPv4 to the one where you have to buy it, and from everything I see, there are vast amounts of space that will be available once people realize they can get real money for it. The prices cited a couple of messages back seem to be in the ballpark. It will be a long time before the price of v4 rises high enough to make it worth the risk of going v6 only.

R's,
John
Re: misunderstanding scale (was: Ipv4 end, its fake.)
On Mar 22, 2014, at 12:36 PM, William Herrin b...@herrin.us wrote: On Sat, Mar 22, 2014 at 11:54 AM, Justin M. Streiner strei...@cluebyfour.org wrote: On Sat, 22 Mar 2014, William Herrin wrote: On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner strei...@cluebyfour.org wrote: All of these 'Hail Mary' options for 'saving' IPv4 really are pointless.

IPv4 is like the U.S. Penny. It'll be useless long before it goes away. And right now it's far from useless.

Interesting analogy, but it misses the larger point. The larger point is that the ongoing effort to squeeze more mileage out of IPv4 will soon [1] outweigh the mileage we (collectively) get out of it.

Hi Justin,

That's what I hear. Interesting thing though: it hasn't happened yet. IANA ran out of /8's and it didn't happen. The RIRs dropped to high-conservation mode on their final allocations and it didn't happen. How could that be?

I disagree with your assertion that it hasn’t happened. It _IS_ happening. The cost of maintaining IPv4 is already going up and the increases will continue to become more dramatic over time.

Owen