Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread John Levine
In article  you write:
>What can you do with ULA that GUA isn’t suitable for?

I have a home network with two segments, one wired and one wireless.
It has IPv6 addresses assigned by my ISP, Spectrum nee TWC, which
probably won't change but who knows, they make no promises.  I have
some servers on my network, like printers, scanners, backup disks, and a
phone TA.  Getting my own /48 would be absurd.  ULAs are just the
ticket.



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Matt Erculiani
Not sure if this is the common thought, but if anyone has a network
which requires static IP assignments, they can probably justify a
request for a /48 from an RIR.  After all, ARIN's requirement for an
end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from
an ISP or other LIR are unsuitable". I would think that ISP
portability would satisfy this requirement, but If I'm wrong, I'm
absolutely open to being corrected on this. But most home users have
no need for static IPs, so the dynamic ISP assignment is perfectly
fine.

I think the tech will advance fast enough that keeping up with an IPv6
route table will be a non-issue. IPv6 adoption is, unfortunately, slow
enough that there will be no issues keeping up, even assuming a "slow"
hardware refresh cycle.

-M

On Thu, Mar 1, 2018 at 5:48 PM, Mark Andrews  wrote:
>
>> On 2 Mar 2018, at 9:28 am, Owen DeLong  wrote:
>>
>>
>>> On Mar 1, 2018, at 1:20 PM, Harald Koch  wrote:
>>>
>>> On 1 March 2018 at 15:18, Owen DeLong wrote:
>>> Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly 
>>> anyone
>>> uses ULA (the IPv6 analogue to RFC-1918).
>>>
>>> Wait. What's the objection to ULA? Is it just that NAT is bad, or is there 
>>> something new?
>>
>> No particular objection, but I don’t see the point.
>>
>> What can you do with ULA that GUA isn’t suitable for?
>>
>> Owen
>
> ULAs provide stable internal addresses which survive changing ISP
> for the average home user. Now, I know you can do the same thing
> by going to a RIR and getting a prefix but the RIRs aren’t setup
> to supply prefixes like that to 10 billion of us.
>
> They are also in a specific range which makes setting filtering
> rules easier for everyone else.
>
> Now I would love it if we could support 100 billion routes in the
> DFZ but we aren’t anywhere near being able to do that which would
> be a requirement for abandoning ULA.  Until then they have their
> place.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong


> On Mar 2, 2018, at 19:25, Bjørn Mork  wrote:
> 
> Owen DeLong  writes:
> 
>>> On Mar 2, 2018, at 3:17 AM, Bjørn Mork  wrote:
>>> 
>>> Owen DeLong  writes:
>>> 
 What can you do with ULA that GUA isn’t suitable for?
>>> 
>>> 1) get
>>> 2) keep
>>> 3) move
>> 
>> Wrong.
>> 
>> 1) get
>>Easy as going to http://tunnelbroker.net and
>> filling out a form. Remember to check the box for your /48.
> 
> Provided you have IPv4 connectivity and an email address you can and
> will associate with the tunnel/prefix.  You are limiting the scope here.
> 

Having an email address is a pretty low bar. You don’t need to actually set up
the tunnel, so all you need is an IPv4 address that answers ICMP echo. Also not
hard to come by.


>> 2) keep
>>Admittedly, you might have to connect to your tunnel every once in a 
>> while to keep it alive, but that’s
>>hardly a high bar.
> 
> Depends.  How about preconfigured devices in storage?  There are a
> number of use cases where outside connectivity does not matter, and
> where depending on regular connections will complicate stuff.

You don’t have to connect from the devices using the addresses, you just need 
to connect. A simple laptop will do. 


> 
>> 3) move
>>If you’re not talking to the internet with it (which you can’t with ULA, 
>> theoretically), you can move that same
>>HE /48 anywhere you want, with the additional advantage that you can, if 
>> you need to, connect your tunnel
>>and actually make it work on the internet too.
> 
> Sure. There is also a long tradition in IPv4 for "borrowing" someone
> elses addresses.  It is never a good idea.  You or anyone else cannot
> make any guarantee about HE address availability at any point in time or
> space.

Meh... if you’re concerned about that, get the addresses from an RIR. Some 
people think $100/year is a barrier, so I proposed a free alternative. 
> 
> You may also want to consider https://www.tunnelbroker.net/tos.php

Last time I read it, it didn’t preclude what I’m suggesting. It may have been 
updated, but if it was, I bet there are still workarounds within the TOS. 

> 
> 
>>> Granted, many of us can do that with GUAs too.  But with ULA those
>>> features are available to everyone everywhere.  Which is useful for a
>> 
>> You really think that doing ULA according to the RFCs (collision
>> avoidance algorithm and all) is easier than filling out a form at HE?
>> REALLY?
> 
> Yes.
> 
> You are comparing apples and orange seeds.  If you don't want to
> construct your tunnel from the RFCs, then you cannot require ULA users
> to start there either,

I wasn’t proposing actually constructing a tunnel at all. Merely using the 
tunnel as a way to get a /48 for free. 

I wasn’t requiring the ULA user to start from the RFCs, but specifying that
they had to comply with them.

The calculator is a slightly shorter form, I’ll grant you, but it doesn’t 
strike me as substantially easier. 

> 
> The ULA equivalent of the HE tunnel form is an ULA calculator. E.g
> http://www.kame.net/~suz/gen-ula.html
> 
> Which is much simpler.  At least it looks simpler to me.
> 
> But it doesn't really matter.  The main point is that ULAs are usable in
> many cases where HE (or other ISP allocated) GUAs are not. If you don't
> care about Internet connectivity, then ULAs are as good as PI GUA space.

My point is that in that case GUA is as good as ULA too. ULA offers no 
advantage. It’s just a waste of a /7. 

> 
> Believe it or not, but there are still devices and networks where
> Internet connectivity is either optional or even unwanted.  These
> devices and networks still need addresses for their internal
> communication.

Never denied that. I have some at home. They have /64s carved out of my /48 and 
work just fine. 


> 
>>> number of applications where you care mostly about the local environment
>>> and not so much about global connectivity.
>> 
>> I hear you, but I’m not convinced about the ease.
> 
> When was the last time you saw a non RFC1918 address in a consumer
> equipment setup guide?  If we consider the distant future where IPv4 is
> long dead and buried, what default configuration URL is going to
> replace http://192.168.1.1/ and similar?

One would hope something less brain-dead like http://config.local

If you’re asking about what prefix should be used in examples, well, that’s what
we have 2001:db8::/32 for.

> 
> IoT might be a thing for a while until people start worrying about where
> they store their data.  I'm sure local sensor networks will become
> popular again once the hype is over.
> 
> Many ISPs make more money on providing network accesses which are
> isolated from the Internet than actually providing Internet access
> 
> More and more systems are made up of networked subsystems.  Take a look
> at your average core router for example. These subsystems need
> addresses.  But you rarely want them to connect to the Internet.
> 
> One can easily imagine futur

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Bjørn Mork
Owen DeLong  writes:

>> On Mar 2, 2018, at 3:17 AM, Bjørn Mork  wrote:
>> 
>> Owen DeLong  writes:
>> 
>>> What can you do with ULA that GUA isn’t suitable for?
>> 
>> 1) get
>> 2) keep
>> 3) move
>
> Wrong.
>
> 1) get
>   Easy as going to http://tunnelbroker.net and
> filling out a form. Remember to check the box for your /48.

Provided you have IPv4 connectivity and an email address you can and
will associate with the tunnel/prefix.  You are limiting the scope here.

> 2) keep
>   Admittedly, you might have to connect to your tunnel every once in a 
> while to keep it alive, but that’s
>   hardly a high bar.

Depends.  How about preconfigured devices in storage?  There are a
number of use cases where outside connectivity does not matter, and
where depending on regular connections will complicate stuff.

> 3) move
>   If you’re not talking to the internet with it (which you can’t with 
> ULA, theoretically), you can move that same
>   HE /48 anywhere you want, with the additional advantage that you can, 
> if you need to, connect your tunnel
>   and actually make it work on the internet too.

Sure. There is also a long tradition in IPv4 for "borrowing" someone
elses addresses.  It is never a good idea.  You or anyone else cannot
make any guarantee about HE address availability at any point in time or
space.

You may also want to consider https://www.tunnelbroker.net/tos.php


>> Granted, many of us can do that with GUAs too.  But with ULA those
>> features are available to everyone everywhere.  Which is useful for a
>
> You really think that doing ULA according to the RFCs (collision
> avoidance algorithm and all) is easier than filling out a form at HE?
> REALLY?

Yes.

You are comparing apples and orange seeds.  If you don't want to
construct your tunnel from the RFCs, then you cannot require ULA users
to start there either,

The ULA equivalent of the HE tunnel form is an ULA calculator. E.g
http://www.kame.net/~suz/gen-ula.html

Which is much simpler.  At least it looks simpler to me.

But it doesn't really matter.  The main point is that ULAs are usable in
many cases where HE (or other ISP allocated) GUAs are not. If you don't
care about Internet connectivity, then ULAs are as good as PI GUA space.

Believe it or not, but there are still devices and networks where
Internet connectivity is either optional or even unwanted.  These
devices and networks still need addresses for their internal
communication.

>> number of applications where you care mostly about the local environment
>> and not so much about global connectivity.
>
> I hear you, but I’m not convinced about the ease.

When was the last time you saw a non RFC1918 address in a consumer
equipment setup guide?  If we consider the distant future where IPv4 is
long dead and buried, what default configuration URL is going to
replace http://192.168.1.1/ and similar?

IoT might be a thing for a while until people start worrying about where
they store their data.  I'm sure local sensor networks will become
popular again once the hype is over.

Many ISPs make more money on providing network accesses which are
isolated from the Internet than actually providing Internet access

More and more systems are made up of networked subsystems.  Take a look
at your average core router for example. These subsystems need
addresses.  But you rarely want them to connect to the Internet.

One can easily imagine future PC or handheld systems where internal
buses like I2C and USB (when used to connect *internal* lowspeed
components like fingerprint readers etc) have been replaced by IP over
ethernet.

Just to name a few applications I can think of here and now.  There are
many many more.

I'm not claiming that ULAs are the answers to all these.  There are
certainly reasons why you might want GUAs instead.  But these are cases
where the main disadvantage of the ULAs - The lack of Internet
connectivity - does not matter, or is even turned into an advantage.




Bjørn


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong

> On Mar 2, 2018, at 3:17 AM, Bjørn Mork  wrote:
> 
> Owen DeLong  writes:
> 
>> What can you do with ULA that GUA isn’t suitable for?
> 
> 1) get
> 2) keep
> 3) move

Wrong.

1) get
Easy as going to http://tunnelbroker.net and
filling out a form. Remember to check the box for your /48.

2) keep
Admittedly, you might have to connect to your tunnel every once in a 
while to keep it alive, but that’s
hardly a high bar.

3) move
If you’re not talking to the internet with it (which you can’t with 
ULA, theoretically), you can move that same
HE /48 anywhere you want, with the additional advantage that you can, 
if you need to, connect your tunnel
and actually make it work on the internet too.

> Granted, many of us can do that with GUAs too.  But with ULA those
> features are available to everyone everywhere.  Which is useful for a

You really think that doing ULA according to the RFCs (collision avoidance 
algorithm and all) is easier
than filling out a form at HE? REALLY?

> number of applications where you care mostly about the local environment
> and not so much about global connectivity.

I hear you, but I’m not convinced about the ease.

Owen
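Bjørn's ULA calculator and Owen's "collision avoidance algorithm and all" both refer to the same thing: the Global ID procedure in RFC 4193 section 3.2.2, which is what makes a ULA /48 unlikely to collide with anyone else's without a registry. The following is an added example written for this page, not code from the thread or from the kame.net calculator. It walks the RFC's steps (NTP timestamp, EUI-64, SHA-1, low 40 bits) and then carves /64s out of the resulting /48 the way a site numbers its segments. The MAC (from the RFC 7042 documentation range) and the fixed timestamp are constructed inputs so the run is reproducible; a real generator reads the clock and a local interface.

```python
"""RFC 4193 section 3.2.2 ULA Global ID generation.

Added example, not code from the thread or from the kame.net calculator.
"""
import hashlib
import ipaddress
import struct
from typing import List

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def ntp_timestamp(unix_time: float) -> int:
    """Step 1: 64-bit NTP time, 32-bit seconds since 1900 then 32-bit fraction."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return (((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def eui64_from_mac(mac: int) -> int:
    """Step 2: MAC-48 to modified EUI-64 (RFC 4291 App. A): insert ff:fe, flip U/L."""
    oui = (mac >> 24) & 0xFFFFFF
    ext = mac & 0xFFFFFF
    eui = (oui << 40) | (0xFFFE << 24) | ext
    return eui ^ (1 << 57)  # the U/L bit is bit 1 of the first octet


def generate_ula_prefix(mac: int, unix_time: float) -> ipaddress.IPv6Network:
    """Steps 3-6: key = time || EUI-64, SHA-1 it, keep the low 40 bits as the
    Global ID, and place it behind fc00::/7 with the L bit set (fd00::/8)."""
    key = struct.pack(">QQ", ntp_timestamp(unix_time), eui64_from_mac(mac))
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def carve_subnets(prefix: ipaddress.IPv6Network, count: int) -> List[ipaddress.IPv6Network]:
    """The first `count` /64s of the /48, one per segment (wired, wireless, ...)."""
    out: List[ipaddress.IPv6Network] = []
    for net in prefix.subnets(new_prefix=64):
        out.append(net)
        if len(out) == count:
            break
    return out


if __name__ == "__main__":
    # Constructed inputs so the run is reproducible: a MAC from the RFC 7042
    # documentation range and a fixed clock. A real generator reads the system
    # clock and a local interface's address; that is where the randomness comes from.
    MAC = 0x00005E005301
    ula = generate_ula_prefix(MAC, 1519948800.0)  # 2018-03-02T00:00:00Z
    print("ULA /48:", ula)
    for net in carve_subnets(ula, 2):
        print("  segment:", net)
```

The "collision avoidance" is probabilistic rather than administrative: 40 pseudo-random bits give two merging sites roughly a 2^-40 chance of clashing, which is the whole argument for running the procedure instead of hand-picking something memorable like fd00:1::/48 (which everyone else hand-picks too).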



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
For that matter, if we can kill IPv4, we have plenty of headroom for a LOT of 
IPv6 PI space.

Owen

> On Mar 1, 2018, at 4:48 PM, Matt Erculiani  wrote:
> 
> Not sure if this is the common thought, but if anyone has a network
> which requires static IP assignments, they can probably justify a
> request for a /48 from an RIR.  After all, ARIN's requirement for an
> end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from
> an ISP or other LIR are unsuitable". I would think that ISP
> portability would satisfy this requirement, but If I'm wrong, I'm
> absolutely open to being corrected on this. But most home users have
> no need for static IPs, so the dynamic ISP assignment is perfectly
> fine.
> 
> I think the tech will advance fast enough that keeping up with an IPv6
> route table will be a non-issue. IPv6 adoption is, unfortunately, slow
> enough that there will be no issues keeping up, even assuming a "slow"
> hardware refresh cycle.
> 
> -M
> 
> On Thu, Mar 1, 2018 at 5:48 PM, Mark Andrews  wrote:
>> 
>>> On 2 Mar 2018, at 9:28 am, Owen DeLong  wrote:
>>> 
>>> 
 On Mar 1, 2018, at 1:20 PM, Harald Koch  wrote:
 
 On 1 March 2018 at 15:18, Owen DeLong wrote:
 Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly 
 anyone
 uses ULA (the IPv6 analogue to RFC-1918).
 
 Wait. What's the objection to ULA? Is it just that NAT is bad, or is there 
 something new?
>>> 
>>> No particular objection, but I don’t see the point.
>>> 
>>> What can you do with ULA that GUA isn’t suitable for?
>>> 
>>> Owen
>> 
>> ULAs provide stable internal addresses which survive changing ISP
>> for the average home user. Now, I know you can do the same thing
>> by going to a RIR and getting a prefix but the RIRs aren’t setup
>> to supply prefixes like that to 10 billion of us.
>> 
>> They are also in a specific range which makes setting filtering
>> rules easier for everyone else.
>> 
>> Now I would love it if we could support 100 billion routes in the
>> DFZ but we aren’t anywhere near being able to do that which would
>> be a requirement for abandoning ULA.  Until then they have their
>> place.
>> 
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>> 



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong

> On Mar 1, 2018, at 5:30 PM, Mark Andrews  wrote:
> 
> 
>> On 2 Mar 2018, at 11:48 am, Matt Erculiani  wrote:
>> 
>> Not sure if this is the common thought, but if anyone has a network
>> which requires static IP assignments, they can probably justify a
>> request for a /48 from an RIR.  After all, ARIN's requirement for an
>> end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from
>> an ISP or other LIR are unsuitable". I would think that ISP
>> portability would satisfy this requirement, but If I'm wrong, I'm
>> absolutely open to being corrected on this. But most home users have
>> no need for static IPs, so the dynamic ISP assignment is perfectly
>> fine.
> 
> ISP assigned addresses are perfectly fine for TALKING TO THE REST OF THE 
> WORLD.
> ISP assigned addresses are not perfectly fine for internal communication.

Meh.

ISP assigned addresses _CAN_ be used to talk to the rest of the world. PI
addresses are also perfectly fine for this where supported.

> With IPv6 you use ULA along side ISP assigned addresses.

With IPv6 you _CAN_ use ULA along PA.
or you can use PI.
or you can use PI along side PA.

IMHO, either of the latter two are better than the former.

> With IPv4 RFC 1918 address + NAT the home user has STATIC local addresses
> for devices that need them.  Go look at your home router’s web pages.  You
> will be able to assign static addresses to your internal machines via DHCP.

My home router doesn’t have web pages since I turned off J-web.
It also doesn’t run DHCP as a server. (It does run a DHCP client to talk to 
Comcast).

I do, however, have some static DHCP entries in my dhcpd.conf file on my dhcp 
server.

> Are YOU going to tell everyone that sets values there that they no longer
> can do the same thing for IPv6.  That they need to fully renumber all their
> devices just because the ISP gave them a different prefix this morning?

Nope… But there’s _NO_ reason they can’t do that equally well with a PI block
(or a free /48 from HE that they just don’t bother to really connect to a
tunnel) instead of ULA.

So… I stand by my point… ULA offers no… ZERO advantages over GUA.

All the defense of ULA makes strange assumptions about the nature of GUA.
I did not. Any form of GUA that suits the purpose is fine with me. If you’re
comfortable with PA, great. If you prefer PI, great. If you need something
free, get a /48 from HE, they hand them out on a simple web form. If you’re
using it locally, nothing says you _HAVE_ to actually turn on the tunnel.
OTOH, if you want, you’re certainly free to do so and it will solve certain
address selection oddities that happen with some systems when ULA is used and
greatly simplify your DNS life.

Owen

>> I think the tech will advance fast enough that keeping up with an IPv6
>> route table will be a non-issue. IPv6 adoption is, unfortunately, slow
>> enough that there will be no issues keeping up, even assuming a "slow"
>> hardware refresh cycle.
>> 
>> -M
>> 
>> On Thu, Mar 1, 2018 at 5:48 PM, Mark Andrews  wrote:
>>> 
 On 2 Mar 2018, at 9:28 am, Owen DeLong  wrote:
 
 
> On Mar 1, 2018, at 1:20 PM, Harald Koch  wrote:
> 
> On 1 March 2018 at 15:18, Owen DeLong wrote:
> Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly 
> anyone
> uses ULA (the IPv6 analogue to RFC-1918).
> 
> Wait. What's the objection to ULA? Is it just that NAT is bad, or is 
> there something new?
 
 No particular objection, but I don’t see the point.
 
 What can you do with ULA that GUA isn’t suitable for?
 
 Owen
>>> 
>>> ULAs provide stable internal addresses which survive changing ISP
>>> for the average home user. Now, I know you can do the same thing
>>> by going to a RIR and getting a prefix but the RIRs aren’t setup
>>> to supply prefixes like that to 10 billion of us.
>>> 
>>> They are also in a specific range which makes setting filtering
>>> rules easier for everyone else.
>>> 
>>> Now I would love it if we could support 100 billion routes in the
>>> DFZ but we aren’t anywhere near being able to do that which would
>>> be a requirement for abandoning ULA.  Until then they have their
>>> place.
>>> 
>>> Mark
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
> 



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong

> On Mar 1, 2018, at 6:30 PM, Harald Koch  wrote:
> 
> On 1 March 2018 at 18:48, Mark Andrews  wrote:
> 
>> ULA provide stable internal addresses which survive changing ISP
>> for the average home user.
> 
> 
> Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
> that I can put into the (internal) DNS: ISP prefixes for global routing.
> Renumbering is hard.
> 
> All of the objections I've seen to ULA are actually objections to (IPv6)
> NAT, which is why I was confused.

I object to NAT more strongly than ULA, but IMHO, even if you aren’t going to 
route it, a block of GUA PI makes more sense than ULA for virtually any 
installation I can imagine.

Owen



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong

> On Mar 2, 2018, at 1:50 AM, Saku Ytti  wrote:
> 
> Enno et al ULA fans
> 
> I could not agree more.
> 
> Either you provide your enterprise customers transportable addresses or
> ULA. If you assign and promote them to use your 'PA' address, they
> will take your PA address with them when they change operator 10 years
> from now, and if you reuse it, these two customers cannot reach each
> other. Why? Because anyone who has worked at non-trivial size
> enterprise knows that even just finding out what needs to be done, to
> renumber internal networks is massively long, expensive and error
> prone proposal, there will be tons of documents and scripts in
> non-standard locations containing IP addresses punched in.

This, right here, is inherently a very good reason NOT to use ULA IMHO.

See, no matter how widely you deploy ULA, those same scripts are still going to
use the provider assigned public addresses that work for all the things they
care about and not just local connectivity.  Instead, you adopted a false sense
of security and made it more confusing when things do get renumbered.

I completely agree that PI is the way to go and that PA was a silly idea whose
time is long past. For home users, perhaps PA is OK for a little while longer
(wouldn’t make me happy in my home, but I’ve got PI, so whatever other folks
want to do isn’t my problem here).

> No matter how well you do your job, you cannot impact how others do,
> and you must expect them to continue working as they have in the past,
> and you must realise when that poses risk to yourself and protect
> yourself from that.

Which won’t happen with ULA.

> ULA at inside and 1:1 to operator address in the edge is what I've
> been recommending to my enterprise customers since we started to offer
> IPv6 commercially. Fits their existing processes and protects me from
> creating tainted unusable addresses.

Oh, please. NAT all over again? That’s another inherently very good reason
NOT to use ULA.

Owen

> 
> 
> On 2 March 2018 at 11:39, Enno Rey  wrote:
>> Hi,
>> 
>> On Thu, Mar 01, 2018 at 09:30:32PM -0500, Harald Koch wrote:
>>> On 1 March 2018 at 18:48, Mark Andrews  wrote:
>>> 
 ULA provide stable internal addresses which survive changing ISP
 for the average home user.
>>> 
>>> 
>>> Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
>>> that I can put into the (internal) DNS: ISP prefixes for global routing.
>>> Renumbering is hard.
>> 
>> as is proper (source|destination) address selection in a sufficiently 
>> complex environment.
>> for interest: for a system which must be both globally and internally 
>> reachable, which address do you put into which DNS?
>> 
>> 
>>> 
>>> All of the objections I've seen to ULA are actually objections to (IPv6)
>>> NAT, which is why I was confused.
>> 
>> the main objection against ULAs is avoidance of complexity in environments 
>> where at least some systems need global reach(ability), which applies to 
>> pretty much all environments nowadays.
>> 
>> best
>> 
>> Enno
>> 
>> 
>> 
>> 
>> 
>> 
>>> 
>>> (As it turns out my ISP prefix has been static for years, but I'm too lazy
>>> to undo all of the work...)
>>> 
>>> --
>>> Harald
>> 
>> --
>> Enno Rey
>> 
>> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
>> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>> 
>> Handelsregister Mannheim: HRB 337135
>> Geschaeftsfuehrer: Matthias Luft, Enno Rey
>> 
>> ===
>> Blog: www.insinuator.net || Conference: www.troopers.de
>> Twitter: @Enno_Insinuator
>> ===
> 
> 
> 
> -- 
>  ++ytti



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Bjørn Mork
Owen DeLong  writes:

> What can you do with ULA that GUA isn’t suitable for?

1) get
2) keep
3) move

Granted, many of us can do that with GUAs too.  But with ULA those
features are available to everyone everywhere.  Which is useful for a
number of applications where you care mostly about the local environment
and not so much about global connectivity.


Bjørn


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Saku Ytti
Enno et al ULA fans

I could not agree more.

Either you provide your enterprise customers transportable addresses or
ULA. If you assign and promote them to use your 'PA' address, they
will take your PA address with them when they change operator 10 years
from now, and if you reuse it, these two customers cannot reach each
other. Why? Because anyone who has worked at non-trivial size
enterprise knows that even just finding out what needs to be done, to
renumber internal networks is massively long, expensive and error
prone proposal, there will be tons of documents and scripts in
non-standard locations containing IP addresses punched in.

No matter how well you do your job, you cannot impact how others do,
and you must expect them to continue working as they have in the past,
and you must realise when that poses risk to yourself and protect
yourself from that.

ULA at inside and 1:1 to operator address in the edge is what I've
been recommending to my enterprise customers since we started to offer
IPv6 commercially. Fits their existing processes and protects me from
creating tainted unusable addresses.


On 2 March 2018 at 11:39, Enno Rey  wrote:
> Hi,
>
> On Thu, Mar 01, 2018 at 09:30:32PM -0500, Harald Koch wrote:
>> On 1 March 2018 at 18:48, Mark Andrews  wrote:
>>
>> > ULA provide stable internal addresses which survive changing ISP
>> > for the average home user.
>>
>>
>> Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
>> that I can put into the (internal) DNS: ISP prefixes for global routing.
>> Renumbering is hard.
>
> as is proper (source|destination) address selection in a sufficiently complex 
> environment.
> for interest: for a system which must be both globally and internally 
> reachable, which address do you put into which DNS?
>
>
>>
>> All of the objections I've seen to ULA are actually objections to (IPv6)
>> NAT, which is why I was confused.
>
> the main objection against ULAs is avoidance of complexity in environments 
> where at least some systems need global reach(ability), which applies to 
> pretty much all environments nowadays.
>
> best
>
> Enno
>
>
>
>
>
>
>>
>> (As it turns out my ISP prefix has been static for years, but I'm too lazy
>> to undo all of the work...)
>>
>> --
>> Harald
>
> --
> Enno Rey
>
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Matthias Luft, Enno Rey
>
> ===
> Blog: www.insinuator.net || Conference: www.troopers.de
> Twitter: @Enno_Insinuator
> ===



-- 
  ++ytti
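Saku's "ULA at inside and 1:1 to operator address in the edge" is, in practice, stateless prefix translation of the kind RFC 6296 (NPTv6) specifies; the thread never names that RFC, so reading "1:1" as NPTv6 is my assumption. The following is an added example for this page, not the thread's code. It implements the /48-to-/48 mapping with the checksum-neutral adjustment to the subnet word, which is why such a translator can rewrite addresses without touching TCP/UDP/ICMPv6 checksums or keeping per-flow state, and it shows the flip side Owen is objecting to: the mapping is a pure function of the two prefixes, so the inside ULA is trivially derivable from the outside address. Prefixes and host addresses are constructed; the handling of a resulting 0xFFFF subnet word is simplified relative to the RFC, as the comment notes.

```python
"""Stateless 1:1 IPv6 prefix translation with a checksum-neutral subnet
adjustment, after RFC 6296 section 3.1 (/48 to /48).

Added example, not the thread's code; prefixes and hosts are constructed.
"""
import ipaddress
from typing import Iterable, List


def words(addr: ipaddress.IPv6Address) -> List[int]:
    """The eight 16-bit words of an address, most significant first."""
    raw = addr.packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(values: Iterable[int]) -> int:
    total = 0
    for v in values:
        total = ones_add(total, v)
    return total


def checksum_adjustment(inside: ipaddress.IPv6Network, outside: ipaddress.IPv6Network) -> int:
    """Sum of the inside /48 words minus sum of the outside /48 words, in
    one's complement; constant for the life of the translator configuration."""
    assert inside.prefixlen == 48 and outside.prefixlen == 48
    s_in = ones_sum(words(inside.network_address)[:3])
    s_out = ones_sum(words(outside.network_address)[:3])
    return ones_add(s_in, (~s_out) & 0xFFFF)


def translate(addr: str, src_net: ipaddress.IPv6Network, dst_net: ipaddress.IPv6Network) -> str:
    """Swap the /48 prefix and fold the difference into the subnet word (bits
    48-63) so the one's complement sum of the address does not change; any
    transport checksum covering the pseudo-header therefore stays valid
    without the translator touching it."""
    w = words(ipaddress.IPv6Address(addr))
    w[0:3] = words(dst_net.network_address)[:3]
    w[3] = ones_add(w[3], checksum_adjustment(src_net, dst_net))
    if w[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in one's complement. RFC 6296 treats
        # the 0xFFFF subnet as a special case; folding it to 0 is a simplification.
        w[3] = 0x0000
    packed = b"".join(x.to_bytes(2, "big") for x in w)
    return str(ipaddress.IPv6Address(packed))


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    sa = ones_sum(words(ipaddress.IPv6Address(a))) % 0xFFFF
    sb = ones_sum(words(ipaddress.IPv6Address(b))) % 0xFFFF
    return sa == sb


INSIDE = ipaddress.IPv6Network("fd12:3456:789a::/48")  # constructed site ULA
OUTSIDE = ipaddress.IPv6Network("2001:db8:1::/48")     # constructed operator prefix

if __name__ == "__main__":
    inside_host = "fd12:3456:789a:1::10"
    outside_host = translate(inside_host, INSIDE, OUTSIDE)
    print(inside_host, "->", outside_host,
          "checksum-neutral:", checksum_neutral(inside_host, outside_host))
    # The mapping is a pure function of the two prefixes, so the border
    # translation is invertible and the inside address is derivable from the
    # outside one: 1:1 translation hides nothing about the internal numbering.
    print(outside_host, "->", translate(outside_host, OUTSIDE, INSIDE))
```

Note that the subnet word changes (subnet 1 inside becomes 7c4a outside for these prefixes), so anything outside that expects the inside subnet numbering to show through, firewall rules keyed on the provider prefix included, has to be written against the translated values.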


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Enno Rey
Hi,

On Thu, Mar 01, 2018 at 09:30:32PM -0500, Harald Koch wrote:
> On 1 March 2018 at 18:48, Mark Andrews  wrote:
> 
> > ULA provide stable internal addresses which survive changing ISP
> > for the average home user.
> 
> 
> Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
> that I can put into the (internal) DNS: ISP prefixes for global routing.
> Renumbering is hard.

as is proper (source|destination) address selection in a sufficiently complex 
environment.
for interest: for a system which must be both globally and internally 
reachable, which address do you put into which DNS?


> 
> All of the objections I've seen to ULA are actually objections to (IPv6)
> NAT, which is why I was confused.

the main objection against ULAs is avoidance of complexity in environments 
where at least some systems need global reach(ability), which applies to pretty 
much all environments nowadays.

best

Enno






> 
> (As it turns out my ISP prefix has been static for years, but I'm too lazy
> to undo all of the work...)
> 
> -- 
> Harald

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Matthias Luft, Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===
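Enno's question (which address goes into which DNS?) and Owen's "address selection oddities" are both about RFC 6724 default address selection: a host holding a ULA and a GUA, resolving a peer that publishes both, picks by the policy table, not by what the operator intended. The following is an added example for this page, not code from the thread. It is a reduced model of the RFC 6724 source and destination rules this scenario exercises (scope, label, precedence, longest matching prefix) with the default policy table from section 2.1; the rules it omits (deprecated, home, temporary, outgoing interface and next-hop) are an assumption of the model, and all addresses are constructed.

```python
"""Reduced model of RFC 6724 default address selection.

Added example, not code from the thread. Only the rules this scenario
exercises are modelled (scope, label, precedence, longest matching prefix);
deprecated/home/temporary/interface/next-hop rules are omitted.
"""
import ipaddress
from typing import List, Sequence, Tuple, Union

Addr = Union[str, ipaddress.IPv6Address]

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]
_POLICY = [(ipaddress.ip_network(p), prec, lab) for p, prec, lab in POLICY_TABLE]

LINK_LOCAL_SCOPE, GLOBAL_SCOPE = 0x2, 0xE


def _as_addr(a: Addr) -> ipaddress.IPv6Address:
    return a if isinstance(a, ipaddress.IPv6Address) else ipaddress.IPv6Address(a)


def policy(addr: Addr) -> Tuple[int, int]:
    """(precedence, label) of the longest matching policy-table prefix."""
    a = _as_addr(addr)
    matches = [(net.prefixlen, prec, lab) for net, prec, lab in _POLICY if a in net]
    _, prec, lab = max(matches)
    return prec, lab


def scope(addr: Addr) -> int:
    """::1 and fe80::/10 are link-local scope; everything else, ULAs included
    (RFC 4193 section 3.3), is global scope."""
    a = _as_addr(addr)
    return LINK_LOCAL_SCOPE if (a.is_loopback or a.is_link_local) else GLOBAL_SCOPE


def common_prefix_len(a: Addr, b: Addr) -> int:
    return 128 - (int(_as_addr(a)) ^ int(_as_addr(b))).bit_length()


def select_source(sources: Sequence[Addr], dst: Addr) -> ipaddress.IPv6Address:
    """Section 5, rules 1, 2, 6 and 8. Earlier rules dominate; ties keep list order."""
    d = _as_addr(dst)
    d_scope, d_label = scope(d), policy(d)[1]

    def rank(src: ipaddress.IPv6Address):
        s_scope = scope(src)
        # Rule 2: prefer the smallest scope that still covers the destination's;
        # if none does, prefer the largest available.
        scope_rank = (1, -s_scope) if s_scope >= d_scope else (0, s_scope)
        return (
            src == d,                        # Rule 1: prefer same address
            scope_rank,                      # Rule 2: prefer appropriate scope
            policy(src)[1] == d_label,       # Rule 6: prefer matching label
            common_prefix_len(src, d),       # Rule 8: use longest matching prefix
        )

    return max((_as_addr(s) for s in sources), key=rank)


def order_destinations(destinations: Sequence[Addr], host_addresses: Sequence[Addr]) -> List[str]:
    """Section 6, rules 2, 5, 6 and 9, over the AAAA answers a resolver returned.
    The first entry is what connect() tries first."""
    sources = [_as_addr(a) for a in host_addresses]

    def rank(dst: ipaddress.IPv6Address):
        src = select_source(sources, dst)
        prec, label = policy(dst)
        return (
            scope(src) == scope(dst),        # Rule 2: prefer matching scope
            policy(src)[1] == label,         # Rule 5: prefer matching label
            prec,                            # Rule 6: prefer higher precedence
            common_prefix_len(src, dst),     # Rule 9: use longest matching prefix
        )

    dsts = [_as_addr(d) for d in destinations]
    # sorted() is stable, so equal ranks keep resolver order (Rule 10).
    return [str(d) for d in sorted(dsts, key=rank, reverse=True)]


if __name__ == "__main__":
    # Constructed site: host and peer each hold a ULA and a GUA on the same /64s,
    # and the peer's name publishes both AAAA records, ULA first.
    host = ["2001:db8:1::10", "fd12:3456:789a:1::10"]
    peer_aaaa = ["fd12:3456:789a:1::20", "2001:db8:1::20"]
    print("dual-numbered host picks:", order_destinations(peer_aaaa, host))
    print("ULA-only host picks:    ", order_destinations(peer_aaaa, ["fd12:3456:789a:1::10"]))
```

For the dual-numbered host the GUA peer address wins on precedence (40 against 3 for fc00::/7), so two machines on the same segment talk over the provider prefix and that traffic renumbers with the ISP; the "stable" ULA only gets used if the internal DNS view publishes nothing else, which is exactly Enno's question. The ULA-only host goes the other way because the label rule (5) runs before precedence (6): that is the kind of behaviour that differs from one host's policy table to the next.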


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Harald Koch
On 1 March 2018 at 18:48, Mark Andrews  wrote:

> ULA provide stable internal addresses which survive changing ISP
> for the average home user.


Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
that I can put into the (internal) DNS: ISP prefixes for global routing.
Renumbering is hard.

All of the objections I've seen to ULA are actually objections to (IPv6)
NAT, which is why I was confused.

(As it turns out my ISP prefix has been static for years, but I'm too lazy
to undo all of the work...)

-- 
Harald


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Mark Andrews

> On 2 Mar 2018, at 11:48 am, Matt Erculiani  wrote:
> 
> Not sure if this is the common thought, but if anyone has a network
> which requires static IP assignments, they can probably justify a
> request for a /48 from an RIR.  After all, ARIN's requirement for an
> end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from
> an ISP or other LIR are unsuitable". I would think that ISP
> portability would satisfy this requirement, but If I'm wrong, I'm
> absolutely open to being corrected on this. But most home users have
> no need for static IPs, so the dynamic ISP assignment is perfectly
> fine.

ISP assigned addresses are perfectly fine for TALKING TO THE REST OF THE WORLD.
ISP assigned addresses are not perfectly fine for internal communication.

With IPv6 you use ULA along side ISP assigned addresses.

With IPv4 RFC 1918 address + NAT the home user has STATIC local addresses
for devices that need them.  Go look at your home router’s web pages.  You
will be able to assign static addresses to your internal machines via DHCP.

Are YOU going to tell everyone that sets values there that they no longer
can do the same thing for IPv6.  That they need to fully renumber all their
devices just because the ISP gave them a different prefix this morning?

> I think the tech will advance fast enough that keeping up with an IPv6
> route table will be a non-issue. IPv6 adoption is, unfortunately, slow
> enough that there will be no issues keeping up, even assuming a "slow"
> hardware refresh cycle.
> 
> -M
> 
> On Thu, Mar 1, 2018 at 5:48 PM, Mark Andrews  wrote:
>> 
>>> On 2 Mar 2018, at 9:28 am, Owen DeLong  wrote:
>>> 
>>> 
 On Mar 1, 2018, at 1:20 PM, Harald Koch  wrote:
 
 On 1 March 2018 at 15:18, Owen DeLong wrote:
 Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly 
 anyone
 uses ULA (the IPv6 analogue to RFC-1918).
 
 Wait. What's the objection to ULA? Is it just that NAT is bad, or is there 
 something new?
>>> 
>>> No particular objection, but I don’t see the point.
>>> 
>>> What can you do with ULA that GUA isn’t suitable for?
>>> 
>>> Owen
>> 
>> ULAs provide stable internal addresses which survive changing ISP
>> for the average home user. Now, I know you can do the same thing
>> by going to a RIR and getting a prefix but the RIRs aren’t setup
>> to supply prefixes like that to 10 billion of us.
>> 
>> They are also in a specific range which makes setting filtering
>> rules easier for everyone else.
>> 
>> Now I would love it if we could support 100 billion routes in the
>> DFZ but we aren’t anywhere near being able to do that which would
>> be a requirement for abandoning ULA.  Until then they have their
>> place.
>> 
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Mark Andrews

> On 2 Mar 2018, at 9:28 am, Owen DeLong  wrote:
> 
> 
>> On Mar 1, 2018, at 1:20 PM, Harald Koch  wrote:
>> 
>> On 1 March 2018 at 15:18, Owen DeLong wrote:
>> Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly 
>> anyone
>> uses ULA (the IPv6 analogue to RFC-1918).
>> 
>> Wait. What's the objection to ULA? Is it just that NAT is bad, or is there 
>> something new?
> 
> No particular objection, but I don’t see the point.
> 
> What can you do with ULA that GUA isn’t suitable for?
> 
> Owen

ULAs provide stable internal addresses which survive changing ISP
for the average home user. Now, I know you can do the same thing
by going to a RIR and getting a prefix but the RIRs aren’t setup
to supply prefixes like that to 10 billion of us.

They are also in a specific range which makes setting filtering
rules easier for everyone else.

Now I would love it if we could support 100 billion routes in the
DFZ but we aren’t anywhere near being able to do that which would
be a requirement for abandoning ULA.  Until then they have their
place.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
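Mark's point that ULAs "are in a specific range which makes setting filtering rules easier for everyone else" is the RFC 4193 section 4.3 requirement that site border routers and ISPs drop packets with ULA sources or destinations, the same way RFC 1918 space is bogon-filtered in IPv4. The following is an added example for this page, not code from the thread. It classifies an IPv6 address into the ranges such a filter has to know about, including the undefined fc00::/8 half of the /7, and applies an egress verdict to a few constructed flows leaving a site. The site prefix is constructed, and 2001:db8::/32 stands in for global unicast here; a real bogon list drops it as well.

```python
"""IPv6 address classes a border filter must know, plus an egress verdict.

Added example, not code from the thread. The site prefix is constructed;
2001:db8::/32 stands in for global unicast here (a real bogon list drops it too).
"""
import ipaddress
from typing import Iterable, List, Tuple

ULA_BLOCK = ipaddress.ip_network("fc00::/7")    # RFC 4193: filter the whole /7 at borders
ULA_DEFINED = ipaddress.ip_network("fd00::/8")  # only the L=1 half is defined
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

SITE_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]  # constructed site GUA


def classify(addr: str) -> str:
    """Name the range an address falls in, most specific check first."""
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA_DEFINED:
        return "ula"
    if a in ULA_BLOCK:
        return "ula-undefined"      # fc00::/8: never assigned, never legitimate
    if a.ipv4_mapped is not None:
        return "ipv4-mapped"
    if a in GLOBAL_UNICAST:
        return "gua"
    return "reserved"


def egress_verdict(src: str, dst: str,
                   site_prefixes: Iterable[ipaddress.IPv6Network] = SITE_PREFIXES) -> Tuple[str, str]:
    """Decision for a packet leaving the site through its border router.

    Drops any packet whose source or destination is not global unicast (RFC 4193
    section 4.3 asks border routers and ISPs to do this for ULAs, exactly as
    RFC 1918 space is dropped in IPv4), then drops sources that are not the
    site's own (BCP 38 egress filtering)."""
    s_kind, d_kind = classify(src), classify(dst)
    if s_kind != "gua":
        return "drop", f"source is {s_kind}"
    if d_kind != "gua":
        return "drop", f"destination is {d_kind}"
    if not any(ipaddress.IPv6Address(src) in p for p in site_prefixes):
        return "drop", "source not in site prefixes"
    return "forward", ""


def filter_flows(flows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply the verdict to (src, dst) pairs; returns (src, dst, verdict, reason)."""
    return [(s, d, *egress_verdict(s, d)) for s, d in flows]


if __name__ == "__main__":
    # Constructed flows as they might leave a dual-numbered site.
    sample = [
        ("2001:db8:1::10", "2001:db8:ffff::1"),        # normal GUA to GUA
        ("fd12:3456:789a:1::10", "2001:db8:ffff::1"),  # ULA source leaked past the edge
        ("2001:db8:1::10", "fd99::1"),                 # ULA destination (someone else's site)
        ("2001:db8:2::10", "2001:db8:ffff::1"),        # GUA but not ours: spoofed
        ("fc00::1", "2001:db8:ffff::1"),               # undefined half of fc00::/7
    ]
    for src, dst, verdict, reason in filter_flows(sample):
        print(f"{verdict:8} {src:24} -> {dst:20} {reason}")
```

The second flow is the one that matters operationally: a host that picked its ULA as the source for an external destination (the address selection problem discussed elsewhere in this thread) produces a packet that the border should drop, and if it does not, the upstream will. Either way the session fails silently on the host, which is why the filter belongs at the site edge where it can be logged.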



Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Owen DeLong

> On Mar 1, 2018, at 1:20 PM, Harald Koch  wrote:
> 
> On 1 March 2018 at 15:18, Owen DeLong wrote:
> Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly anyone
> uses ULA (the IPv6 analogue to RFC-1918).
> 
> Wait. What's the objection to ULA? Is it just that NAT is bad, or is there 
> something new?

No particular objection, but I don’t see the point.

What can you do with ULA that GUA isn’t suitable for?

Owen