Re: [BEHAVE] Perils of structured host identifiers

To: Iljitsch van Beijnum <iljitsch at muada.com>
Subject: Re: [BEHAVE] Perils of structured host identifiers
From: marcelo bagnulo braun <marcelo at it.uc3m.es>
Date: Wed, 08 Jul 2009 09:42:57 +0200
Cc: Christian Huitema <huitema at windows.microsoft.com>, Xing Li <xing at cernet.edu.cn>, 6man <ipv6 at ietf.org>, Behave WG <behave at ietf.org>, Dave Thaler <dthaler at windows.microsoft.com>
Delivered-to: ipv6 at core3.amsl.com
In-reply-to: <2BAEB3B6-3FAE-4396-B568-6E71D012029F at muada.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <E4561B14EE2A3E4E9D478EBFB5416E1B0A2F5A at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <18256DC3-184D-48FE-B37C-2F9867597304 at free.fr> <E4561B14EE2A3E4E9D478EBFB5416E1B0A5745 at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <EB331E19-8164-4805-A412-4686D16C955F at free.fr> <4A4F5F9A.40202 at gmail.com> <268554C4-E415-492E-B950-4B9531F53CEA at free.fr> <6B55F0F93C3E9D45AF283313B8D342BA0436FB0A at TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com> <4A524FE3.8070101 at it.uc3m.es> <204533CC-5DEE-47DD-A2CD-CF1EC41A4679 at muada.com> <E4561B14EE2A3E4E9D478EBFB5416E1B0C1A9A at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <2BAEB3B6-3FAE-4396-B568-6E71D012029F at muada.com>
User-agent: Thunderbird 2.0.0.21 (Macintosh/20090302)

Iljitsch van Beijnum escribió:

On 7 jul 2009, at 22:21, Dave Thaler wrote:
CGAs are only useful when they're assigned to a host, not in the
address space of protocol A that represents the address space of
protocol B.
Disagree.  I'm not sure it's a big deal, but I disagree it has
0 worth.  CGAs are useful to prevent spoofing.  If a translator
chooses to use a CGA to represent an IPv4 host, then spoofing
it is _extremely_ difficult.
A CGA ties a public key to an address. This is useful if you havepeople sending you packets with a source address that may or may notbelong to them. In the NAT64 case that would mean that a fake NAT64tries to spoof the source addresses (that encode IPv4 addresses) ofthe real NAT64. But since the IPv6 host sets up the session in thefirst place, all of this is taken care of (for a low level ofsecurity) by return routability. Sessions can also be protected by SSLthrough the NAT64 directly to the IPv4 destination or with IPsecbetween the host and the NAT64. Both of these are much more usefulthan CGA if a high level of security is required. But I don't see howit would be, at some point you have to assume that if you give peoplepackets they will take care of them.

for example, suppose you want to run shim6 on the nat64 box, how wouldyou do it if you cannot use the lower 64 bits to store crypto info?

(what i mean is that the IPv6 host talks shim6 with its peer, which inthis case i behind the nat64 box, so the shim6 protocol runs between theIPv6 node and the nat64)


Regards, marcelo

Sorry, but the idea that privacy should apply to NAT64 is stupid.
Disagree.  People already (whether we like it or not) associate
a certain degree of privacy with NATs.
In this regard, a NAT64 is no different from a NAT44 in principle.
Of course the fact that a NAT64 will most likely be deployed in theISP network renders the issue largely moot.
What you would have to do is _encrypt_ the destination address to hideit from prying eyes. Guess what, we have a protocol for that: IPsectunnel mode. Encrypts the rest of the packet, too.
I would worry more about the DNS, though. Not only is it easilyspoofable, it also leaks not only addresses but FQDNs. So at the veryleast you'd want DNSSEC and probably also talk to the DNS over IPsec.

Follow-Ups:
- Re: [BEHAVE] Perils of structured host identifiers
  - From: Iljitsch van Beijnum

References:
- Re: [BEHAVE] Modified EUI-64 format
  - From: Rémi Després
- Re: [BEHAVE] Modified EUI-64 format
  - From: Brian E Carpenter
- Re: [BEHAVE] Modified EUI-64 format
  - From: Rémi Després
- Perils of structured host identifiers (was: Modified EUI-64 format)
  - From: Christian Huitema
- Re: [BEHAVE] Perils of structured host identifiers
  - From: marcelo bagnulo braun
- Re: [BEHAVE] Perils of structured host identifiers
  - From: Iljitsch van Beijnum
- RE: [BEHAVE] Perils of structured host identifiers
  - From: Dave Thaler
- Re: [BEHAVE] Perils of structured host identifiers
  - From: Iljitsch van Beijnum

Prev by Date: Re: [BEHAVE] Perils of structured host identifiers
Next by Date: Re: [BEHAVE] Perils of structured host identifiers
Previous by thread: Re: [BEHAVE] Perils of structured host identifiers
Next by thread: Re: [BEHAVE] Perils of structured host identifiers
Index(es):
- Date
- Thread

Re: [BEHAVE] Perils of structured host identifiers

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.