Re: [savi] More Opinions, Please - On the Protection of Unused Addresses
"Joel M. Halpern" <jmh@joelhalpern.com> Mon, 29 June 2009 23:36 UTC
Message-ID: <4A49500B.6000702@joelhalpern.com>
Date: Mon, 29 Jun 2009 19:36:43 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
To: SAVI Mailing List <savi@ietf.org>
References: <81955095-4CA3-41E8-8435-99B2AF644621@ericsson.com> <CD75E53C-F792-454F-AC1D-B3C097AEF774@ericsson.com>
In-Reply-To: <CD75E53C-F792-454F-AC1D-B3C097AEF774@ericsson.com>
Subject: Re: [savi] More Opinions, Please - On the Protection of Unused Addresses
While I appreciate Christian's question, I think that this is part of a larger pair of questions that we talk around, but do not address.

1) What threats are we actually trying to protect against?

The threats draft talks about general internet threats and the need to be able to track them back. But it is not particularly clear about what behavioral threats we are actually concerned with stopping in SAVI:
- Are we concerned with ensuring that every packet leaving a site can be reliably tracked back to a human being?
- Are we concerned with preventing one device within a site from masquerading as another device, either at the IP or MAC layer?

2) What tools do we want to require or prohibit?

While we probably do not want to mandate a single tool set, without mandating something we get nowhere. Possibilities include:
- restricting mobility (with or without session continuity)
- requiring MAC or IP authentication (802.1X, SEND, ...)
- requiring central management of addressing and bindings

No, those are not all the alternatives. As far as I can tell from watching this list, there are folks who take as given the need for almost any subset of these and related constraints you can imagine. Unless we pick, explicitly, we will continue to argue in circles.

For example, the question of controlling unregistered addresses turns on assumptions about what threats we are addressing, and assumptions about address allocation that mean that "unregistered" is a meaningful condition. I don't object to that particular pair, but it is really hard to discuss the acceptability of answers without agreeing on the questions.

Yours,
Joel M. Halpern

Christian Vogt wrote:
> Folks -
>
> I would like to solicit more feedback on the benefit-cost analysis
> (below) for protecting unused addresses. How valuable do people consider
> protection of unused addresses, how much cost do they think is OK? Is
> there something that the analysis overlooks? We already got several
> very useful comments from a few people. What do the others think?
>
> To recap: We need to decide between the following three options of
> dealing with unused addresses:
>
> - Not protect unused addresses, i.e., forward packets without a binding.
>   Logging is still possible, though.
>
> - Protect unused addresses, and coordinate SAVI devices on the same link
>   by manually disabling SAVI protection on ports connecting to other
>   SAVI devices.
>
> - Protect unused addresses, and coordinate SAVI devices on the same link
>   with a dedicated binding synchronization protocol.
>
> Please send your feedback by Sunday, July 5. We will vote after that.
>
> - Christian