IETF83 - Opsec

Chairs:

Using Only Link-Local Address in Network Core -- Michael Behringer

To be able to point to a document explaining this // Intention to be a reference
Advantage -- reduce attack surface
Disadvantage --
Target: BCP

ISIS -> Operational BCP to only advertise passive interfaces, which are loopback -> routing table does not carry link addresses

Interface ICMP - workaround RFC 5837
Traceroute - which link? -> workaround RFC 5837
From remote you cannot ping a particular interface
Hardware dependency -- LL by default EUI-64 -> Address changes with hardware -> Workaround static LL fe80::1

I think BCP means documenting something everyone does -- not something you want people to do. Therefore, this should be Informational
Should cross-reference another equivalent document (for v4?)
LL Addresses are not on the config so we cannot parse through the config

Michael: Does BCP need to be widely deployed? No necessarily -- BCP is a subjective distinction that the WG needs to come to terms with
Fred Baker: 2026 language means "something we all agree to" -- not that everyone does it everywhere, but rather: if you want to use this, then this is how you do it. In this specific case, do we all really agree? Or are there camps that do not agree? Potential outcome, this can be Informational
Warren: Does this belong in the charter? Maybe not really. We do not have "real stable chairs" so no discussion, but roughly, interest as wg item? /* some hands up I did not count how many */ anyone against? no hands /* that I saw */

Passive IP Addresses // Fred Baker

This came from Gunter, and several people talking about attacks from traceroute. I learn addresses, and then choose to attack them.
Principle of Least Privilege
Michael talked about one approach. However our observation is that it does not alleviate the problem. Because source from the loopback.
Use a ULA? attack from infrastructure
Desirements (not Requirements)

Should I use this address (PTB) in a message to someone that does not manage me? Find that address in DNS
Should I respond if I am addressed here? Discard it!

Wes: How do you make it work when it is not supported everywhere?
Fred: You can put it in just one router
Fred: A Host will understand it -- host does not know, configured on the router side

Jared Maulch: 2 thoughts on this: 1. over years end users expect they should be able to ping and intermediately device. 2. difficult to contract filters for CoPP because you do not know which addresses on device

Jared: Hard to construct a policy to filter on IP addresses, without enumerating all addresses -- some vendors have better macros than others.

Igor Yahoo: Implicitly implement CoPP on prefix-type basis. How is this any better than CoPP with proper macros? As an operator a vendor has done things better with one macro that identifies (e.g., regex config of router) and then I configure interfaces I choose on the CoPP scheme.

What is the intent of this draft?
There are already ways to answer trace route with a configured address that might not be in the router

Robert Razuk: You not consider source of trace or source address of ping
Question: Bogus versus unreachable? Impact on regular uses and operational practices
Rajiv Asati: MPLS networks -- many core routers do not even respond to traceroute.CoPP gives ability to deny packets in the router -- but network wide it is not easy to know if on a given edge router which other addresses are used on the network -- net-net: we should filter at the edge

Human Sage IPv6 -- Andrew Yourtchenko

I am pretty against this, actually. We are solving the problem with more complicated solution than available ones. Solution: DNS -- I am having the NOC stop the habit of memorizing IP addresses -- breaks renumbering also - things have dynamic addresses
CGA is security by obscurity already

Andrew: Talking about the host portion -- not all address
?: I agree with this -- same password for 1,000 routers not great.
Jared: I disagree with both previous speakers. I see something that would show up in interface installer. It does not reduce the ability to put in DNS anyway
Warren: kind of cool and interesting trick, it's cool. It's not encryption, it's obfuscation.
?: Not a good idea -- scaling.
No way to make it backwards compatible with IPv4 -- v6 does not need to be special.
Michael Behringher: this is for internal addresses only, right? Yes.

Filtering of IPv4 packets containing IPv4 Options -- Fernando Gont

During this I-D we found unused but never deprecated options, we
Question: ready to adopt as a wg doc
How many people read the I-D? not enough to gauge consensus. Try for people read the document and poll on the list. Or poll on Wednesday

Finish 5 minutes early -- anyone else?