Chairs:
- NOTE WELL
- Blue Sheets
- Agenda has been shuffled
- Wes: Agenda looks fine, very few slide decks are posted
Using Only Link-Local Address in Network Core -- Michael Behringer
- Writing down existing proposal and caveats // Nothing new
- Proposal: Use IPv6 LLA
- To be able to point to a document explaining this // Intention to be a reference
- Advantage -- reduce attack surface
- Disadvantage --
- Target: BCP
- Proven to work
- Advantages -- smaller routing table and memory consumption
- ISIS -> Operational BCP is to only advertise passive interfaces, which are the loopbacks -> the routing table does not carry link addresses
- Reduces configuration complexity
- Caveats -> What have we missed?
- Interface ICMP - workaround RFC 5837
- Traceroute - which link? -> workaround RFC 5837
- From remote you cannot ping a particular interface
- Hardware dependency -- LL by default EUI-64 -> Address changes with hardware -> Workaround static LL fe80::1
- That's it!
- Wes George:
- I think BCP means documenting something everyone does -- not something you want people to do. Therefore, this should be Informational
- Should cross-reference another equivalent document (for v4?)
- LL Addresses are not on the config so we cannot parse through the config
- Michael: Does BCP need to be widely deployed? Not necessarily -- BCP is a subjective distinction that the WG needs to come to terms with
- Fred Baker: 2026 language means "something we all agree to" -- not that everyone does it everywhere, but rather: if you want to use this, then this is how you do it. In this specific case, do we all really agree? Or are there camps that do not agree? Potential outcome, this can be Informational
- Warren: Does this belong in the charter? Maybe not really. We do not have "real stable chairs" so no discussion, but roughly, interest as wg item? /* some hands up I did not count how many */ anyone against? no hands /* that I saw */
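As an added illustration of the link-local-only core design discussed above (not code from the draft or the presenter): a small audit over constructed `ip -6 addr show` output that flags routable addresses on core links and links still using an EUI-64 link-local instead of the static fe80::1 workaround mentioned in the caveats. The interface names and addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not from the minutes) for a
# core router following the link-local-only design: routable addresses only
# on lo, a static fe80::1 on each core link. eth1 deliberately breaks both rules.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 2001:db8:0:1::1/128 scope global
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::1/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:0:12::1/64 scope global
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""

IFACE_RE = re.compile(r"^\d+: (\S+):")
ADDR_RE = re.compile(r"^\s+inet6 ([0-9a-fA-F:]+)/\d+")
STATIC_LL = ipaddress.IPv6Address("fe80::1")


def parse_ip6_addrs(text):
    """Map interface name -> list of IPv6Address from `ip -6 addr show` text."""
    addrs, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            addrs.setdefault(cur, [])
            continue
        m = ADDR_RE.match(line)
        if m and cur is not None:
            addrs[cur].append(ipaddress.IPv6Address(m.group(1)))
    return addrs


def audit_ll_only_core(addrs, loopback="lo"):
    """Return (ifname, problem) pairs where the LL-only design is violated."""
    findings = []
    for ifname, alist in addrs.items():
        routable = [a for a in alist if not (a.is_link_local or a.is_loopback)]
        if ifname == loopback:
            if not routable:
                findings.append((ifname, "loopback has no routable address"))
            continue
        # Core links: the only address should be the stable static fe80::1.
        for a in routable:
            findings.append((ifname, f"routable address {a} on core link"))
        if STATIC_LL not in alist:
            findings.append((ifname, "no static fe80::1 (EUI-64 LL changes with hardware)"))
    return findings


if __name__ == "__main__":
    for ifname, problem in audit_ll_only_core(parse_ip6_addrs(SAMPLE_IP_ADDR)):
        print(f"{ifname}: {problem}")
```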
Passive IP Addresses // Fred Baker
- This came from Gunter, and several people talking about attacks from traceroute. I learn addresses, and then choose to attack them.
- Principle of Least Privilege
- Michael talked about one approach. However our observation is that it does not alleviate the problem. Because source from the loopback.
- Use a ULA? attack from infrastructure
- Desirements (not Requirements)
- Something you cannot route to.
- Identify from the name, which operator to talk to.
- Router address SHOULD be in ipv6.arpa
- Proposal: put an attribute in an address:
- Should I use this address (PTB) in a message to someone that does not manage me? Find that address in DNS
- Should I respond if I am addressed here? Discard it!
- Do you think the approach makes sense?
- Have you read the draft? A few hands go up.
- Wes George: What is the incremental deployment model for this?
- Wes: How do you make it work when it is not supported everywhere?
- Fred: You can put it in just one router
- Fred: A Host will understand it -- host does not know, configured on the router side
- Jared Mauch: 2 thoughts on this: 1. Over the years end users have come to expect they should be able to ping an intermediate device. 2. Difficult to construct filters for CoPP because you do not know which addresses are on the device
- Jared: Hard to construct a policy to filter on IP addresses, without enumerating all addresses -- some vendors have better macros than others.
- Lee Howard: you define 2 properties but no default. Would like a good default.
- Fred: loopback active otherwise passive?
- Lee: I do not know
- Igor Yahoo: Implicitly implement CoPP on prefix-type basis. How is this any better than CoPP with proper macros? As an operator a vendor has done things better with one macro that identifies (e.g., regex config of router) and then I configure interfaces I choose on the CoPP scheme.
- What is the intent of this draft?
- There are already ways to answer traceroute with a configured address that might not be in the router
- Robert Raszuk: You do not consider the source of the trace or the source address of the ping
- Question: Bogus versus unreachable? Impact on regular uses and operational practices
- Rajiv Asati: MPLS networks -- many core routers do not even respond to traceroute. CoPP gives the ability to deny packets in the router -- but network wide it is not easy to know, on a given edge router, which other addresses are used on the network -- net-net: we should filter at the edge
Human Sage IPv6 -- Andrew Yourtchenko
- IPv6 addresses are unbearably long, cannot pronounce them, etc.
- That's why operators use vanity addresses
- Two conflicting goals:
- Increase randomness of address
- Operators want to decrease randomness.
- Proposal: Human readable hostname.
- Shows example
- Properties:
- ifid basically random
- symmetric cipher -> can derive hostname
- Intent to protect from blind attacks -- non-NOC will know this.
- Wes George:
- I am pretty against this, actually. We are solving the problem with a more complicated solution than the available ones. Solution: DNS -- I am having the NOC stop the habit of memorizing IP addresses -- it also breaks renumbering - things have dynamic addresses
- CGA is security by obscurity already
- Andrew: Talking about the host portion -- not all address
- ?: I agree with this -- same password for 1,000 routers not great.
- Jared: I disagree with both previous speakers. I see something that would show up in interface installer. It does not reduce the ability to put in DNS anyway
- Warren: kind of cool and interesting trick, it's cool. It's not encryption, it's obfuscation.
- ?: Not a good idea -- scaling.
- No way to make it backwards compatible with IPv4 -- v6 does not need to be special.
- Michael Behringer: this is for internal addresses only, right? Yes.
Filtering of IPv4 packets containing IPv4 Options -- Fernando Gont
- I am speaking, Carlos Pignataro also in the audience
- This doc suggested by Ron Bonica at IETF76
- Changes in last few revisions:
- 2119 language
- missing options
- During this I-D we found unused but never deprecated options, we
- Question: ready to adopt as a wg doc
- How many people read the I-D? Not enough to gauge consensus. Try to get people to read the document and poll on the list. Or poll on Wednesday
Finish 5 minutes early -- anyone else?
- Ron Bonica: glad to see so much v6 work on this WG, right direction