Re: Why ULA: low collision chance (Was: IPv6 fc00::/7 — Unique local addresses)

William Herrin bill at herrin.us
Sat Oct 23 14:07:09 UTC 2010


On Sat, Oct 23, 2010 at 3:07 AM, Owen DeLong <owen at delong.com> wrote:
>> On Oct 22, 2010, at 6:10 PM, William Herrin wrote:
>> Just for grins, let's put some rough math to that assertion. The
>> average percentage of the Internet reached by a ULA or RFC1918 leak
>> will be close to:
>>
>> (1-A)^B
>>
>> A = the probability of any given organization filtering private
>> address announcements and/or private address packets at their borders
>> B = the average width of the Internet in organizations (which should
>> be slightly higher than the width in ASes)
>
> I think your estimation of 50% is highly optimistic. I also think
> you underestimate the diameter of the internet, being much
> closer to 25 than 10 from what I can see. Filling in more
> realistic (based on my observations) numbers of 5% and 25,
> my numbers come out as:
> (1-0.05)^25 = 0.95 ^ 25 = 0.27 = a little more than 1/4 of the internet.

Owen,

I see. In trying to pick those numbers, my current (today) experience is this:

I filter.
Two of the three ISPs I interact with personally filter.
My employer filters.
Three of the five ISPs they deal with filter.

Total: 7 of 10 filter.

What experience of yours leads you to believe that something closer to
1 in 20 organizations choose to filter out RFC1918 and/or ULA at their
borders? Do *you* filter border-crossing RFC1918 traffic? Does your
employer, HE?

> ULA won't supplant GUA, it will be much more insidious than that. Most
> people will still use GUA for GUA purposes.
> However, deliberate routing of ULA will start small and slowly spread
> over time like a slow-growing cancer. You won't even really detect it
> until it has metastasized to such an extent that nothing can be done
> about it.
> I believe that DELIBERATE routing of ULA will
> be a very likely outcome of current policies eventually resulting in
> ULA being ubiquitously routed just as GUA is intended to be. This
> unfortunate end result of the combination of human nature to do
> the expedient rather than the correct will eventually remove any
> perceived benefits to ULA and cause additional problems as ULA
> becomes a globally routable resource not subject to RIR policy.

You need to back that up with something. This sort of thing doesn't
just magically happen. Spin at least one scenario leading there in
which the step-by-step choices by each of the participants are at
least arguably rational.


> In my opinion, the far more secure thing to do is to use GUA.
> Put the hosts you want to be reachable from the outside in
> specific ranges of your GUA.
> For example:
> Route filters:
> From internal interfaces:
> Accept 2620:0db8:532a::/56 or longer
> Deny 2620:0db8:532a:: ge /48 le /55

Fat finger the second line (interpose the b and the d) and misconnect
one ethernet cable so that your firewall interior protocol can touch
your firewall exterior protocol. In comes a set of formerly interior
routes ranging from /56 to /64, more specific routes that override
your nulls. You're done. Your entire internal network is now
firewall-free on the Internet.

You've never typed in a line wrong in a router config or plugged a
cable in to the wrong jack, right? And you've never tasked network
setup work to a junior engineer whose networking sophistication is
less than your own.

BTW, in your opinionated security process you forgot to install RA
guard. Without RA guard on every switch port that doesn't connect to
an intentional router, some idiot user can plug a 4G modem into their
laptop and every damn device sharing the network will assign itself an
additional GUA address and route through him. Two IPv4 DHCP servers
tended to conflict with each other so the result was an outage. IPv6's
designers considered that a bug and made it go away so that there's a
good chance you won't notice the breach.

We have not yet begun to reach the depths of SLAAC's badness.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
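The two-line route filter quoted in the thread, and the fat-finger argument made against it, can be modelled with a few lines of Python. This is an added example and not part of the thread or of any vendor's prefix-list implementation; the `Entry` model, the `accepts_without_guard` lint and the toy RIB in `best_route` are assumptions made for illustration. It evaluates the filter as written, flags the deny line once its prefix has the "b" and "d" interposed (the deny then covers none of the accept it was meant to guard), and shows the longest-match rule that lets an accepted /64 override a /48 null route.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Entry:
    """One line of a prefix-list (hypothetical model): first match wins,
    and a route that matches no line is denied."""
    action: str   # "accept" or "deny"
    prefix: Net   # the covering prefix written on the line
    ge: int       # shortest prefix length the line matches
    le: int       # longest prefix length the line matches

    def matches(self, route: Net) -> bool:
        return self.ge <= route.prefixlen <= self.le and route.subnet_of(self.prefix)


def entry(action: str, prefix: str, ge: int, le: int) -> Entry:
    return Entry(action, Net(prefix), ge, le)


def evaluate(entries: list[Entry], route: str) -> str:
    """Return 'accept' or 'deny' for a route offered to this prefix-list."""
    net = Net(route)
    for e in entries:
        if e.matches(net):
            return e.action
    return "deny"


# The filter quoted in the thread, as intended:
#   Accept 2620:0db8:532a::/56 or longer
#   Deny   2620:0db8:532a:: ge /48 le /55
INTENDED = [
    entry("accept", "2620:0db8:532a::/56", 56, 128),
    entry("deny", "2620:0db8:532a::/48", 48, 55),
]

# The same filter with the "b" and "d" interposed on the deny line
# (constructed for illustration): the deny now names a different /48.
FAT_FINGERED = [
    entry("accept", "2620:0db8:532a::/56", 56, 128),
    entry("deny", "2620:0bd8:532a::/48", 48, 55),
]


def accepts_without_guard(entries: list[Entry]) -> list[Entry]:
    """Lint (assumed check): every accept line should sit under some deny
    line covering the rest of the same aggregate. An accept with no such
    deny is reported; a transposed character in the deny prefix is exactly
    the kind of typo this surfaces before the config is committed."""
    unguarded = []
    for acc in (e for e in entries if e.action == "accept"):
        covered = any(d.action == "deny" and acc.prefix.subnet_of(d.prefix)
                      for d in entries)
        if not covered:
            unguarded.append(acc)
    return unguarded


def best_route(rib: dict[str, str], address: str) -> Optional[tuple[str, str]]:
    """Longest-prefix match over a tiny RIB mapping prefix -> next hop.
    Shows why an accepted /64 beats a /48 null route for the same space."""
    addr = ipaddress.IPv6Address(address)
    best = None
    for prefix, nexthop in rib.items():
        net = Net(prefix)
        if addr in net and (best is None or net.prefixlen > Net(best[0]).prefixlen):
            best = (prefix, nexthop)
    return best


if __name__ == "__main__":
    for route in ("2620:0db8:532a::/48", "2620:0db8:532a::/64", "2620:0db8:532a:100::/56"):
        print(route, "->", evaluate(INTENDED, route))
    print("unguarded accepts after typo:", accepts_without_guard(FAT_FINGERED))
    rib = {"2620:db8:532a::/48": "discard", "2620:db8:532a::/64": "leaked-interior"}
    print("best route for 2620:db8:532a::1:", best_route(rib, "2620:db8:532a::1"))
```

The lint reports what the filter text alone cannot: a deny whose prefix no longer contains the accept it was written to guard. Whether a dead deny line actually opens the network depends on what follows it in the list, which the post does not show; the longest-match function illustrates the separate point that once a more specific interior route is accepted on the wrong side, it wins over the covering null route regardless.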

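The RA guard paragraph describes the mechanism precisely: a Router Advertisement from an unexpected source carrying an autoconfigurable prefix makes every host on the segment add a GUA and a default route through the sender, with no conflict to make it visible. The following added example, not from the thread and not any switch vendor's RA guard, parses an ICMPv6 RA from raw bytes and classifies it against a list of known router MACs, the kind of monitoring-side check that would reveal the condition the post says goes unnoticed. The `build_ra` helper, the sample MACs and prefixes, and the `known_routers` list are constructed test input; the packet layout follows RFC 4861.

```python
from __future__ import annotations

import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
PREFIX_FLAG_ONLINK = 0x80      # "L" flag
PREFIX_FLAG_AUTONOMOUS = 0x40  # "A" flag: hosts may SLAAC an address from this prefix


def build_ra(src_mac: bytes, prefix: str, prefix_len: int, autonomous: bool,
             router_lifetime: int = 1800) -> bytes:
    """Construct an ICMPv6 RA body (no IPv6 header, checksum left zero) as
    test input. Layout per RFC 4861: 16-byte header, then options."""
    flags = PREFIX_FLAG_ONLINK | (PREFIX_FLAG_AUTONOMOUS if autonomous else 0)
    head = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       64, 0, router_lifetime, 0, 0)
    sll = struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER, 1, src_mac)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, prefix_len, flags,
                      2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    return head + sll + pio


def parse_ra(pkt: bytes) -> dict:
    """Parse an RA into its router lifetime, source MAC and prefix options."""
    msg_type, _code, _csum, hop_limit, _flags, lifetime, _reach, _retrans = \
        struct.unpack_from("!BBHBBHII", pkt, 0)
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a router advertisement")
    ra = {"hop_limit": hop_limit, "router_lifetime": lifetime,
          "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + opt_len * 8
        if end > len(pkt):
            raise ValueError("truncated option")
        body = pkt[off + 2:end]
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra["src_mac"] = body[:6].hex(":")
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, _pref, _res, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(prefix)}/{plen}",
                "autonomous": bool(pflags & PREFIX_FLAG_AUTONOMOUS),
                "valid_lifetime": valid,
            })
        off = end
    return ra


def classify_ra(ra: dict, known_routers: set[str]) -> str:
    """Monitoring-side stand-in for RA guard: an RA from a MAC that is not a
    known router and that offers an A-flag prefix is what lets every host on
    the segment silently pick up an extra GUA and a new default route."""
    if ra["src_mac"] in known_routers:
        return "expected"
    if any(p["autonomous"] for p in ra["prefixes"]):
        return "rogue-slaac"
    return "unexpected"


# Constructed sample input: one RA from the real router, one from a laptop
# that has started advertising its own prefix.
KNOWN_ROUTERS = {"00:11:22:33:44:55"}
LEGIT_RA = build_ra(b"\x00\x11\x22\x33\x44\x55", "2001:db8:1::", 64, True)
ROGUE_RA = build_ra(b"\xde\xad\xbe\xef\x00\x01", "2001:db8:f00d::", 64, True)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        ra = parse_ra(pkt)
        print(name, ra["src_mac"], ra["prefixes"], "->", classify_ra(ra, KNOWN_ROUTERS))
```

On a real segment the packets would come from a capture on a monitoring port rather than from `build_ra`; the classification is the same, and it is the "rogue-slaac" case that the post says no outage will announce for you.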


