[ipv6hackers] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Fernando Gont
fernando at gont.com.ar
Sun Feb 5 16:54:52 -03 2023
Hello, Markus,
Thanks for the comments! In-line...
On 5/2/23 13:26, Markus Reschke wrote:
> Hi!
>
> On Sun, 5 Feb 2023, Andrew Walding wrote:
>
>> Example #5: Dealing with an intrusive or misbehaving IPv6 source. The
>> tendency here is to create either a whitelist or blacklist collection of
>> allowed or banned addresses. In an IPv4 network this is relatively
>> straightforward, as an interface most likely has only one address.
>> Further, it does not matter whether the source is a server or client; in
>> the IPv4 space these addresses tend not to change. In IPv6 this could
>> also be the case, however there are further considerations.
>
> IMHO, it's not just about a host having multiple IPv6 addresses or
> changing addresses (e.g. Privacy Extensions), but also the tradeoff
> between the number of ACL rules and filtering resources available. The
> latter also applies to IPv4. Up to some threshold we can put single
> addresses into the ACL with minimal impact on performance. However, when
> exceeding the threshold we have to aggregate addresses if possible to
> counter the performance impact, also creating collateral damage to some
> extent (another tradeoff). And by adding IPv6 /128s we would run much
> faster into the threshold.
This is noted in the I-D, though. Is there anything missing?
Thanks!
Regards,
--
Fernando Gont
e-mail: fernando at gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
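As an added illustration of the rule-count versus collateral tradeoff discussed in the quoted reply (example code, not from the thread or the I-D), the following greedily merges a constructed list of /128 block entries from documentation space (2001:db8::/32) into at most N prefixes, at each step choosing the merge that admits the fewest extra addresses, and reports how many unlisted addresses the resulting ACL covers.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: hosts in one /64 using Privacy-Extension style IIDs,
# plus one host in a neighbouring /64.
HOSTS = [
    "2001:db8:1:0:1234:5678:9abc:def0",
    "2001:db8:1:0:1234:5678:9abc:def1",  # adjacent to the entry above
    "2001:db8:1:0:a1b2:c3d4:e5f6:1",
    "2001:db8:1:0:f00d:1:2:3",
    "2001:db8:2:0:dead:beef:0:1",
]


def common_supernet(a: ipaddress.IPv6Network,
                    b: ipaddress.IPv6Network) -> ipaddress.IPv6Network:
    """Smallest prefix that contains both a and b."""
    diff = int(a.network_address) ^ int(b.network_address)
    # Shared leading bits of the two network addresses, capped by both lengths.
    plen = min(a.prefixlen, b.prefixlen, 128 - diff.bit_length())
    return ipaddress.IPv6Network((int(a.network_address), plen), strict=False)


def aggregate(hosts: Iterable[str], max_rules: int) -> List[ipaddress.IPv6Network]:
    """Reduce the entries to at most max_rules prefixes with minimal collateral."""
    # Exact aggregation first: adjacent /128s fold into a /127, etc. (no collateral).
    nets = list(ipaddress.collapse_addresses(ipaddress.IPv6Network(h) for h in hosts))
    while len(nets) > max_rules:
        nets.sort()
        # The smallest common supernet of any pair is always found between
        # sorted neighbours, so only adjacent pairs need to be examined.
        best = max(range(len(nets) - 1),
                   key=lambda i: common_supernet(nets[i], nets[i + 1]).prefixlen)
        merged = common_supernet(nets[best], nets[best + 1])
        # Re-collapse so entries now inside the new prefix are absorbed.
        nets = list(ipaddress.collapse_addresses(nets[:best] + [merged] + nets[best + 2:]))
    return sorted(nets)


def collateral(hosts: Iterable[str], rules: Iterable[ipaddress.IPv6Network]) -> int:
    """Number of addresses matched by the rules that were not on the list."""
    listed = sum(ipaddress.IPv6Network(h).num_addresses for h in hosts)
    return sum(r.num_addresses for r in rules) - listed


if __name__ == "__main__":
    for limit in (4, 3, 2):
        rules = aggregate(HOSTS, limit)
        print(f"max {limit} rules: {[str(r) for r in rules]} "
              f"collateral={collateral(HOSTS, rules)}")
```

Shrinking the ACL from four to two rules here turns a zero-collateral list into one that blocks an entire /64, which is the "collateral damage" side of the tradeoff.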