The IETF 6man working group discusses all kinds of aspects of IPv6 maintenance, including the need to continue work on the underlying standard documents and associated text that directs how IPv6 actually works in practice.
We like to say that it’s done but, really, design work on a protocol is never finished — from nits and clarifications to extensions, the work goes on.
A brief presentation towards the end of the 6man session at IETF 100 discussed an interesting idea about how we can exploit the emergence of almost limitless addresses on each node. This isn’t yet an adopted idea; it was more of a ‘putting it out there’ position from Fernando Gont, who has done much work on temporary, transitional, and ephemeral addressing.
The idea is to look at the ‘right-hand side’ of the IPv6 network address — the local part, which the host gets to pick.
The Regional Internet Registries don’t usually talk about this side, because it’s the customer side, although we actually care about it. For example, we recommend that home users get offered a /56 as a minimum because they can have up to 255 local /64 networks to play with. We strongly prefer that people not assign a /128 on cellular networks because it removes all the benefits of privacy addressing.
For this part of the address, the host usually has some understanding with its router about how it can vary the address and how it announces the addresses it is using. However, this misses a point — it would be really nice to be able to ask for specific addresses for one-time, ephemeral use, and not have them visible in other ways. For example, if you use a privacy address in IPv6 to perform NTP and somehow wind up talking to a rogue NTP server, the privacy address can be ‘leaked’, allowing outsiders to see the host and determine: whether it is listening on HTTP; whether it is listening on the printer port; whether they can log in to it; and whether they can flood it with DDoS packets and crash it. None of this should happen, but as things stand, it’s very hard to stop.
As part of the ‘sockets’ API, it’s entirely possible that a lot of other code on your host binds to in6addr_any, the wildcard that means ‘any local address’; a service bound that way answers on every address the host holds, so even an address requested for ephemeral use will respond on that binding if a packet arrives at it.
The idea being floated by Fernando is to extend the API to add flags specifying that an address is explicitly for one time, or one purpose, or not to be bound into existing services or a number of behaviours.
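The binding problem in the two paragraphs above has a defender-side workaround today, without the proposed API flags: bind services to the specific addresses they are meant to serve rather than in6addr_any, and where a wildcard bind is unavoidable, check with getsockname() which local address each accepted connection actually arrived on and drop the ones that reached a temporary address. The C below is an added example, not code from the post or from Fernando Gont’s proposal; the helper names and the 2001:db8::/32 documentation addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical policy check: did the connection arrive on one of the
 * addresses this service intends to serve? */
int local_addr_allowed(const struct in6_addr *local,
                       const struct in6_addr *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(local, &allowed[i], sizeof *local) == 0)
            return 1;
    return 0;
}

/* Parse textual IPv6 addresses into an allow-list (constructed config);
 * malformed entries are skipped. Returns the number of addresses kept. */
size_t build_allow_list(const char *const *text, size_t n,
                        struct in6_addr *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (inet_pton(AF_INET6, text[i], &out[kept]) == 1)
            kept++;
    return kept;
}

/* Accept wrapper for a listener bound to in6addr_any: such a listener
 * answers on every address the host holds, including temporary ones.
 * getsockname() on the accepted socket reveals which local address the
 * peer reached, so connections that did not arrive on an intended
 * address are closed before any application data is read. */
int accept_checked(int listen_fd, const struct in6_addr *allowed, size_t n)
{
    int fd = accept(listen_fd, NULL, NULL);
    if (fd < 0)
        return -1;
    struct sockaddr_in6 local;
    socklen_t len = sizeof local;
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0 ||
        local.sin6_family != AF_INET6 ||
        !local_addr_allowed(&local.sin6_addr, allowed, n)) {
        close(fd); /* reached via an address we did not mean to serve */
        return -1;
    }
    return fd;
}
```

The simpler fix, binding the listener to the intended address instead of in6addr_any, needs no per-connection check, but the wrapper covers code you cannot change to do that.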
It’s a very loose proposal, but it gets to the root of an ongoing question we have with IPv6: “If we have an almost infinite number of unique addresses, how do we want to use them?”
As it turns out, it’s likely the question went into the wrong working group, because all standards processes wind up getting complex, and although 6man is where questions like this once got asked, we now have other spaces to discuss things in. But even if misdirected, I think it’s a good question.