Sounds a lot like PCP…

On Wed, 24 Apr 2024 at 16:26, Jared Mauch <ja...@puck.nether.net> wrote:

> I had thought of doing something where the device could send a profile to
> the router/DHCP server that says “here’s the ports, dns names, etc.. that I
> will be using”.
>
> This would then permit only those related bits to flow.
>
> - Jared
>
> > On Apr 24, 2024, at 4:23 PM, Hubert W <hubert.wisniew...@gmail.com> wrote:
> >
> >
> >
> > On Wed, Apr 24, 2024, 07:46 Mark Andrews <ma...@isc.org> wrote:
> >
> >
> > > On 23 Apr 2024, at 16:51, Hubert W <hubert.wisniew...@gmail.com> wrote:
> > >
> > > Dear WG,
> > >
> > >
> > > I woke up with one idea and I would like to challenge it.
> > > In IPv6, every device receives a routable address. To protect endpoints effectively, we require firewalls to filter unwanted traffic.
> >
> > Apart from packet volume this is a false assertion.  No device should require a firewall.
> >
> > > But what if we could stop such traffic at the source? Could this approach convince more people toward adopting IPv6?
> > >
> > > According to RFC 7381: “In a /48 assignment, typical for a site, there are then still 65,535 /64 blocks.” and “All user access networks should be a /64.”
> >
> > /64 is typical, not required.
> >
> > > Can we use then bit 63 to convey a message: “I don’t want any incoming traffic initiated towards me!!!”? Of course a response would be accepted.
> > >
> > > We could divide the /64 allocations into two groups: one for servers, and these accept incoming traffic (bit 63 = 0):
> > >
> > > for example 2001:0db8:0000:0000::/64
> > >
> > > And the second group: endpoints, these never accept incoming traffic (bit 63 = 1):
> > >
> > > for example 2001:0db8:0000:0001::/64
> > >
> > > We only need all systems to understand the message. If a router or firewall sees such a packet, then it drops it.
> > > Every TCP packet with flag SYN, where the destination address (IPv6) has bit 63 equal to 1, must be dropped.
> >
> > All the world is not TCP.  Additionally for TCP the filtering device would need to track state and that implies symmetric routing.
> >
> > > Would it be theoretically possible?
> >
> > No.
> >
> > > Best regards
> > >
> > > Hubert Wisniewski
> > >
> > > --------------------------------------------------------------------
> > > IETF IPv6 working group mailing list
> > > i...@ietf.org
> > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > --------------------------------------------------------------------
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
> >
> > I think there would be no issue with asymmetric traffic if we only check
> > SYN flag, but I understand that is not a good idea. Thank you for your
> > opinion.
> >
> > Hubert Wisniewski
_______________________________________________
6lo mailing list
6lo@ietf.org
https://www.ietf.org/mailman/listinfo/6lo
