[153929] in North American Network Operators' Group
Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jun 17 19:31:08 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4FDE19B0.80800@bogus.com>
Date: Sun, 17 Jun 2012 16:29:45 -0700
To: Joel jaeggli <joelja@bogus.com>
Cc: Arturo Servin <arturo.servin@gmail.com>, NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 17, 2012, at 10:53 AM, Joel jaeggli wrote:
> On 6/17/12 10:24 , valdis.kletnieks@vt.edu wrote:
>> On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
>>> Wouldn't BCP38 help?
>>=20
>> The mail I'm replying to has as the first Received: line:
>>=20
>> Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68? =
([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id =
b8sm25918444anm.4.2012.06.17.10.11.04 (version=3DTLSv1/SSLv3 =
cipher=3DOTHER); Sun, 17 Jun 2012 10:11:06 -0700 (PDT)
>=20
>=20
>> Obviously BCP38 doesn't help, as it's an established TCP connection =
so it can't be
>> spoofed traffic (gotta ACK Google's ISN from the SYN-ACK) - unless =
Google is silly
>> enough to *still* not be doing RFC1948 properly. I mean, Steve =
Bellovin wrote
>> that literally last century. ;)
>>=20
>> So - who owns 2800:af:ba30:e8cf:4881:973a:c68? And how does an LEO
>> find that info quickly if they need to figure out who to hand a =
warrant to?
>=20
> so first of you introduced a typo
>=20
> 2800:af:ba30:e8cf:4881:973a:c68
>=20
> 2800:af:ba30:e8cf:d06f:4881:973a:c68
>=20
> which like the wrong address in a search warrant can be a problem.
>=20
> jjaeggli@cXX-XX-XX0> show route table inet6.0
> 2800:af:ba30:e8cf:4881:973a:c68
> ^
> invalid ip address or hostname: 2800:af:ba30:e8cf:4881:973a:c68 at
> '2800:af:ba30:e8cf:4881:973a:c68'
>=20
> jjaeggli@cXX-XX-XX0> show route table inet6.0
> 2800:af:ba30:e8cf:d06f:4881:973a:c68
>=20
> inet6.0: 9674 destinations, 38494 routes (9674 active, 0 holddown, =
19088
> hidden)
> + =3D Active Route, - =3D Last Active, * =3D Both
>=20
> 2800:a0::/28 *[BGP/170] 1w2d 00:00:21, MED 50, localpref 200, =
from
> 2620:102:8004::10
> AS path: 7922 12956 6057 I
>=20
> XXXX-XXXXX:~ jjaeggli$ whois -h whois.lacnic.net
> 2800:af:ba30:e8cf:d06f:4881:973a:c68
>=20
> scopes it to not being a problem you can solve with policy in the arin
> region.
Lather rinse repeat with a better choice of address...
2001:550:3ee3:f329:102a3:2aff:fe23:1f69
This is in the ARIN region...
It's from within a particular ISP's /32.
Has that ISP delegated some overlapping fraction to another ISP? If so, =
it's not in whois.
Have they delegated it to an end user? Again, if so, it's not in whois.
Same for 2001:550:10:20:62a3:3eff:fe19:2909
I don't honestly know if either of those prefixes is allocated or not, =
so maybe nothing's wrong
in this particular case, but if they have been delegated and not =
registered in whois, that's
a real problem when it comes time to get a search warrant if speed is of =
the essence.
Owen
