Re: [6lo] ND cache entries creation on first-hop routers

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 03 July 2019 08:18 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Jen Linkova <furry13@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "6tisch@ietf.org" <6tisch@ietf.org>, 6man <6man@ietf.org>, V6 Ops List <v6ops@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Date: Wed, 03 Jul 2019 08:18:34 +0000
Message-ID: <MN2PR11MB356554390F9F0CD970CEAA6CD8FB0@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <CAFU7BAQ4xrjNn9-EUyRhyHKDDT=f381Z4T6x6qJ=ftm2D2K4cw@mail.gmail.com> <5377.1562081856@localhost> <CAFU7BAQomCzfDQaAOpJO7CmQYiAVzHFThviLv7r-0=C9v4MD-w@mail.gmail.com>
In-Reply-To: <CAFU7BAQomCzfDQaAOpJO7CmQYiAVzHFThviLv7r-0=C9v4MD-w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/1f3dpVP_Ue1h__uB0e_qWRo6ciM>
Subject: Re: [6lo] ND cache entries creation on first-hop routers
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>

Hello Jen

The routers that Michael is talking about are real routers, deployed in large volumes in the field, e.g., in Smartgrid networks. 
They are not running ND as RFC 4861/4862 but as RFC 6775/8505, and then operate RPL routing within the ML subnet.
It would be great to have a section that describes that new ND operation and shows how it changes the deal. I'd be happy to help you on that if you need.
There are some hints in https://datatracker.ietf.org/doc/draft-thubert-6man-ipv6-over-wireless/.

All the best,

Pascal

> -----Original Message-----
> From: 6lo <6lo-bounces@ietf.org> On Behalf Of Jen Linkova
> Sent: mercredi 3 juillet 2019 08:52
> To: Michael Richardson <mcr+ietf@sandelman.ca>
> Cc: 6tisch@ietf.org; 6man <6man@ietf.org>; V6 Ops List <v6ops@ietf.org>;
> 6lo@ietf.org
> Subject: Re: [6lo] ND cache entries creation on first-hop routers
> 
> On Wed, Jul 3, 2019 at 1:37 AM Michael Richardson
> <mcr+ietf@sandelman.ca> wrote:
> > I think that the discussion here is particularly relevant to
> > constrained devices/routers on route-over MESH(RPL,etc.) networks.
> >
> > I also think that for L=0 networks, which RPL creates with RPL DIO
> > messages rather than (just) RAs, and 6LRs that need to support join
> > operations (like draft-ietf-6tisch-minimal-security) this may matter.
> 
> Disclaimer: I have very limited knowledge in that area.
> 
> > In particular, in the minimal-security case, we need to partition the
> > ND cache such that untrusted (unverified) malicious pledge nodes can
> > not attack the ND cache.
> 
> The next version of the draft will have much more details on discussing the
> security considerations indeed.
> 
> > The behaviour 2.2.1.  Host Sending Unsolicited NA, should probably
> > never flush an old entry out of the ND.
> 
> I'd say that the router behaviour for creating a STALE entry upon receiving an
> unsolicited NA should be the same as for creating an entry for any other
> reason (e.g. for receiving an RS with SLLAO).
> The same safety rules shall apply.
> 
> > I think that under attack
> > (whether from untrusted pledges, or from p0woned devices already on
> > the network), it is better to prefer communication from existing nodes
> > rather than new ones.  2.2.1.2 mentions this.
> 
> I guess your routers do purge old stale entries?
> 
> > {typo:
> >       -It's recommended that thsi functionality is configurable and
> >       +It's recommended that this functionality is configurable and }
> 
> Thanks, will fix in -01.
> 
> > I didn't really understand 2.2.2: is it exploiting some corner case in
> > the spec, or maybe just some part I am not well clued in about.  So
> > maybe an extra paragraph to explain things.
> 
> It's just using the standard ND process: when the node B receives an NS from
> node A and that NS contains the node B address as a target address and
> SLLAO contains node A LLA, the node B would respond with NA and would
> create a STALE entry for the node A -
> https://tools.ietf.org/html/rfc4861#section-7.2.3
> 
> > I kinda like the ping all routers trick.
> 
> I think it's a hack ;( we do have a mechanism for communicating neighbours
> addresses/reachability called ND. It would be nice to utilise its machinery.
> Pinging creates additional overhead on routers and could get filtered.
> But I'd not be surprised if it's the only way we have realistically to mitigate the
> issue..
> 
> >
> > Jen Linkova <furry13@gmail.com> wrote:
> >     > I wrote a short draft to discuss and document an operational issue
> >     > related to the ND state machine and packet loss caused by how routers
> >     > create ND cache entries for new host addresses:
> >
> >     >
> > https://datatracker.ietf.org/doc/draft-linkova-v6ops-nd-cache-init/
> >
> >     > (taking into account some vendors have implemented one of the
> >     > proposed solutions already, I guess it's a well-known problem but it
> >     > might still be worth documenting)
> >
> >     > Comments are appreciated!
> >
> >     > --
> >     > SY, Jen Linkova aka Furry
> >
> >
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> > -= IPv6 IoT consulting =-
> 
> --
> SY, Jen Linkova aka Furry
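The two cache-creation models discussed in this thread, as an added example written by the editor and not taken from draft-linkova-v6ops-nd-cache-init, from any RFC, or from any of the posters: a toy Python model of a first-hop router's neighbor cache. It contrasts the RFC 4861 reactive path Jen describes (an NS or RS carrying an SLLAO creates a STALE entry; an unsolicited NA for an unknown neighbour is discarded unless the router opts in to treating it like any other creation, under the same rules), with the RFC 6775/8505 registration path Pascal points to (the router only creates an entry on an explicit registration and answers with an EARO status, so it can refuse a newcomer with "Neighbor Cache Full" instead of evicting a known neighbour). The `prefer_existing` policy knob, the cache capacity, and all addresses, link-layer addresses and ROVR values are constructed for the example; the Override flag handling of RFC 4861 section 7.2.5 and the registered-entry states of RFC 8505 are simplified.

```python
"""Toy model of how a first-hop router creates neighbor cache entries.

Added example; not code from the draft or from any RFC implementation.
Two creation paths are modelled:
  * RFC 4861 reactive path: an NS (or RS) that carries an SLLAO creates a
    STALE entry for the sender (section 7.2.3); an unsolicited NA for an
    unknown neighbour is discarded (section 7.2.5) unless the router opts
    in to creating a STALE entry under the same rules as for NS/RS+SLLAO.
  * RFC 6775/8505 registration path: the router only creates an entry on an
    explicit registration and answers with an EARO status code, so it can
    refuse a newcomer instead of evicting a known neighbour.
All addresses, link-layer addresses and ROVR values are made up.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 8505 EARO status values used here (others exist, e.g. Moved, Removed).
EARO_SUCCESS = 0
EARO_DUPLICATE_ADDRESS = 1
EARO_NEIGHBOR_CACHE_FULL = 2


@dataclass
class Entry:
    lladdr: str
    state: str                      # "STALE" or "REACHABLE" (simplified)
    rovr: Optional[bytes] = None    # set only for registered (RFC 8505) entries
    lifetime_min: int = 0           # registration lifetime, units of 60 s


class RouterNDCache:
    """Neighbor cache with a hard capacity and a configurable full-cache policy."""

    def __init__(self, capacity: int, prefer_existing: bool = True) -> None:
        self.capacity = capacity
        # prefer_existing=True: never evict a known neighbour to admit an
        # unknown one (the "prefer existing nodes" policy from the thread).
        # False: evict the oldest entry to make room (hypothetical knob).
        self.prefer_existing = prefer_existing
        self.entries: Dict[str, Entry] = {}   # dict keeps insertion order

    def _make_room(self) -> bool:
        if len(self.entries) < self.capacity:
            return True
        if self.prefer_existing:
            return False
        oldest = next(iter(self.entries))
        del self.entries[oldest]
        return True

    def _create_stale(self, src: str, lladdr: str) -> bool:
        entry = self.entries.get(src)
        if entry is not None:
            if entry.lladdr != lladdr:        # known neighbour, new LLA: update, go STALE
                entry.lladdr, entry.state = lladdr, "STALE"
            return True
        if not self._make_room():
            return False                      # newcomer refused, cache untouched
        self.entries[src] = Entry(lladdr, "STALE")
        return True

    # RFC 4861 7.2.3: NS for a target the router owns, carrying an SLLAO.
    # An RS with an SLLAO (section 6.2.6) is handled by the same rule.
    def on_ns_with_sllao(self, src: str, sllao: str) -> bool:
        return self._create_stale(src, sllao)

    def on_unsolicited_na(self, src: str, tllao: str, create_if_missing: bool) -> bool:
        entry = self.entries.get(src)
        if entry is not None:                 # existing entry: update LLA, go STALE
            if entry.lladdr != tllao:
                entry.lladdr, entry.state = tllao, "STALE"
            return True
        if not create_if_missing:             # RFC 4861 7.2.5: silently discard
            return False
        return self._create_stale(src, tllao)  # opt-in: same rules as NS/RS+SLLAO

    # RFC 6775/8505: NS carrying an (E)ARO; the router answers NA with a status.
    def on_registration(self, addr: str, lladdr: str, rovr: bytes, lifetime_min: int) -> int:
        entry = self.entries.get(addr)
        if entry is not None and entry.rovr is not None and entry.rovr != rovr:
            return EARO_DUPLICATE_ADDRESS     # address already owned by another ROVR
        if lifetime_min == 0:                 # lifetime 0 is a de-registration
            self.entries.pop(addr, None)
            return EARO_SUCCESS
        if entry is None and len(self.entries) >= self.capacity:
            return EARO_NEIGHBOR_CACHE_FULL   # refuse; existing registrations survive
        self.entries[addr] = Entry(lladdr, "REACHABLE", rovr, lifetime_min)
        return EARO_SUCCESS
```

With `prefer_existing=True` a third on-link sender hitting a two-entry cache is simply refused, which is the behaviour Michael argues for under attack; with the registration path the newcomer additionally learns why (status 2) and can retry with another 6LR, while an entry already bound to a different ROVR is reported as a duplicate rather than overwritten.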