IETF Logo Mail Archive

Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS and COMMENT)

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Mon, 23 March 2020 10:50 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE4B53A0484; Mon, 23 Mar 2020 03:50:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=RVKv5dgv; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=XJ0x0IUK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GdtWteKUFA53; Mon, 23 Mar 2020 03:50:51 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 176B33A044A; Mon, 23 Mar 2020 03:50:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6893; q=dns/txt; s=iport; t=1584960651; x=1586170251; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=M6BJt6c4055qHurgOzDq5tsdXUJb3lXgiQNR0G3CS20=; b=RVKv5dgvdElTd6Lzfwt9CN00y4C3JV7qUrKQBP+vbFBUp4zWZVSCZO8y m2Hy0jt02qaGhCCjJjhlQCrBfy06o/yACDVH+U5y0AroiA225I74S8kV9 2vygYwUbzZtAUQdD4hCs17+xSVfCWV1rjCQUasFhOa269H4vI/jOcKKkb Y=;
X-IPAS-Result: A0CoDADwk3he/4cNJK1mDhABCxyDT1AFgUQgBAsqh10DinBOghGBAZcbgUKBEANUCQEBAQwBAS0CBAEBhEUCgiUkOBMCAwEBAQMCAwEBAQEFAQEBAgEFBG2FVgyFYwEBAQECARIoBgEBNwEPAgEINhAyJQEBBAoEDRqFUAMOIAGhDQKBOYhigieCfwEBBYUcGIIMCYE4hSCEQ3gQgUQagUE/gRFHghg1PoQiDwIag0GCLI1cgmCQUY9ECoI8jTGJc4JMjQCMDZBdmiECBAIEBQIOAQEFgWkiRIEUcBWDJ1AYDY4dDBcVgzuKGD10gSmLKoJDAQE
IronPort-PHdr: 9a23:QYmJKxOjjy/gxuL0OP4l6mtXPHoupqn0MwgJ65Eul7NJdOG58o//OFDEu6w/l0fHCIPc7f8My/HbtaztQyQh2d6AqzhDFf4ETBoZkYMTlg0kDtSCDBjjMP73ZSEgAOxJVURu+DewNk0GUJ+kNUffqXCz8zMeXw7nO1opdMLyHIOaz9yt0Py/8IHSZAMOgyehZbR1L1O9qgCD/sIXmoBlbK02z1PFpXZTM+JR2StkKEmSkBD1+srVntZ7/j5Vuu49+sIISqj8c6kiBbxfFyg9cm0=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.72,296,1580774400"; d="scan'208";a="440265919"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Mar 2020 10:50:49 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by alln-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 02NAoncl028217 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 23 Mar 2020 10:50:49 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 23 Mar 2020 05:50:49 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 23 Mar 2020 05:50:48 -0500
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 23 Mar 2020 06:50:48 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aU8FJ/HcAwR865KWDre8veMyTIu6WRfYBkSTZC1JL2LKh1lMtfPJaEKn8SgFKcDUk1LUoltVwkQdnwBFt9B4cqrXpTmGV1bxsme3LC1VckBGDo2IgVxpwXPm+hOKs278+B5OdzrqCw5CyCKXxplQzQjB819IsLcVJcs+ZxDINLu9SrLcXqc93iUQ7sM5EVG1IrY3EDgiz9JDiHAI14u3Fi1H/chM1tao99T7hyKOQ/CRagu8TXBFMqDsjT5Q9yWuWWsR+SiZ7nXuQHvthThr7kU1Py22G7gLxSCCbMawXkRzZKTUy2wjXwVX5D+fZJXlSvP/XBmlsvqRKT6RhZOCPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=0B8pMcbvZgBrSu0Dz7Bt0guBaEC9iM1PjX0BlHkswdw=; b=LtIR2LBkd2N9/P0mBPpsPjSSDEo7hqdFiycorF4lxJwluq0ewKmxfxYlX1oQbHHePKWKV4iRKaPL3vDjz3BV0ijENgfK3MW71kYzdSxoMJjGFK1SoJq4z5Z1mRJPmazZQJ4Q9S7qXN8iENnqxOcI6jpzV/BIv7ITjjeRcUo4VtOQkb6EUp+ogpIgTZI5DYwfuI62CJAkl9cGX05EIYzNK1I01GeLryKMvlRpMop5kQZHd45EHV8TjAYH3OSf9sCrVW8FKtg1ozH5CFJTZNUgdXmUWnpzWX9Bx4rOkzc4/9GLi0U7BrDgkgSXYUnKPei1rm0kbVQowWogaJ4YNScuwQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0B8pMcbvZgBrSu0Dz7Bt0guBaEC9iM1PjX0BlHkswdw=; b=XJ0x0IUKnHliqiQWf433akvogQr+MbJZvd9wb1UgU/b0wAeipnClpk+ReNqLnt+ILTIp6io2WAj6ChK6hPoDioJ3VUJbTuZ4JedQO0RGsKWhHFs/i1Sh7YElc2LbGvZyCJn0rRvIyrdKB5ByiZs2EKFBf6++t+CZIp2s0xWmQIw=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (2603:10b6:208:ea::31) by MN2PR11MB4445.namprd11.prod.outlook.com (2603:10b6:208:18a::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.18; Mon, 23 Mar 2020 10:50:47 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::113b:3127:ef12:ea7]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::113b:3127:ef12:ea7%7]) with mapi id 15.20.2835.021; Mon, 23 Mar 2020 10:50:47 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-6lo-backbone-router@ietf.org" <draft-ietf-6lo-backbone-router@ietf.org>, Carles Gomez <carlesgo@entel.upc.edu>, Samita Chakrabarti <samitac.ietf@gmail.com>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS and COMMENT)
Thread-Index: AdXoCIFC+QHgJb6FQSiPQ9HNJDofNwYh8gYAABr7uTA=
Date: Mon, 23 Mar 2020 10:50:25 +0000
Deferred-Delivery: Mon, 23 Mar 2020 10:49:48 +0000
Message-ID: <MN2PR11MB35659829D467B581F8C75353D8F00@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <MN2PR11MB356519AC65DF298664EEA30DD8E70@MN2PR11MB3565.namprd11.prod.outlook.com> <20200322212436.GB50174@kduck.mit.edu>
In-Reply-To: <20200322212436.GB50174@kduck.mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2a01:cb1d:4ec:2200:21e6:d690:3c23:51d]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f2af8d20-9bde-45a4-0afb-08d7cf180bc1
x-ms-traffictypediagnostic: MN2PR11MB4445:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MN2PR11MB4445B39597870A40674CDA25D8F00@MN2PR11MB4445.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0351D213B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(136003)(376002)(366004)(346002)(396003)(199004)(478600001)(8676002)(86362001)(66476007)(66556008)(76116006)(33656002)(66946007)(9686003)(6506007)(55016002)(6666004)(4326008)(7696005)(5660300002)(81166006)(81156014)(6916009)(8936002)(2906002)(71200400001)(54906003)(64756008)(316002)(52536014)(66574012)(186003)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4445; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RdfETH8n///DFgOPZHhCjxF7Xo6nDgIdn+3JykZGkzWqiuDdOhZ9t5TDEDHy9k0haflMaJrcXixKQhVf2EAL8jxAP35ZfOgg1t3NzZXHiX0ykhceAfdppMrHu6GywQ6f0Hh/C1g8Wwt7DwZdVguKabtOWO4DusohhO190qA5mdX4Pvuq0lotzbd3AEoUR8D92tv9+oRC+zEzvZsVchd+W1ZCKFitXJKqck2Nm871eA+wR0jUBQVZw5GBk3U3sfDCAUvNI6SleC/QmKh+/xvckTxNHVKzS3meT2k8rLOuLdbfE9LGyXm2vjw3ubxie5hLJ/n4DuhTQgiZ6CYDO7UvndMxlMWLhbD4dTYk+Zgi0STR4tKO9cmoXFBx+iJ7rYdUprj5sEpoGkV+SwH6TX7C06o9S8jCIKSDMQjToHdvPqCyOltwG/W0ib6YPcVMDuFX
x-ms-exchange-antispam-messagedata: rdnei8G2LqbAxjDbILNaK24fGz7uAqDBKLUXx+20WXvNOUSO/BOc0VptCveJ30exqlZu6XpPg/SYxIisnt/n4fwJgCljyBKAY1SGTpnrrgV4uczzdm/T4V0eaa7sKmW/7ZOW2ks/+/y5+l2U5jlnQjdC90H4ot5fRiHXybeqbueiFsVBp265wFEyP5ITUoqObx4BrDgBeLjilzxljM/Tfw==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: f2af8d20-9bde-45a4-0afb-08d7cf180bc1
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Mar 2020 10:50:47.7830 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: cupnlbvLOv948G64rxzvWXaHGKFm6/uenJVH3WLasY2UQ1r4la25cK3jcm3JaUobBroM6NcbkUY5Y/LkBGBx2A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4445
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: alln-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/ALJT6mu9xUrwmMLnQaPXCLV7dAM>
Subject: Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2020 10:50:54 -0000

Hello again, Benjamin

> > Again and again, many thanks for your arch-fantastic reviews!


> > "
> >   Each Backbone Router (6BBR) maintains a data structure for its
> >    Registered Addresses called a Binding Table.  The abstract data that
> >    is stored in the Binding Table includes the Registered Address,
> >    anchor information on the Registering Node such as connecting
> >    interface, Link-Local Address and Link-Layer Address of the
> >    Registering Node on that interface, the EARO including ROVR and TID,
> >    a state that can be either REACHABLE, TENTATIVE, or STALE, and other
> >    information such as a trust level that may be configured, e.g., to
> >    protect a server.  The combined Binding Tables of all the 6BBRs on a
> >    backbone form a distributed database of 6LNs that reside in the LLNs
> >    or on the IPv6 Backbone.
> > "
> 
> This is nice!  I am still not sure about how much a deployment needs to care
> about concurrency and/or consistency issues for the "distributed database";
> given that lossy radio technologies are involved I mostly assume that things
> will be self-healing in the face of a bit of delayed update propagation, but it
> would be nice to have that confirmed.

To do care and this is why we have the ROVR and the TID included in the exchange on the backbone.
The point is to ensure that the database is maintained up to date with the right state at the right place.
This db becomes a core functionality for a modern switch and router as it is the point where the hosts are observed.
This is injected in many features, such as LISP MS/MR, SD-stuff, network management and security tools.




> > > Section 9
> > >
> > >    even for a duplicate address.  Consequently, and unless
> > >    administratively overridden, the 6BBR still needs to perform IPv6 ND
> > >    DAD over the backbone after an EDAC with a status code of 0 or 9.
> > >
> > > I'd be curious to see a pointer to the discussions that caused
> > > "unless administratively overridden" to be introduced, as naively
> > > that note does not seem necessary.
> >
> > The idea behind it is that if all nodes register to the 6LBR then the DAD can
> be avoided.
> > But the only way to know is administrative. I wanted to leave that door
> open. But I guess it is implicitly.
> > Removed the text.
> >
> > >
> > >    If a registration is received for an existing Binding with a non-null
> > >    Registration Lifetime and the registration is fresher (same ROVR,
> > >    fresher TID), then the Binding is updated, with the new Registration
> > >    Lifetime, TID, and possibly Registering Node.  In Tentative state
> > >    (see Section 9.1), the current DAD operation continues unaltered.  In
> > >    other states (see Section 9.2 and Section 9.3 ), the Binding is
> > >    placed in Reachable state for the Registration Lifetime, and the 6BBR
> > >    returns an NA(EARO) to the Registering Node with a status of 0
> > >    (Success).
> > >
> > > Does this mean we don't re-do DAD for registrations already in a
> > > Stale state when we receive an updated registration for them?
> >
> > Correct. If a sign of reuse of the address had been seen the Binding would
> have been removed in 9.3. That's the point actually of keeping the address in
> Stale state.
> 
> I guess I wasn't sure if those mechanisms would be 100% reliable to avoid two
> nodes thinking they have the same address, but it's been too long since I
> wrote this for me to be sure what I was thinking.  If you say they are 100%
> reliable, that is good enough for me.

Classical IPv6 ND DAD is NOT 100% reliable. It is in fact very unreliable on large wireless deployments.
Anything that happens on the backbone that is based on multicast may have misses. 
What makes IPv6 work is that the collisions actually do not happen with pseudo-random, crypto-based or MAC-seeded IIDs.
The next spec on having a 6LBR on the backbone will make it reliable, provided that the 6LBR itself is. But getting 6MAN to endorse it will be an interesting time, help appreciated.



> > >
> > > It might be worth a brief preface that since we're modifying the ND
> > > and DAD processes, the attacks in scope are basically limited to
> > > blocking discovery of taking over addresses from other nodes (which,
> > > to be fair, can in some cases have substantial consequences in terms of
> reading the "stolen" traffic!).
> >
> > Argl, I cannot parse that. Would you kindly suggest text?
> 
> I was thinking something like:
> 
>   The procedures in this document modify the mechanisms used for IPv6 ND
>   and DAD and should not affect other aspects of IPv6 or
>   higher-level-protocol operation.  As such, the main classes of attacks
>   that are in play are those which week to block neighbor discovery or to
>   forcibly claim an address that another node is attempting to use.  In the
>   absence of cryptographic protection at higher layers, the latter class of
>   attacks can have significant consequences, with the attacker being able
>   to read all the "stolen" traffic that was directed to the target of the
>   attack.

Cool, using it. At some point you become an author!

> > > The 6BBR can also perform such an attack, right?  It might be worth
> > > explicitly stating that we trust it to behave honestly in order for
> > > this stuff to work properly.
> >
> > Sure, the attacker impersonates a 6BBR. A compromised 6BBR is an ideal
> attacker.
> > A compromised 6BBR can do anything like accept registration but not
> forward traffic, not proxy, etc...
> > But that's obvious isn't it?
> 
> It's probably obvious, yes.  At this point I'm never sure where the line is for
> "too obvious to mention"; some things are obvious to me but far-from-
> obvious to people who haven't had a couple years' experience as SEC AD...

And I probably know my spec too well. Let's go then. What about uplifting the below:

"
   This specification introduces a 6BBR that is a router on the path of
   the LLN traffic and a 6LBR that is used for the lookup.  They could
   be interesting targets for an attacker.  A compromised 6BBR can
   accept a registration but block the traffic, or refrain from
   proxying.  A compromised 6LBR may accept unduly the transfer of
   ownership of an address, or block a new comer by faking that its
   address is a duplicate.  But those attacks are possible in a
   classical network from a compromised default router and a DHCP
   server, respectively, and can be prevented using the same methods.
"


Again, many, many thanks Benjamin : )

Since these are limited changes I'll post a single update with Mirja's comments as well.

Keep safe!

Pascal

v2.23.0 | Report a Bug | By Email