[6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Mon, 17 February 2020 23:21 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: 6lo@ietf.org
Delivered-To: 6lo@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 09C67120041; Mon, 17 Feb 2020 15:21:46 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-6lo-backbone-router@ietf.org, Carles Gomez <carlesgo@entel.upc.edu>, Samita Chakrabarti <samitac.ietf@gmail.com>, Shwetha Bhandari <shwethab@cisco.com>, 6lo-chairs@ietf.org, shwethab@cisco.com, 6lo@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.117.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <158198170602.23989.6191753822198720003.idtracker@ietfa.amsl.com>
Date: Mon, 17 Feb 2020 15:21:46 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/JRIcwKx9FyaIA3SoTavTR9veaQU>
Subject: [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2020 23:21:46 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-6lo-backbone-router-16: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-6lo-backbone-router/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for this -- it was a good read. I just have a few super-boring poitns of apparent internal inconsistency to fix before publication. There seems to be an internal inconsistency relating to the handling of link-local addresses by a Bridging Proxy: Section 8 descriptively says that such addresses are (always) registered ("[t]he Bridging Proxy registers any Binding including for a Link-Local address to the 6LBR"), but Section 9 has this behavior as optional ("[a] Bridging Proxy MAY register Link Local addresses at the 6BBR and proxy ND for these addresses over the backbone"). Similarly, I see Section 6 saying that when a 6BBR generates an NA in response to an NS(DAD), it "MUST have the Override flag set", but Section 9.2 says "MUST be answered ... the Override flag not set" (for the "different registration" case, i.e., second bullet) and nothing at all about the Override flag for the "not as fresh"/"Moved" case (i.e., the third bullet). Am I misreading something? Continuing the theme, Section 10 notes that a "Registering Node SHOULD register all of its IPv6 Addresses to its 6LR, which is the 6BBR when they are connected at Layer 2", but Appendix B states the stronger condition that "[t]he 6BBR assumes that if a node registers at least one IPv6 Address to it, then the node registers all of its Addresses to the 6BBR." ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- In Section 3 we talk about the Binding Table as a "distributed database", but I didn't see much further exposition on that topic. It would be great to have a bit of discussion about what the logical contents of a row in the database are (e.g., IP address, MAC address, ROVR, registration state, associated host route, ...), as well as what the concurrency and consistency properties of the distributed database are expected or required to be. I also am not quite sure I understand the full picture for backwards compatibility/incremental deployment: it seems like we may need the 6LBR(s) to be updated to support this spec before anything else can use it, though I'm not sure. For example, if we need both IPv6 ND's DAD and EDAR/EDAC between 6BBR/6LBR, does that mean the 6LBR has to be updated first? Section 1 Because IPv6 ND messages sent to the SNMA group are broadcast at the radio MAC Layer, wireless nodes that do not belong to the SNMA group still have to keep their radio turned on to listen to multicast NS messages, which is a total waste of energy for them. In order to nit: "total waste" might be a stronger statement than you want to have to defend (vs. just "waste"). These problems can be alleviated by reducing the IPv6 ND broadcasts over wireless access links. This has been done by splitting the broadcast domains and routes between subnets, or even by assigning a /64 prefix to each wireless node (see [RFC8273]). "If there are already solutions, why do we need more solutions?" ;) (Maybe it's worth mentioning that these proposed workarounds have weaknesses, or even what those weaknesses are.) Another way is to proxy at the boundary of the wired and wireless domains the Layer 3 protocols that rely on MAC Layer broadcast operations. For instance, IEEE 802.11 [IEEEstd80211] situates proxy- ARP (IPv4) and proxy-ND (IPv6) functions at the Access Points (APs). The 6BBR provides a proxy-ND function and can be extended for proxy- ARP in a continuation specification. nit-ish: it might be worth saying something about "in an analogous manner" and/or "for LLNs" in the last sentence. Section 2.2 Sleeping Proxy: A 6BBR acts as a Sleeping Proxy if it answers ND Neighbor Solicitations over the Backbone on behalf of the Registering Node which might be in a sleep state in a low power network. The Sleeping Proxy that is also a Bridging Proxy will preferably forward the relevant messages to the Registering Node as unicast frames in accord to the duty cycle of the Registering Node and let it respond. Should we expect the reader to know what "the relevant messages" are that the bridging proxy forwards to the registering node? Without additional context, the text here implies that the ND NS messages are the "relevant" ones, with the awkward implication that the 6BBR both answers on behalf of the registering node and forwards messages to it. Bridging Proxy: A Bridging Proxy provides IPv6 ND proxy functions while preserving forwarding continuity at the MAC Layer. The Bridging Proxy advertises the MAC Address of the Registering Node as the TLLA in the proxied NAs over the Backbone. In that case, the MAC Address and the mobility of 6LN is still visible across the bridged Backbone, and the 6BBR may be configured to proxy for Link Local Addresses. nit: I think there's a singular/plural issue for "mobility of 6LN". Section 2.4 nit: the current structure doesn't do a good job of indicating why the references are grouped into bullet points as opposed to a single consolidated list. Section 3 nit: the list after figure 1 is missing a blank line between the last two elements. * Advertise a Registered Address over the Backbone using an unsolicited NA message, asynchronously or as a response to a NS message. This includes joining the multicast group associated to nit: I think the binding of "unsolicited" is not quite right, as it currently also applies to the "as a response to a NS" case. The first of these functions enables the 6BBR to fulfill its role as a Routing Registrar for each of its attached LLNs. The remaining functions fulfill the role of the 6BBRs as the border routers connecting the Multi-link IPv6 subnet to the Internet. I'm a bit confused by this last sentence (probably just me, but...) -- the functions in question are things like forwarding/briding traffic between LLN and backbone, so why is "the Internet" required to be in play? The registration to a proxy service uses an NS/NA(EARO) exchange. nit(?): does the "(EARO)" apply to just NA, or to NS as well? The 6BBRs use the Extended Address Registration Option (EARO) defined in [RFC8505] as follows: [...] * The Link Layer Address (LLA) that the 6BBR advertises for the Registered Address on behalf of the Registered Node over the Backbone can belong to the Registering Node; in that case, the 6BBR (acting as a Bridging Proxy (see Section 8)) bridges the unicast packets. Alternatively, the LLA can be that of the 6BBR on the Backbone interface, in which case the 6BBR (acting as a Routing Proxy(see Section 7)) receives the unicast packets at Layer 3 and routes over. I'm not seeing how the EARO is used as part of this. Section 3.1 Would it be worth a forward-reference to Section 9 (for it's list of "6LR operation is modified as follows")? Note: [RFC6775] requires that the registration NS(EARO) contains an SLLAO and [RFC4862] that the NS(DAD) is sent from the unspecified nit: RFC 6775 predates RFC 8505 that introduces the EARO, so it's hard to see how 6775 specifically requires this of a registration NS(EARO). Section 3.3 side note: some of our previous discussions on 6lo documents gave me the impression that a 6LBR was more of a privileged/distinguished thing than Figure 4 makes it out to be, e.g., that there would be one logical 6LBR per network. Going back and re-reading (e.g., RFC 8505) it seems I was mistaken, and it's okay to have many independent 6LBRs like this; they just need to be managing distinct LLNs. Section 3.4 * Identical registrations (same TID, same ROVR) from the same Registering Node are accepted with a status of 0 (Success). In Tentative state, the response is held and may be overwritten, but nit: is this still "the EDAC response" as in the previous item? Section 3.5 A 6BBR may optionally be primary or secondary. The primary is the I'm not sure what the "optionally" means here -- is it an implementation choice to just not think about the question of primary vs. secondary and alawys behave the same [as primary]? The next paragraph implies that it is so, but perhaps more clarity is warranted. Section 4 Nodes located inside the subnet do not perform the IPv6 Path MTU Discovery [RFC8201]. [...] nit(?): I couldn't find where in RFC 8201 it's specified that PMTUD is not performed for same-subnet paths; is that specified elsewhere or just a consequence of the nature of a subnet? Section 5 This specification allows for an address to be registered to more than one 6BBR. Consequently a 6LBR MUST be capable of maintaining state for each of the 6BBR having registered with the same TID and same ROVR. This seems like something worth calling out in the "Updating RFC 6775" section. Section 6 The 6BBR advertises and defends the Registered Addresses over the Backbone Link using RS, NS(DAD) and NA messages with the Registered Address as the Source or Target address, respectively. nit: I don't think "respectively" is right, since there are three elements in the first list (RS, NS(DAD), and NA) but only two in the second (Source address, Target address). An NA message generated in response to an NS(DAD) MUST have the Override flag set and a status of 1 (Duplicate) or 3 (Moved) in the EARO. An NA message generated in response to an NS(Lookup) or an NS(NUD) MUST NOT have the Override flag set. I think there's an implicit "by the 6BBR" in both the "message generated"s here, but please confirm. This specification enables proxy operation for the IPv6 ND resolution of LLN devices and a prefix that is used across a Multi-Link Subnet MAY be advertised as on-link over the Backbone. This is done for backward compatibility with existing IPv6 hosts by setting the L flag in the Prefix Information Option (PIO) of RA messages [RFC4861]. Are there any drawbacks to providing this backwards-compatible behavior worth mentioning? Section 7 EUI-48). Since a 6LN may not be able to resolve an arbitrary destination in the MLSN directly, the MLSN prefix MUST NOT be advertised as on-link in RA messages sent towards the LLN. nit(?): is there a single distinguished MLSN prefix to merit the definite article here? (I note that in the previous section we speak only of "a prefix that is used across a [MLSN]".) Section 8 If the Registering Node owns the Registered Address, then its mobility does not impact existing NCEs over the Backbone. Otherwise, when the 6LN selects another Registering Node, the new Registering Node SHOULD send a multicast NA with the Override flag set to fix the existing NCEs across the Backbone. I think I'm confused about the distinction between "Registering Node" and "6LN", here -- in my head they are the same entity. (If I replace "Registering Node" with "6BBR" in the second and third occurrences, things seem to make more sense and are roughly analogous to the discussion in Section 7...but looks can be deceiving.) [ed. Section 10 does describe a case where Registering Node and 6LN are different] Section 9 even for a duplicate address. Consequently, and unless administratively overridden, the 6BBR still needs to perform IPv6 ND DAD over the backbone after an EDAC with a status code of 0 or 9. I'd be curious to see a pointer to the discussions that caused "unless administratively overridden" to be introduced, as naively that note does not seem necessary. If a registration is received for an existing Binding with a non-null Registration Lifetime and the registration is fresher (same ROVR, fresher TID), then the Binding is updated, with the new Registration Lifetime, TID, and possibly Registering Node. In Tentative state (see Section 9.1), the current DAD operation continues unaltered. In other states (see Section 9.2 and Section 9.3 ), the Binding is placed in Reachable state for the Registration Lifetime, and the 6BBR returns an NA(EARO) to the Registering Node with a status of 0 (Success). Does this mean we don't re-do DAD for registrations already in a Stale state when we receive an updated registration for them? Upon a registration that is identical (same ROVR, TID, and Registering Node), the 6BBR returns an NA(EARO) back to the Registering Node with a status of 0 (Success). A registration that is not as fresh (same ROVR, older TID) is ignored. What (if anything) happens to the registration lifetime in this case? registering node. It MAY preserve a temporary state in order to forward packets in flight. The state may be a NCE formed based on a received NA message, or a Binding in Stale state and pointing at the new 6BBR on the backbone. nit: is this an exhaustive list of permitted ways to implement "temporary state"? The implementation should also use REDIRECT messages as specified in [RFC4861] to update the correspondents for the Registered Address, pointing the new 6BBR. s/should/SHOULD/? Section 9.1 * The Binding MUST be removed if an NA message is received over the Backbone for the Registered Address with no EARO, or containing an EARO with a status of 1 (Duplicate) that indicates an existing registration owned by a different Registering Node. In that case, an NA MUST be sent back to the Registering Node with a status of 1 (Duplicate) in the EARO. This behavior might be overriden by policy, in particular if the registration is trusted, e.g., based on the validation of the ROVR field (see [I-D.ietf-6lo-ap-nd]). I suggest to reword this to say "an NA is sent back to the Registering Node" to avoid having a normative "MUST" that is then overridden by the last sentence. (Similarly for the next item as well.) Also, to check my understanding, the first two bullets in combination mean that if we somehow end up in a state with identical Tentative bindings at two different 6BBRs, they will both respond to each others' NS(DAD) with an NA, causing both bindings to be removed (i.e., "everyone loses")? Section 10 The Registering Node may be the 6LN owning the IPv6 Address, or a 6LBR that performs the registration on its behalf in a Route-Over mesh. Having this earlier would probably have saved me some confusion :) The Registering Node SHOULD register all of its IPv6 Addresses to its 6LR, which is the 6BBR when they are connected at Layer 2. Failure to register an address may result in the address being unreachable by other parties if the 6BBR cancels the NS(Lookup) over the LLN or to selected LLN nodes that are known to register their addresses. I'm not sure I'm parsing the second sentence correctly -- what's the antecedent for "or to selected LLN nodes"? The Registering Node SHOULD also follow [RFC7772] in order to limit This is BCP 202, right? Section 11 We force a sequencing that has EDAR/EDAC occur before normal NS(DAD); does this provide a new DoS avenue by virtue of delaying the normal NS(DAD) procedure by (e.g.) dropping the EDAC messages? It might be worth a brief preface that since we're modifying the ND and DAD processes, the attacks in scope are basically limited to blocking discovery of taking over addresses from other nodes (which, to be fair, can in some cases have substantial consequences in terms of reading the "stolen" traffic!). This specification applies to LLNs and a backbone in which the individual links are protected against rogue access, e.g., by authenticating a node that attaches to the network and encrypting at the MAC layer the transmissions that may be overheard. In particular, the LLN MAC is required to provide secure unicast to/from the Backbone Router and secure Broadcast from the Backbone Router in a way that prevents tampering with or replaying the RA messages. It seems like it would be worth stating these requirements/applicability statement much earlier in the document (possibly in addition to here), e.g., in the Introduction. provide the proof-of-ownership. A possible attack over the backbone can be done by sending an NS with an EARO and expecting the NA(EARO) back to contain the TID and ROVR fields of the existing state. With that information, the attacker can easily increase the TID and take over the Binding. The 6BBR can also perform such an attack, right? It might be worth explicitly stating that we trust it to behave honestly in order for this stuff to work properly. We could also discuss how things break if the "distributed database" of registrations gets out of sync across 6BBRs/etc.. How do things degrade if a secondary 6BBR "stands back" to let a primary handle a given message but the primary 6BBR has gone offline unbeknownst to the secondary? Are there any noteworthy scaling requirements to the bridging and routing proxy modes? (I don't think so, and we just allude to "dimensioned for the number of registrations that each needs to support" in Appendix B, but it doesn't hurt to ask.) Section 15 RFC 6550 is only mentioned once, as a "non-normative example", so seems more appropriately placed in the Informative References. Section 16 It might be worth replacing RFC 6830 with draft-ietf-lisp-rfc6830bis, which is both significantly different from RFC 6830 and fairly close to done. We have "SHOULD [...] support Packet-Loss Resiliency for Router Solicitations [RFC7559]" which, per https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ would put it in the Normative References. Likewise for RFC 7772. Appendix A By default the specification does not have a trust model, e.g., whereby nodes that associate their address with a proof-of-ownership [I-D.ietf-6lo-ap-nd] should be more trusted than nodes that do not. Such a trust model and related signaling could be added in the future to override the default operation and favor trusted nodes. Well, we kind of have a trust model: "anyone on the backbone and anyone that can authenticate to the LLN MAC is trusted equally; others are not trusted". So perhaps it's more appropriate to go with "does not have a fine-grained trust model: all nodes that can authenticate to the LLN MAC or attach to the backbone are equally trusted. It would be desirable to provide a stronger authorization model, e.g., [...]"? Future documents may extend this specification by allowing the 6BBR to redistribute Host routes in routing protocols that would operate over the Backbone, or in MIPv6, or FMIP, or the Locator/ID Separation Is there a reference for FMIP? We don't mention it elsewhere in the document, as we do for MIPv6. Appendix B We seem to cover the requirements from Appendix B of RFC 8505 out of order: B.3, B.1, B.4, B.6, then B.2. I didn't think very hard about whether there's good rhetorical reason for the current order, though. The impact if the IPv6 ND operation is limited to one of the federated LLNs, enabling the number of 6LNs to grow. The Routing nit: I don't think this is a well-formed sentence. Possibly it's just suffering from a typo (s/if/of/), though I'm not entirely sure.
- [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-… Benjamin Kaduk via Datatracker
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)