IETF Logo Mail Archive

Re: [6lo] ND cache entries creation on first-hop routers

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 03 July 2019 20:50 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04AAE12016C; Wed, 3 Jul 2019 13:50:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Y4Nxf5v9; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=eOalTAXu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZjEgUYSbCGt; Wed, 3 Jul 2019 13:50:28 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F42041200C7; Wed, 3 Jul 2019 13:50:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4992; q=dns/txt; s=iport; t=1562187028; x=1563396628; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=frPqTmC8QfsYNJ1xkVqgbVgEugV0mU3SIe8SQYmoYaI=; b=Y4Nxf5v9t8nsMzvfvaqIZPNt/ePJmH26gOcOeS6mdz9DDlUUTE4k0Ejp fwRbJEzFv/vCjgkwRDTDhYOOUfN6EKejXpQpaFj5wZGIsuRHAYh3MjzIH Bqyw+ZMn0neHtbMlitUypcTJzeXlShy/htiH9RHeT69qzUA+y2xRzyR7z 0=;
IronPort-PHdr: 9a23:9HW0QxD9qJ5QBVfC/Y/pUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qs03kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuNOLqciY3BthqX15+9Hb9Ok9QS47z
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AeAABIFB1d/5NdJa1mGgEBAQEBAgEBAQEHAgEBAQGBVAQBAQEBCwGBQyQsA4E/IAQLKAqEEoNHA45HgjYll0aBLoEkA1QJAQEBDAEBLQIBAYFLgnUCF4ILIzUIDgEDAQEEAQECAQVtijcMhUoBAQEDARIREQwBASMUAQQLAgEIGAICJgICAjAVEAIEDgUigwCBawMODwECAZo3AoE4iGBxgTKCeQEBBYUPGIISCYEMKAGEcYQkgkkXgUA/gREnDBOCTD6EHiaDCjKCJo45L40djjoJAoIWk38bgiuHHIobhA+kYwIEAgQFAg4BAQWBUgI0gVhwFWUBgkGCQYNxilNygSmKE4EwAYEgAQE
X-IronPort-AV: E=Sophos;i="5.63,448,1557187200"; d="scan'208";a="368031448"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Jul 2019 20:50:26 +0000
Received: from XCH-ALN-020.cisco.com (xch-aln-020.cisco.com [173.36.7.30]) by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id x63KoQOp025635 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 3 Jul 2019 20:50:26 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-ALN-020.cisco.com (173.36.7.30) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 3 Jul 2019 15:50:26 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 3 Jul 2019 15:50:22 -0500
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 3 Jul 2019 16:50:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=frPqTmC8QfsYNJ1xkVqgbVgEugV0mU3SIe8SQYmoYaI=; b=eOalTAXuaXnZ/YSkb9wkryLb803Y3zm9ePZstycCIwDd5/9wKSoSqr2j0AZ48n8+zhdPUqp4snwKxIvByAyZkNgACHdFfKIYLn6OKJAVkVbgmJXjfbZaP0NCwEObFLzuNFXSLhqqpeGarl2W+F3SkmWBq8Qc7Dn6uU+AhpwwgOM=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (20.178.250.159) by MN2PR11MB3646.namprd11.prod.outlook.com (20.178.253.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.20; Wed, 3 Jul 2019 20:50:20 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a%6]) with mapi id 15.20.2032.019; Wed, 3 Jul 2019 20:50:20 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "6lo@ietf.org" <6lo@ietf.org>, Jen Linkova <furry13@gmail.com>, "6tisch@ietf.org" <6tisch@ietf.org>, V6 Ops List <v6ops@ietf.org>, 6man <6man@ietf.org>
Thread-Topic: [6lo] ND cache entries creation on first-hop routers
Thread-Index: AQHVMOxYqZ+Ae5ReXkiJP5a4XqZLuaa4gaXggADCwICAABucoA==
Date: Wed, 03 Jul 2019 20:50:20 +0000
Message-ID: <6E814A87-4127-4EE1-9291-A5C1041E4202@cisco.com>
References: <CAFU7BAQ4xrjNn9-EUyRhyHKDDT=f381Z4T6x6qJ=ftm2D2K4cw@mail.gmail.com> <5377.1562081856@localhost> <MN2PR11MB35652B81658AF0E9F718CD52D8FB0@MN2PR11MB3565.namprd11.prod.outlook.com>, <16610.1562181091@localhost>
In-Reply-To: <16610.1562181091@localhost>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [91.69.164.91]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3b3c5b75-a3a5-445b-c3a6-08d6fff81017
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR11MB3646;
x-ms-traffictypediagnostic: MN2PR11MB3646:
x-microsoft-antispam-prvs: <MN2PR11MB3646A6B0C8A7DB5AA11A26D8D8FB0@MN2PR11MB3646.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00872B689F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(346002)(136003)(376002)(396003)(39860400002)(189003)(199004)(68736007)(14454004)(4326008)(25786009)(6246003)(316002)(66476007)(486006)(5660300002)(7736002)(53936002)(6116002)(6512007)(478600001)(3846002)(2906002)(6506007)(71190400001)(8936002)(102836004)(36756003)(6486002)(6436002)(256004)(26005)(76176011)(86362001)(476003)(229853002)(186003)(66574012)(71200400001)(81156014)(66946007)(33656002)(99286004)(446003)(14444005)(8676002)(305945005)(2616005)(11346002)(66556008)(54906003)(64756008)(73956011)(66446008)(76116006)(81166006)(66066001)(91956017); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB3646; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 8i8jY1MbxWRUyZpwjF+GFDDFc2218FbceyAVXBdRS3z6T1jm+QdoFIEVL6lxN3CRBCnuFaktsN+oqu21irahOWp54a4IJv6/IwMZTY7aQPxLAuW+H0oM0EngW1UW1pskqfrCgZxp5HKrQ7JXhbk8cTQQVm8wceM3YK82B3ePMoPOQxoKp5dfBBQCoJbxLXuvEhvgbvHrenjjWjfMqYI2KnzUjUr+Ixv7pbHYsynXsJJZ/Wn9ZN7H1Q2Kv+sveAVBbq7z/VHrjZbsTs4eZMWqFfaKI8ns/KkUA8f125wK1pF6d1E0ArapAlJIYx+99yPSs3EKiMjp6zE61ikZUpwFxwN+kwymJXkDDQtmm5on/rKf1A+lO+kunAU4RvV/lQ/hw3Vx7u8CGUfSYUYaZdWM9AJrsi4yWI6ksP5H9oahceY=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3b3c5b75-a3a5-445b-c3a6-08d6fff81017
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jul 2019 20:50:20.3660 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pthubert@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3646
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.30, xch-aln-020.cisco.com
X-Outbound-Node: rcdn-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/arJupuEQgiEMdO-XxFgwPZM8rFg>
Subject: Re: [6lo] ND cache entries creation on first-hop routers
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 20:50:30 -0000

Hello Michael 

Please see below 

> 
> Pascal Thubert (pthubert) <pthubert@cisco.com> wrote:
>> 6LoWPAN ND is immune to the remote DOS attacks on the ND cache, the
>> ones coming from the outside of the subnet, i.e., from a place that is
>> out of touch and virtually nowhere.
> 
>> This is because in an RFC 6775/8505-only network, there is no reactive
>> operation, a packet coming from the outside of the subnet for a node
>> that is not registered to the router is just dropped. Just like an AP
>> does not copy a packet on the wireless for a MAC that is not
>> associated.
> 
> There are a few attacks on the ND cache that I can think of.
> One of them that we see on the IETF network is the script kiddies who
> sequentially scan IP addresses.  We have a lot of them, and so we flood the
> wifi with ARP queries (v4) and NS (v6).  We have mitigations for this.
> 
> In the route-over 6tisch/RPL space, we don't (as you indicate), use NS by the
> router, we know who is on our network, and we would just have no /128 routes,
> and just drop the packets.  Is this the attack that you are speak of as a
> remote DOS?

Yes, 

Scanning in v6 can hardly be used to discover addresses but it can be used as a DOS attack against the CPU because the silicon needs to punt on cache miss. It can also be used to DOS the neighbor cache. And it is hard to differentiate from legitimate new traffic.

The possibility for such an attack comes from the reactive nature of ND, which was designed when IP routing was in software and the network a happy Woodstock. Times have changed and a modern ND should protect itself and the addresses it manages (think SeND and SAVI) and should be friendly to fabrics, to wireless and to hardware forwarders. We have that on tiny devices but it’s still missing in the big irons.

> 
>> Your point below remains correct, since the attack you describe is from
>> a node that reaches the router at L2. Arguably, that attack is
>> physically much harder to perform than the DOS packet from outer
>> space.
> 
> When I mentioned attacks on the ND cache, I am referring to those that can
> occur from within the 6tisch network from malicious pledge nodes.  We have to
> limit the NCE usage by untrusted nodes so that we have space for as many
> registered nodes.
> I think you are agreeing with me above.
> 

Yes I certainly followed you there and agree. We had that discussion for 6TiSCH minimal security. My point was that this local DOS attack requires a physical presence and is much harder to achieve than the remote DOS.


> I believe that the issue that Jen is describing would for unaware leaves that
> were sleepy.

Unaware Leaves that follow the ROLL specs register their addresses and sleep. They can sleep for the whole lifetime of their registration, the router will maintain an ND entry and the network will protect the address ownership.
To your point the node must wake up and refresh the registration before it expires.

What’s left of Jen’s issue with registration is the asymmetrical routing. In the ROLL specs the router that has the registration injects the route in the MLSN and gets the traffic back so the issue does not exist. In a transit network the router would forward the registration state to a 6LBR that can answer unicast lookups from other routers, still incurring a delay, or may push a state to other routers or to a load balancer so the router with the registration gets the traffic first.

All the best,

Pascal 

> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email