Re: [6lo] ND cache entries creation on first-hop routers

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 03 July 2019 19:11 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
cc: "6lo@ietf.org" <6lo@ietf.org>, Jen Linkova <furry13@gmail.com>, "6tisch@ietf.org" <6tisch@ietf.org>, V6 Ops List <v6ops@ietf.org>, 6man <6man@ietf.org>
In-Reply-To: <MN2PR11MB35652B81658AF0E9F718CD52D8FB0@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <CAFU7BAQ4xrjNn9-EUyRhyHKDDT=f381Z4T6x6qJ=ftm2D2K4cw@mail.gmail.com> <5377.1562081856@localhost> <MN2PR11MB35652B81658AF0E9F718CD52D8FB0@MN2PR11MB3565.namprd11.prod.outlook.com>
Date: Wed, 03 Jul 2019 15:11:31 -0400
Message-ID: <16610.1562181091@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/q_n1GHMcK1cpaw1WJdcF7_kkX2U>

Pascal Thubert (pthubert) <pthubert@cisco.com> wrote:
    > 6LoWPAN ND is immune to the remote DOS attacks on the ND cache, the
    > ones coming from the outside of the subnet, i.e., from a place that is
    > out of touch and virtually nowhere.

    > This is because in an RFC 6775/8505-only network, there is no reactive
    > operation, a packet coming from the outside of the subnet for a node
    > that is not registered to the router is just dropped. Just like an AP
    > does not copy a packet on the wireless for a MAC that is not
    > associated.

There are a few attacks on the ND cache that I can think of.
One of them that we see on the IETF network is the script kiddies who
sequentially scan IP addresses.  We have a lot of them, and so we flood the
wifi with ARP queries (v4) and NS (v6).  We have mitigations for this.

In the route-over 6tisch/RPL space, we don't (as you indicate) use NS from the
router; we know who is on our network, so we would just have no /128 routes
and just drop the packets.  Is this the attack that you are speaking of as a
remote DOS?

    > Your point below remains correct, since the attack you describe is from
    > a node that reaches the router at L2. Arguably, that attack is
    > physically much harder to perform than the DOS packet from outer
    > space.

When I mentioned attacks on the ND cache, I was referring to those that can
occur from within the 6tisch network from malicious pledge nodes.  We have to
limit the NCE usage by untrusted nodes so that we have space for as many
registered nodes as possible.
I think you are agreeing with me above.

I believe that the issue that Jen is describing would be for unaware leaves
that were sleepy.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
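An added illustration of the two router behaviours discussed in this message (this is example code written for this page, not code from the thread, from the IETF network, or from any 6lo/6tisch implementation): a toy first-hop router with a bounded neighbor cache is hit by a sequential address scan from off-link. The RFC 4861-style router resolves every unknown destination on demand, multicasting an NS per address and letting the scan evict legitimate entries; the RFC 6775/8505-style router holds entries only for addresses a node has registered and drops everything else without sending any NS. The second router also applies a per-class quota so that unauthenticated pledges cannot fill the cache, which is one possible local policy and not something the RFCs mandate. The prefix, cache size, scan length, node counts and quota are constructed assumptions.

```python
import ipaddress

# Constructed on-link prefix for the example; not taken from the thread.
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")


class ReactiveRouter:
    """Classic RFC 4861 behaviour: an unknown on-link destination creates an
    INCOMPLETE neighbor cache entry and triggers a multicast NS on the link."""

    def __init__(self, cache_size):
        self.cache_size = cache_size
        self.cache = {}              # addr -> "INCOMPLETE" | "REACHABLE"
        self.ns_sent = 0             # NS multicast onto the (wireless) link
        self.evicted_reachable = 0   # legitimate entries pushed out by the scan

    def forward(self, dst):
        if dst in self.cache:
            return "forwarded" if self.cache[dst] == "REACHABLE" else "queued"
        if len(self.cache) >= self.cache_size:
            # Naive oldest-first eviction (dicts keep insertion order).
            victim, state = next(iter(self.cache.items()))
            if state == "REACHABLE":
                self.evicted_reachable += 1
            del self.cache[victim]
        self.cache[dst] = "INCOMPLETE"
        self.ns_sent += 1
        return "queued"


class RegistrationRouter:
    """RFC 6775/8505 behaviour: entries exist only for addresses that a node
    explicitly registered (NS carrying an ARO/EARO); anything else is dropped
    with no on-demand lookup. The per-class quota is an assumption for this
    example (a local policy, not a 6lo spec rule) that caps how many entries
    untrusted pledges may hold so they cannot crowd out registered nodes."""

    def __init__(self, cache_size, pledge_quota):
        self.cache_size = cache_size
        self.pledge_quota = pledge_quota
        self.cache = {}              # addr -> "registered" | "pledge"
        self.ns_sent = 0             # never incremented: no reactive NS

    def register(self, addr, trusted):
        cls = "registered" if trusted else "pledge"
        if addr in self.cache:
            self.cache[addr] = cls   # re-registration, or promotion after join
            return True
        pledges = sum(1 for c in self.cache.values() if c == "pledge")
        if not trusted and pledges >= self.pledge_quota:
            return False
        if len(self.cache) >= self.cache_size:
            return False
        self.cache[addr] = cls
        return True

    def forward(self, dst):
        # No reactive resolution: unregistered destinations are silently dropped.
        return "forwarded" if dst in self.cache else "dropped"


def scan_addresses(count, start):
    """Sequential IIDs under PREFIX, as a script-kiddie scanner would try."""
    base = int(PREFIX.network_address)
    return [str(ipaddress.IPv6Address(base + i)) for i in range(start, start + count)]


def simulate(scan_size=1000, cache_size=64, legit_nodes=16, pledge_quota=8):
    legit = scan_addresses(legit_nodes, start=0x1000)   # well outside the scan range
    reactive = ReactiveRouter(cache_size)
    for a in legit:
        reactive.cache[a] = "REACHABLE"                  # learned earlier via NS/NA
    registering = RegistrationRouter(cache_size, pledge_quota)
    for a in legit:
        registering.register(a, trusted=True)

    for dst in scan_addresses(scan_size, start=1):      # remote sequential scan
        reactive.forward(dst)
        registering.forward(dst)

    # Pledges then try to hold more entries than the quota allows.
    pledge_ok = sum(registering.register(a, trusted=False)
                    for a in scan_addresses(20, start=0x2000))

    return {
        "reactive_ns_sent": reactive.ns_sent,
        "reactive_legit_evicted": reactive.evicted_reachable,
        "reactive_legit_still_forwarded": sum(
            reactive.cache.get(a) == "REACHABLE" for a in legit),
        "registration_ns_sent": registering.ns_sent,
        "registration_legit_still_forwarded": sum(
            registering.forward(a) == "forwarded" for a in legit),
        "registration_cache_size": len(registering.cache),
        "pledge_entries_accepted": pledge_ok,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the assumed numbers the reactive router sends one NS per scanned address and loses all sixteen legitimate entries, while the registration-only router sends nothing, keeps forwarding to every registered node, and admits only the quota's worth of pledge entries; the remaining attack surface for it is the on-link one the message describes, pledges registering from inside the network, which is what the quota bounds.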