Re: [dhcwg] WGLC for draft-ietf-dhc-dhcpv6-pd-relay-requirements - respond by August 17th, 2020

"Bernie Volz (volz)" <volz@cisco.com> Thu, 17 September 2020 16:25 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: "ianfarrer@gmx.com" <ianfarrer@gmx.com>, Ole Troan <otroan@employees.org>
CC: "dhcwg@ietf.org" <dhcwg@ietf.org>
Date: Thu, 17 Sep 2020 16:24:54 +0000
Message-ID: <BN7PR11MB2547BFE20F174B974D0442F5CF3E0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <BN7PR11MB254783295780CA79CDA1FAB3CF4F0@BN7PR11MB2547.namprd11.prod.outlook.com> <BN7PR11MB254779A3599EFC466605CD92CF450@BN7PR11MB2547.namprd11.prod.outlook.com> <BN7PR11MB25477ED8552DF78132E2F089CF5F0@BN7PR11MB2547.namprd11.prod.outlook.com> <DFF9367A-5D78-4795-988A-FCD37F3C6377@employees.org> <BN7PR11MB25472678D6ACAB82912141A6CF5C0@BN7PR11MB2547.namprd11.prod.outlook.com> <C503DF9C-7798-43A3-9E7F-7D7E09B0D98B@gmx.com> <BN7PR11MB25475DCDA3E215609BF3D8F5CF260@BN7PR11MB2547.namprd11.prod.outlook.com> <263B0965-AF60-4008-B55C-AF9803EB419F@gmx.com> <BN7PR11MB25473F7EBE67E1B51DE7AD46CF230@BN7PR11MB2547.namprd11.prod.outlook.com> <A2A9F390-5B5A-4DAC-9E8A-7F6BA51F7ECB@employees.org> <7358EA97-7E61-45CB-8D32-3AF405B60768@gmx.com> <D7610587-E894-46D9-B3FC-18EF2B90D788@employees.org> <9E774175-356D-4E72-A3BF-3ACCA41A14FD@gmx.com>
In-Reply-To: <9E774175-356D-4E72-A3BF-3ACCA41A14FD@gmx.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/Qc_hPYgrbvuJ8aandq1WA6ZBbUU>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-dhcpv6-pd-relay-requirements - respond by August 17th, 2020

Hi:

One thing to ask is whether this issue is worth continuing debate on this document? Removing it would probably let the document move forward ...

Regarding your answer Ian: [if - The 2 cases would be a bug in the HGW (prefix delegated but routing table not updated so default route is still used), or an attack where rogue clients deliberately send this traffic.]

- An attacker could always send lots of traffic; sure, if it is sent back by the relay router, it causes more traffic, but eventually the hop limit will be hit and the packet will be dropped. Though wouldn't the CPE router (which this document does not cover) be a better place to fix this?
- If there's a bug, perhaps better to learn about it earlier and get it fixed? Someone might notice if they see their throughput drop?

I'm still wondering what a normal router would do in this case and why this needs to be different than general router behavior? Also, could the CPE use this to test connectivity over the WAN link (i.e., send a packet to itself using an address in the PD expecting it to be looped back by the next hop (relay) router)?

And, is this something that someone has actually seen occur, or just a theoretical issue that could happen?

- Bernie

-----Original Message-----
From: ianfarrer@gmx.com <ianfarrer@gmx.com> 
Sent: Thursday, September 17, 2020 11:17 AM
To: Ole Troan <otroan@employees.org>
Cc: Bernie Volz (volz) <volz@cisco.com>; dhcwg@ietf.org
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-dhcpv6-pd-relay-requirements - respond by August 17th, 2020

Hi,

Please see inline.

Thanks,
Ian

> On 15. Sep 2020, at 14:31, otroan@employees.org wrote:
> 
> Ian,
> 
>> [if - There have been quite a lot of iterations on this since -01. The current working version is:
>> 
>> R-4:
>> If the relay has learned a route for a delegated prefix via a given 
>> interface, and receives traffic on this interface with a destination 
>> address within the delegated prefix (that is not an on-link prefix 
>> for the relay), then it MUST be dropped.  This is to prevent routing 
>> loops.
>> An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject route to 
>> destination) error message MAY be sent back to the client.  The ICMP 
>> policy SHOULD be configurable.]
>> 
>>> 
>>> 
>>> Two questions:
>>> 
>>> 1) What is the case where this would be triggered? That wouldn't be caught by uRPF (R-2)?
>> 
>> [if - The traffic is originated from a valid source prefix so uRPF 
>> (R-2) doesn't cover it. This requirement is concerned with the 
>> destination.]
> 
> Would you mind elaborating on how exactly the setup (or attack) would be constructed for this to happen?

[if - The 2 cases would be a bug in the HGW (prefix delegated but routing table not updated so default route is still used), or an attack where rogue clients deliberately send this traffic.]

> 
>>> 2) On a multi-access link, how should this even be implemented?
>>> drop if rx-interface == tx-interface and packet source mac == next-hop mac?
>> 
>> [if - That sounds like it would cover it.]
> 
> I think it would be useful to get implementors to chime in how practical this is to implement.
> 
>>> - Is it supposed to be a silent discard or should you send a destination unreachable?
>> 
>> [if - Please see current text above.]
> 
> Ack.
> 
> Best regards,
> Ole
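The forwarding decision the thread is arguing about, as an added Python simulation that is not part of this message, the draft, or any relay implementation: a relay applying R-2 (uRPF) and the R-4 same-interface check in the form Ole sketched (rx-interface == tx-interface and source MAC == next-hop MAC), with Ian's two trigger cases (a CPE whose routing table still sends everything up the default route, and a client deliberately sending such traffic) and Bernie's observation that without R-4 the loop only ends when the hop limit runs out. The topology, prefixes, MAC addresses, interface names and the MAC-based next-hop test are constructed assumptions for illustration.

```python
"""Constructed simulation of a DHCPv6-PD relay's forwarding checks:
R-2 (uRPF), R-4 (drop traffic received on the interface a delegated prefix
was learned from, destined into that prefix) and the hop-limit bound that
applies when R-4 is absent. Example code; not the draft's or any vendor's."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Assumed topology (constructed): the relay's client-facing interface "cust0"
# is a multi-access link. The CPE at CPE_MAC was delegated 2001:db8:100::/56;
# the relay's own on-link prefix on cust0 is 2001:db8:1::/64.
DELEGATED = IPv6Network("2001:db8:100::/56")
RELAY_ONLINK = IPv6Network("2001:db8:1::/64")
CPE_MAC = "00:11:22:33:44:55"

# Routing table: prefix -> (egress interface, next-hop MAC or None if on-link).
ROUTES = {DELEGATED: ("cust0", CPE_MAC), RELAY_ONLINK: ("cust0", None)}
DEFAULT = ("uplink0", "00:aa:bb:cc:dd:ee")

ICMP_POLICY_ON_R4 = True  # the draft says the ICMP policy SHOULD be configurable


@dataclass
class Packet:
    src: IPv6Address
    dst: IPv6Address
    hop_limit: int
    rx_if: str
    src_mac: str


def make_packet(src, dst, src_mac=CPE_MAC, hop_limit=64, rx_if="cust0"):
    """Build a constructed packet as seen arriving at the relay on rx_if."""
    return Packet(IPv6Address(src), IPv6Address(dst), hop_limit, rx_if, src_mac)


def lookup(addr):
    """Longest-prefix match; returns (egress_if, next_hop_mac)."""
    best = None
    for net, hop in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else DEFAULT


def urpf_ok(pkt):
    """R-2: strict uRPF. The source must route back out the receiving interface.
    A looped packet with a source inside the delegated prefix passes this."""
    egress, _ = lookup(pkt.src)
    return egress == pkt.rx_if


def r4_loop(pkt):
    """R-4 as Ole sketched it for a multi-access link: the packet would leave on
    the interface it arrived on, towards a next hop (the delegating CPE) that is
    the very node that sent it. On-link destinations (next hop None) never match."""
    egress, nh_mac = lookup(pkt.dst)
    return egress == pkt.rx_if and nh_mac is not None and nh_mac == pkt.src_mac


def relay_forward(pkt, enforce_r4=True):
    """Relay verdict: 'DROP_URPF', 'DROP_R4' or 'FORWARD:<egress interface>'."""
    if not urpf_ok(pkt):
        return "DROP_URPF"
    if enforce_r4 and r4_loop(pkt):
        return "DROP_R4"
    egress, _ = lookup(pkt.dst)
    return f"FORWARD:{egress}"


def icmp_error_for(verdict):
    """ICMPv6 (type, code) the relay sends back for a verdict, or None.
    R-4 drops MAY be signalled with Type 1 Code 6 (reject route to destination)."""
    if verdict == "DROP_R4" and ICMP_POLICY_ON_R4:
        return (1, 6)
    return None


def bounce_until_dropped(pkt, enforce_r4):
    """Ian's HGW bug: the CPE holds the delegated prefix but still forwards the
    packet up its default route, so it bounces between CPE and relay. Returns
    (forwarding hops consumed, reason the packet finally died)."""
    hops = 0
    while True:
        pkt.hop_limit -= 1  # CPE forwards up to the relay
        hops += 1
        if pkt.hop_limit == 0:
            return hops, "DROP_HOPLIMIT"
        verdict = relay_forward(pkt, enforce_r4)
        if verdict.startswith("DROP"):
            return hops, verdict
        pkt.hop_limit -= 1  # relay forwards it straight back down cust0
        hops += 1
        if pkt.hop_limit == 0:
            return hops, "DROP_HOPLIMIT"


if __name__ == "__main__":
    looped = make_packet("2001:db8:100:1::10", "2001:db8:100:2::1")
    print("uRPF passes:", urpf_ok(looped), "verdict:", relay_forward(looped))
    print("no R-4:", bounce_until_dropped(make_packet("2001:db8:100:1::10", "2001:db8:100:2::1"), False))
    print("R-4:", bounce_until_dropped(make_packet("2001:db8:100:1::10", "2001:db8:100:2::1"), True))
```

The MAC condition is what keeps R-4 from breaking legitimate hairpinning on a multi-access link: a different host on cust0 sending into the delegated prefix has a source MAC that is not the route's next hop, so it is forwarded to the CPE rather than dropped. Without R-4 the buggy-CPE case burns the whole hop limit (64 forwardings for a hop limit of 64) per packet before it dies, which is the extra traffic Bernie is weighing against the value of the requirement.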