Re: [dhcwg] WGLC for draft-ietf-dhc-dhcpv6-pd-relay-requirements - respond by August 17th, 2020

ianfarrer@gmx.com Thu, 17 September 2020 15:17 UTC

Return-Path: <ianfarrer@gmx.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 156DD3A0CC6 for <dhcwg@ietfa.amsl.com>; Thu, 17 Sep 2020 08:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzPEUi8Cn4WC for <dhcwg@ietfa.amsl.com>; Thu, 17 Sep 2020 08:17:16 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A3223A0CBB for <dhcwg@ietf.org>; Thu, 17 Sep 2020 08:17:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1600355824; bh=/7JmQDmNMCzp+YPX2y8CbBG5698pDmFKZTkhvJbFA94=; h=X-UI-Sender-Class:Subject:From:In-Reply-To:Date:Cc:References:To; b=VOrlfE5TMHUex1v2eLkY+fadEKUQgPU0ItB6w+ijWRbaiBNA+J5dNSYxvvxvJadxZ /DDUdu6Ooje/V/qmJHxv6owFpitah29P+W078TcG+5ZU8oMK5+UlZz0GKQwupf5g4r r8csdSJ7xd+B4GPsgU7wSyR+dI874b1wkHgcHx/E=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.128.43] ([78.34.244.205]) by mail.gmx.com (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1MuDXp-1kdbfp307p-00uZ9M; Thu, 17 Sep 2020 17:17:04 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
From: ianfarrer@gmx.com
In-Reply-To: <D7610587-E894-46D9-B3FC-18EF2B90D788@employees.org>
Date: Thu, 17 Sep 2020 17:16:59 +0200
Cc: Bernie Volz <volz@cisco.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9E774175-356D-4E72-A3BF-3ACCA41A14FD@gmx.com>
References: <BN7PR11MB254783295780CA79CDA1FAB3CF4F0@BN7PR11MB2547.namprd11.prod.outlook.com> <BN7PR11MB254779A3599EFC466605CD92CF450@BN7PR11MB2547.namprd11.prod.outlook.com> <BN7PR11MB25477ED8552DF78132E2F089CF5F0@BN7PR11MB2547.namprd11.prod.outlook.com> <DFF9367A-5D78-4795-988A-FCD37F3C6377@employees.org> <BN7PR11MB25472678D6ACAB82912141A6CF5C0@BN7PR11MB2547.namprd11.prod.outlook.com> <C503DF9C-7798-43A3-9E7F-7D7E09B0D98B@gmx.com> <BN7PR11MB25475DCDA3E215609BF3D8F5CF260@BN7PR11MB2547.namprd11.prod.outlook.com> <263B0965-AF60-4008-B55C-AF9803EB419F@gmx.com> <BN7PR11MB25473F7EBE67E1B51DE7AD46CF230@BN7PR11MB2547.namprd11.prod.outlook.com> <A2A9F390-5B5A-4DAC-9E8A-7F6BA51F7ECB@employees.org> <7358EA97-7E61-45CB-8D32-3AF405B60768@gmx.com> <D7610587-E894-46D9-B3FC-18EF2B90D788@employees.org>
To: Ole Troan <otroan@employees.org>
X-Mailer: Apple Mail (2.3445.104.15)
X-Provags-ID: V03:K1:M932iqhbH7+MHYoyaH9J9WVS939tL3LzPqNSwSZ93IFS4Dr8ekp 7CGuYH13a9rcOmwn5p6iVhputGqld7CRCm07uKp5Q+QDrdZoEKUzfdc2PhZXmeiGtYDlygG HVnya4tgmUfNdjsx73kuFtttSCVSkjH2q6R3V95sE3/UHCdQUpVJYgoHS/Y5W4abriiKmTX niJsyAtXB8OKMveEpErjA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:g/98wk4WLE8=:WioISQ34BtWB3oumyy+08S GtQL9HvRdb9brARNeJcWsffw9iznImgLjzcHfMD88QTgJjUW5w/ZDaJEsH7F6UEGZhxVLIAQS 6oxJSMJwKEzpVkwSnwHFEPCfAqWfrndGEi7n/0cFaDSaXtOT6Y44chpAz1IKXMrf7Gasb1pf1 4NRKb7VEWOEq44G1NWHSz7I6KryrmSfR1D7gP/d1gnS4SmAQqawjGiq4Gl6pnadWbJ47x3clD 7WjB6kBu8cejIiD6V7UH3ZBvqfNj1iH1NsoJxGoN3UFT5pfKzo1t3bS16G+Fn3s0sukiZfbff +Igrp7/3uj2K1TZ6V0VuZFm8g+XIP+Z2J6b3ic1K8x8iQghRvCWPBx9NtR+GGhdc6avblOi/h 1y7KhqYyeRVT2Y+pYePYDSBrInRDmBvEsuXnqfK+Oimmz+NlkUqwh8FxkwV1fsPUIT3NP3yse RAskqdTH0Pdk2tE+Vi4I4OsP4ZzjQY834DKbo1PZSQWaKN/C5ZfVcUQXHQ88B8reX9ljNlaE5 WYtS0LUOLoSAmYCEHcM5weR2Sg35W8rk/HTxgMuP4Z7bPZm/4/Zt/1qsZqzFOXe6H9SYPRphP ZB9ulZwJ22KDdxN4Ftj0JWQvIoE0K3rN3ijICuN+P+929MaEn2cg/5aSq3JlO3uz71xhpQ2FY YebfnGdt+K3wgFkmaJzze17w1UuN+aS/FsJQB0++sHLB8UxL1CxilEPp01HRjZnZYiypzcm25 OseftgJZOJhbkiGQ4YTHQE6/WCLXx4IBeLHa1rCnPD4kIaIkKnRBmyHg5xb0nuAZh9ZzdkWre joc434qwWuwFdjCPnf1VgrU/Ep6MLz5smlr/cQQPN71WeYYpVH5SVr4SAM0QmXiCgbocmnVNe Fn85U2LgshBbWedi3c7meUtU8ZZ6X92QxjnBuLRxA/R0CrqaRfcMCARNA0HBRdWlyU3UZ1Oqy lCHV9MtTenfDVO8S7pLvd5vI9C/szG0RuJI0b8qm0P/zRG+RroKYHX+OSek2auMNSwLWooT1m qmgARQ1RnTW+8oS9jfirw+xHF9EsqeSO033oqbORumss4FIQTJIHltgrdo04F0ddjQR2ayiE6 lqJo8M18qLhIv8ZAf4eRHEFVZ/ro+oe8r1B/bZTKAppGs9RZjn7CIdoTLPZn/vlUZ6ZIwCjhU fShtxxI96B2EVaeTe+J7hzXfH4viixQQTr+WV+JvbGjz2oEq6FaOeYhFJwltVQwlfOboEXtJK FabVIZ0R7URIg+XlFY3+i1dnV4WBcaekeUPvKtg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/Zqw_Th5wQbGg4nBZKcqr_skA8-M>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-dhcpv6-pd-relay-requirements - respond by August 17th, 2020
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 15:17:18 -0000

Hi,

Please see inline.

Thanks,
Ian

> On 15. Sep 2020, at 14:31, otroan@employees.org wrote:
> 
> Ian,
> 
>> [if - There’s been quite a lot of iterations on this since -01. The current working version is:
>> 
>> R-4:
>> If the relay has learned a route for a
>> delegated prefix via a given interface, and receives traffic
>> on this interface with a destination address within the
>> delegated prefix (that is not an on-link prefix for the relay),
>> then it MUST be dropped.  This is to prevent routing loops.
>> An ICMPv6 Type 1, Code 6 (Destination Unreachable, reject
>> route to destination) error message MAY be sent back to
>> the client.  The ICMP policy SHOULD be configurable.]
>> 
>>> 
>>> 
>>> Two questions:
>>> 
>>> 1) What is the case where this would triggered? That wouldn't be caught by uRPF (R-2)?
>> 
>> [if - The traffic is originated from a valid source prefix so uRPF (R-2) doesn't cover it. This requirement is concerned with the destination.]
> 
> Would you mind ellaborating on how exactly the setup (or attack) would be constructed for this to happen?

[if - The 2 cases would be a bug in the HGW (prefix delegated but routing table not updated so default route is still used), or an attack where rogue clients deliberately send this traffic.]

> 
>>> 2) On a multi-access link, how should this even be implemented?
>>> drop if rx-interface == tx-interface and packet source mac == next-hop mac?
>> 
>> [if - That sounds like it would cover it.]
> 
> I think it would be useful to get implementors to chime in how practical this is to implement.
> 
>>> - Is it supposed to be a silent discard or should you send a destination unreachable?
>> 
>> [if - Please see current text above.]
> 
> Ack.
> 
> Best regards,
> Ole