[dna] Review of draft-ietf-dna-simple-11.txt

Ted Lemon <Ted.Lemon@nominum.com> Fri, 20 November 2009 19:35 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: dna@core3.amsl.com
Delivered-To: dna@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 1B0CC3A6774 for <dna@core3.amsl.com>; Fri, 20 Nov 2009 11:35:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id y-hPDYnc0YcU for <dna@core3.amsl.com>; Fri, 20 Nov 2009 11:35:17 -0800 (PST)
Received: from exprod7og114.obsmtp.com (exprod7og114.obsmtp.com []) by core3.amsl.com (Postfix) with ESMTP id B38393A66B4 for <dna@ietf.org>; Fri, 20 Nov 2009 11:35:16 -0800 (PST)
Received: from source ([]) (using TLSv1) by exprod7ob114.postini.com ([]) with SMTP ID DSNKSwbvcYkZxeF0t8aTA+3bmod6oh+607Ph@postini.com; Fri, 20 Nov 2009 11:35:14 PST
Received: from webmail.nominum.com (webmail.nominum.com []) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 322B61B82D5 for <dna@ietf.org>; Fri, 20 Nov 2009 11:35:13 -0800 (PST)
Received: from vpna-148.vpn.nominum.com ( by exchange-01.win.nominum.com ( with Microsoft SMTP Server (TLS) id 8.1.393.1; Fri, 20 Nov 2009 11:35:12 -0800
From: Ted Lemon <Ted.Lemon@nominum.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 20 Nov 2009 14:35:08 -0500
Message-ID: <B7D0752F-2D92-4CE8-A4B0-48FECBEE647E@nominum.com>
To: <dna@ietf.org>
MIME-Version: 1.0 (Apple Message framework v1077)
X-Mailer: Apple Mail (2.1077)
X-Mailman-Approved-At: Thu, 03 Dec 2009 14:34:04 -0800
Subject: [dna] Review of draft-ietf-dna-simple-11.txt
X-BeenThere: dna@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNA working group mailing list <dna.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dna>, <mailto:dna-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dna>
List-Post: <mailto:dna@ietf.org>
List-Help: <mailto:dna-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dna>, <mailto:dna-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2009 19:35:18 -0000

Ralph asked participants in the DHC working group to review the draft, so I gave it a read.   I have some comments.   I realize that some of these comments are partially addressed in the summary message Jari sent to the list recently, but it's difficult to know what to include and what to leave out, so I just included it all.

From section 2.1:

   o  False positives are not acceptable.  A host should not conclude
      that there is no link change when there is one.

   o  False negatives are acceptable.  A host can conclude that there is
      a link change when there is none.

This seems backwards, unless there is no cost to a false negative.  If
a host concludes that there was a link change when there was none, and
as a consequence abandons the IP addresses it was using on the
previous link, that's going to create a (potentially noticeable)
hiccup while it reacquires its address.  Depending on the IP stack,
it's possible that connections might also be broken, e.g. if a syscall
returns EHOSTUNREACH due to a transient routing outage.

More, from section 4.3:

   It SHOULD also set all Neighbor
   Cache entries for the routers on its Default Router List to STALE.
   This is done to speed up the acquisition of a new default router when
   link change has occurred.

It's my impression that by default, a stale routing table entry won't
be used, so if an application writes to an open tcp connection while
the routing table entry is stale, it will get an EHOSTUNREACH, and the
connection will be dropped.  I have had this exact experience with
IPv4 DNA implementations when my WiFi router signal is flaky.  This is
much worse than taking a long time (500ms isn't really that long) to
identify a new link.

This would also be a problem in the case where you are on a WiFi
network with more than one device advertising the same SSID - when you
switch to a new beacon, arguably this is a DNA event, but it would clearly
be a mistake to break existing connections in this case.

In section 4.6, the draft seems to be saying that the DHCPv6 client
should starty soliciting before it receives an RA.  This does actually
change the DHCPv6 state machine.  In fact, the DHCPv6 protocol has a
specific message for checking in the event of a DNA event: the Confirm
message.  I think Ralph already brought this up; I mention it because
it appears to be a problem to me as well.

I also think that this section goes into a lot of extra detail that is
unnecessary and probably harmful to interoperability, since what it
says doesn't really match what RFC3315 says.  It would be better to
just refer to RFC3315 here.

Section 4.7.1 also seems to have a problem in that in this case we
have started the Confirm process before we receive an RA.  If the RA
conflicts with the address we are attempting to confirm, we may know
this to be the case before we get a reply (or no reply) from a DHCPv6
server.  This could be because the RA comes before the DHCPv6 Reply
message, or it could be because the link has in fact changed, and
there is no DHCPv6 server on the new link.  In either case, there is
no need to wait for the response from the DHCPv6 server.

Also, 4.7.1 doesn't talk about what to do if the NS and RS results
differ, and the NA is secure whereas the RA is not.  In that case it
seems to me that it would make sense to trust the NA rather than the
RA (presumably in that case a trustworthy RA would eventually follow,
since the router that responded to the NS with a secure NA will
presumably send a secure RA in response to the RS).  But there's a
window of opportunity here for a rogue RA to unseat a secure router.

There's a similar problem in section 4.7 because section 4.7 instructs
the implementor to test whether an NA comes from the same router as an
RA, but doesn't talk about what to do if the security of the two
messages differs.  So this is another opportunity for an attacker to
get in a quick DoS.

The same problem exists in section 4.9, where receipt of an NA, RA or
DHCP Reply will terminate other DNA operations, without regard to the
security level of the response that terminates the other state

Section 5 provides pseudocode for this process.  Thread C of the
pseudocode is not asynchronous, and hence not correct.  Even if it
could be made asynchronous, the protocol spec should be fully
descriptive; if it is not, conflicts between the spec and the
pseudocode will create interoperability problems, and being sure that
the two are the same is an unsolved computer science problem.  So
section 5 should be deleted.

Section 7 doesn't mention what to do in the dual-stack case.  Maybe
this is too big a can of worms...

I see that some of the issues I mention above are addressed in the
security considerations section.  This is the wrong place for this -
the handling of SEND needs to be wrapped into the spec in section 4.
Security Considerations is the wrong place to put more of the protocol