IETF Logo Mail Archive

Re: [homenet] I-D Action: draft-haddad-homenet-multihomed-00

Lorenzo Colitti <lorenzo@google.com> Wed, 24 October 2012 00:27 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1129611E8118 for <homenet@ietfa.amsl.com>; Tue, 23 Oct 2012 17:27:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.887
X-Spam-Level:
X-Spam-Status: No, score=-102.887 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FnIo7XJh6q-3 for <homenet@ietfa.amsl.com>; Tue, 23 Oct 2012 17:27:44 -0700 (PDT)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id 3385C11E80D7 for <homenet@ietf.org>; Tue, 23 Oct 2012 17:27:43 -0700 (PDT)
Received: by mail-oa0-f44.google.com with SMTP id n5so4896765oag.31 for <homenet@ietf.org>; Tue, 23 Oct 2012 17:27:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-system-of-record; bh=e5bncUlwxH2X3B7jvX62eTFVd7WV4kFZ9TRqugaYslw=; b=X8lUuP8OzVCLzJIqlf/TWSEcezzg4Vvrf21RJVnBnD/DfyZjMlzRu0pEPqoesTvSSG uNrYBQ9ybaiBaMAXj51BOul8kqam978iA4ww6HhVw/wA10RzN3cy6adN94+EPj1ZbXHZ j+Mwi6/Yly2ayV1T19kx4L//XETOY5U8dxTXyC7bhj1HCH+wXIq8qoOSFQQUxaCKHiFR qHYgN40iFqDRqk79qI9C6SCJ/dVLEZsEeQLqFXMM6zzXNOp9E7ngSvjNcV20N3ryjU6a AVcVbEuKunIXyYNjbj+lDvDy5Go7Cf0RiuWOpBALeySboWEb8XaY89YN/RnWZcqgt1NN YyCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=e5bncUlwxH2X3B7jvX62eTFVd7WV4kFZ9TRqugaYslw=; b=fwgNbPZ4WiDmeSMtUqL+ywIdTtbS4xEcuUcqZizeXZqD1jiKlylO2615mwr/Gt6XMR TB980kFkgaLwPYOLdfIcVnn7fQdp24DP243BzkrsnG/Twy+cYLzni+IALp0L00tevyHZ z9sCzHqgJzQnCl31IXwL+GFBtBFORwxE5XQxQeReBz8F/zW5I9XrMqyobeYDziUI0orh EvydB/fZPAJp1q8t5EA3k6CE703HvKeT7yey7pHqx1gdUKXFfXR2kVbJhI1LPn0NFSIt NXmGSWgJmdoK8qdMdMB5IIO3JJAU2Qzpyt+LtG2M6JjwdII4X/vec9DAeqvNbMf15gdN h6zg==
Received: by 10.60.14.165 with SMTP id q5mr12999377oec.28.1351038463517; Tue, 23 Oct 2012 17:27:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.176.106 with HTTP; Tue, 23 Oct 2012 17:27:23 -0700 (PDT)
In-Reply-To: <5086B5A7.3040706@mtcc.com>
References: <201210011801.q91I1tfW056624@gateway1.orleans.occnc.com> <506A07D1.8050605@gmail.com> <10328E81-3C94-455B-9A37-B421200A5C38@ecs.soton.ac.uk> <EMEW3|19238916f7ff9a0ada655caf80bba8cao9AAbJ03tjc|ecs.soton.ac.uk|10328E81-3C94-455B-9A37-B421200A5C38@ecs.soton.ac.uk> <7F6EA97D-5DA8-4872-A647-D879B1955824@gmail.com> <49FCFE49-9DFB-44D2-ADAD-636A3C80F906@ecs.soton.ac.uk> <EMEW3|09bc323dc12a06be7c21e18f2752cd05o9LECn03tjc|ecs.soton.ac.uk|49FCFE49-9DFB-44D2-ADAD-636A3C80F906@ecs.soton.ac.uk> <7F4B245F-9355-4134-9176-EB7DB1634469@apple.com> <77A8749D-DF81-4816-8277-CB69861E524A@fugue.com> <C3720598-400C-4B83-9CEC-878B3FA8109E@ecs.soton.ac.uk> <EMEW3|3e5d3f7836c5b4ddbd99d74df88ecc6ao9LJ8r03tjc|ecs.soton.ac.uk|C3720598-400C-4B83-9CEC-878B3FA8109E@ecs.soton.ac.uk> <5085905A.8030206@mtcc.com> <52E31542-3B7C-4EC1-9B2C-3C9D8E6B3BB1@apple.com> <50859C1B.7070707@mtcc.com> <CAKD1Yr0v3NdN+QCj=jFiZcv0ox1S-YAj29dZyMd6kAWAv723dg@mail.gmail.com> <5086B5A7.3040706@mtcc.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 24 Oct 2012 09:27:23 +0900
Message-ID: <CAKD1Yr04WTU0ez_bFiAOtXR5N+qs4ApC=103tMT9vfhbrxLxEg@mail.gmail.com>
To: Michael Thomas <mike@mtcc.com>
Content-Type: multipart/alternative; boundary="e89a8fb1f468b2244004ccc327af"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQmVg55Oceaz1fv7Y1VidEwUIhYHonMh3r+xtZ1LIHqgvCAhsud8pjZa30OXCObdnLHif+aZCUbIs536O6IlTzxqYURZUuTyCsp97jqJYFm8wPLuicGK6Ps9lzeOMm+VnJmaB4Gaa7XySm9q9jy/GBmbqEsO8wxQald39Kr3gYOGWgn50PQcGO2fBpqkAYJMYFiPEVtn
Cc: homenet@ietf.org, james woodyatt <jhw@apple.com>
Subject: Re: [homenet] I-D Action: draft-haddad-homenet-multihomed-00
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 00:27:45 -0000

On Wed, Oct 24, 2012 at 12:20 AM, Michael Thomas <mike@mtcc.com> wrote:

> On 10/22/2012 08:35 PM, Lorenzo Colitti wrote:
>
>  On Tue, Oct 23, 2012 at 4:18 AM, Michael Thomas <mike@mtcc.com <mailto:
>> mike@mtcc.com>> wrote:
>>
>>     No, sorry. Corporate VPN's using v6 and the lack of a coherent source
>> address selection mechanism causes breakage in bizarre and unpredictable
>> ways. You are not going to get the results you hope for if your mac uses an
>> ISP prefix to get back inside the corpro firewall, uRPF if nothing else.
>> SLAAC changes a lot of things over v4.
>>
>>
>> VPN clients already modify the routing table to ensure traffic going
>> through the VPN goes through the VPN, to enforce policies around split
>> tunneling, and so on. Mine even monitors the routing table for changes so
>> it can act on them.
>>
>
> Routing is irrelevant.


Sorry, but no. Routing is not irrelevant:

   Rule 5: Prefer outgoing interface.
   If SA is assigned to the interface that will be used to send to D and
   SB is assigned to a different interface, then prefer SA.  Similarly,
   if SB is assigned to the interface that will be used to send to D and
   SA is assigned to a different interface, then prefer SB.

The choice of outgoing interface is a routing decision and thus the routing
table can be used to influence source address selection.


> Can you explain why this behaviour, combined with the "prefer matching
>> interface" rule in RFC 3484, is not sufficient? If not, then there is no
>> problem to solve here.
>>
>
> Your ISP gives you 2001:xxxx:: via SLAAC. Your employer gives you
> 2000::, but also has 2001:yyyy::. You connect to a server on 2001:yyyy::.


You missed the "your employer configures your routing table to point
2000::/64 and 2001:yyyy::/64 to the tunnel interface" step. Your employer
has to configure your routing table today for IPv4 (either a default route
or more-specific routes to private addresses for split tunneling). In IPv6
said employer needs to give you more specifics.


> Your 3484 v6 stack picks 2001:xxxx for the source address.


Nope. A routing lookup tells the kernel that the tunnel interface will be
used to send to that destination, and the RFC3484 stack will pick 2000:: as
the source address due to rule 5 above (note that you don't need to invoke
5.5 in RFC 6724 to make this work; RFC3484 is sufficient).


> Hilarity ensues:

1) the packet gets rejected via uRPF
> 2) the return packet splats against the inside firewall since it's not
> allowed outside
> 3) the packet makes it outside unarmored with sad faces from the security
> team


As James said, none of this happens.

Now - if we want to make this in a routed network where the VPN tunnel is
not terminated on the device itself, then RFC 3484/RFC6724 are not
sufficient. But that problem not substantially different to the "multihomed
with two ISPs problem", which we are trying to solve anyway. I believe this
can be solved properly using source/destination routing.

v2.23.0 | Report a Bug | By Email