IETF Logo Mail Archive

Re: 6renum alive again? [A common problem with SLAAC in "renumbering" scenarios]

Tim Chown <Tim.Chown@jisc.ac.uk> Thu, 21 February 2019 10:51 UTC

Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A620130E89 for <ipv6@ietfa.amsl.com>; Thu, 21 Feb 2019 02:51:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KtxJ1HBlXT1y for <ipv6@ietfa.amsl.com>; Thu, 21 Feb 2019 02:51:42 -0800 (PST)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [207.82.80.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 358741276D0 for <ipv6@ietf.org>; Thu, 21 Feb 2019 02:51:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=mimecast20170213; t=1550746300; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rl8/WbD1lSM/ZpY2SSmIElbZqZAc1LyZUhdyqgOVF74=; b=eppXxbcQgwYb5hLNIPXpHN8UjDp69zL1WD44FY7sDIVvlfSRbQU1iZNv/l0x5HiO/CDi+WbXTE9J01UXmRXlv9BsITS34BPc9+xKrjlJjWHC/ZQy8LW5JS6hF8r4JOdZun/w2Yb/cRXNIyl7F7MjJ2cemLGNXD1BHycJp5vGpJ8=
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01lp2055.outbound.protection.outlook.com [104.47.2.55]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-116-dcQM2HmJOve0FgWt-0Vkiw-1; Thu, 21 Feb 2019 10:51:36 +0000
Received: from AM0PR07MB4177.eurprd07.prod.outlook.com (52.133.54.140) by AM0PR07MB4753.eurprd07.prod.outlook.com (52.135.150.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.11; Thu, 21 Feb 2019 10:51:34 +0000
Received: from AM0PR07MB4177.eurprd07.prod.outlook.com ([fe80::617a:4c8b:34ae:efcb]) by AM0PR07MB4177.eurprd07.prod.outlook.com ([fe80::617a:4c8b:34ae:efcb%4]) with mapi id 15.20.1665.006; Thu, 21 Feb 2019 10:51:34 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: 神明達哉 <jinmei@wide.ad.jp>
CC: Fernando Gont <fgont@si6networks.com>, 6man WG <ipv6@ietf.org>
Subject: Re: 6renum alive again? [A common problem with SLAAC in "renumbering" scenarios]
Thread-Topic: 6renum alive again? [A common problem with SLAAC in "renumbering" scenarios]
Thread-Index: AQHUyVTE7JrhZmpe4Uidl84NC7arA6XqFCeA
Date: Thu, 21 Feb 2019 10:51:34 +0000
Message-ID: <2C53C4C2-8980-4887-ABF3-160F7D311325@jisc.ac.uk>
References: <60fabe4b-fd76-4b35-08d3-09adce43dd71@si6networks.com> <CAHL_VyCN8kU7qnLOphfGR25-xGBe_p6WeGTkKVXwU5uy5aJ8Dg@mail.gmail.com> <65DB4854-97D2-4C31-A691-2CD93812EF93@consulintel.es> <CAHL_VyCMpCcGkEQu+RV1GRf2QLB-HD0+AOOBV0YhfQ5sbydVzQ@mail.gmail.com> <8CE7A0CD-97D9-46A0-814D-CAF8788F9964@consulintel.es> <e3e0bf2273e04f15b792665d0f66dfe5@boeing.com> <4c5fab33-2bff-e5b5-fc1d-8f60a01a146d@go6.si> <b4525832-9151-20bf-7136-31d87ba6c88d@huitema.net> <463f15cf-2754-e2e8-609d-dc0f33448c6c@go6.si> <ff649810-7242-7bc2-d36f-3f998f7bdd71@asgard.org> <9CDF41CA-83B4-4FC4-B995-EF79727C5458@steffann.nl> <CAO42Z2wA+vLmU7+sU6xLK7TO6pWfNQA5shs9zp=PqANCihLmBQ@mail.gmail.com> <BAB3061A-1808-4C0E-AA1B-2D7DD5BA63FC@employees.org> <bbd8b761-403a-5b3f-3f04-dc3bfdea116e@foobar.org> <6F3036C6-50A1-43C6-B554-31293B69E59D@employees.org> <433607c1-dbc6-a42e-cb17-dc209e33bdaa@si6networks.com> <12EA4FAE-BE3D-4CFE-9837-DF052F79A998@employees.org> <3f38c28b-76c5-6f07-c271-777f1374737a@gmail.com> <bb630d79-d134-5109-ebc1-3b6a2f1463b3@si6networks.com> <CAJE_bqfeAzS6ac5AVgQ6v8gNCUncmqshewLmkyoV1rYMGFwaxQ@mail.gmail.com>
In-Reply-To: <CAJE_bqfeAzS6ac5AVgQ6v8gNCUncmqshewLmkyoV1rYMGFwaxQ@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.102.3)
x-originating-ip: [2001:a88:d510:1101:c0d1:a0e8:70b4:49f1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2a4473a4-e1e6-4ae6-8728-08d697ea8bd1
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600110)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM0PR07MB4753;
x-ms-traffictypediagnostic: AM0PR07MB4753:
x-microsoft-exchange-diagnostics: 1; AM0PR07MB4753; 20:MMuRuMxcm5kSvlS2VH4GwBFOqqjbSHp0FOYp0PqpXrhuMynK5QyV6PGHAgfvcfRZlaDW5chJiQXXq2qKJicBBM3VXRoyFKv9mM7EbSgLFPFhLW5Xy50L69cCRTcWuWwUS7uBcyY4ky6UlsQZby6ibO65i+9TYRL+fdRJzcWQbqA=
x-microsoft-antispam-prvs: <AM0PR07MB4753BC93BD8BB1892F845AD5D67E0@AM0PR07MB4753.eurprd07.prod.outlook.com>
x-forefront-prvs: 09555FB1AD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(136003)(39850400004)(366004)(396003)(189003)(199004)(8676002)(81156014)(229853002)(2616005)(54906003)(786003)(8936002)(316002)(256004)(76176011)(99286004)(476003)(33656002)(6116002)(81166006)(36756003)(236005)(486006)(11346002)(186003)(50226002)(68736007)(14444005)(5660300002)(54896002)(25786009)(6512007)(4326008)(53936002)(6246003)(6486002)(93886005)(6916009)(446003)(6506007)(46003)(6436002)(83716004)(53546011)(478600001)(72206003)(102836004)(14454004)(86362001)(97736004)(71200400001)(71190400001)(66574012)(57306001)(82746002)(74482002)(2906002)(105586002)(7736002)(106356001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4753; H:AM0PR07MB4177.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 7juH1jcXhtEST7X59HDeOeMWazHdbxPs/wIOgdDU6Okzhwl+8wb6jX92LbgDEh9PxvdAmIcwdSHqErqySb8LB48kv3lWzN6EgOL0ckkyjPrjMSJH9HTKyQYMnzoknXjFcIkVT1DfCdSlBhu1wipiZsN2XXYR/CI2xoUAmoPy0iiBBA4HdbTv52Gtu0vC3Hq/lDHH2yfrccUY5MQ8REQetdNzH9e7w2prrom4E6n5ywdHoJcAz1S0lPbLXlrWhujCT7dfIwYDRDvKsGwAkmrQAl6oDvTg4sogVxLDjAseSIJArYR9hJNAPbraZMFOE7GA78gvUEb7T0aZt7atlRPpA9V/Cj6C7anOwHT2gFomEnoSnVRPyr5dS41Fu48f6TK2W0sgPiqUyHoe/QnnMn1tYluEQqDZDrV0aqc/MsP+nFw=
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 2a4473a4-e1e6-4ae6-8728-08d697ea8bd1
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2019 10:51:34.2339 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4753
X-MC-Unique: dcQM2HmJOve0FgWt-0Vkiw-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/alternative; boundary="_000_2C53C4C289804887ABF3160F7D311325jiscacuk_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/-OvNTy1PUOY3UGWkk3T8zaBdA3c>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 10:51:45 -0000

On 20 Feb 2019, at 19:44, 神明達哉 <jinmei@wide.ad.jp<mailto:jinmei@wide.ad.jp>> wrote:

At Wed, 20 Feb 2019 02:03:52 -0300,
Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com>> wrote:

> 10.1.  Address Configuration
>
>    o  RA Prefix Lifetime Limitation
>
>       Section 5.5.3 of [RFC4862] states "If the received Valid Lifetime
>       is greater than 2 hours or greater than RemainingLifetime, set the
>       valid lifetime of the corresponding address to the advertised
>       Valid Lifetime."  So when renumbering, if the previous
>       RemainingLifetime is longer than two hours, it is impossible to
>       reduce a prefix's lifetime to less than two hours.  This
>       limitation is to prevent denial-of-service attacks.
>
> This seems a flaw in RFC4862 to me. Me, I think ND security boils down
> to: modulo some basic sanity checks, you trust the RAs, or you don't.
> There's not much of a point in sanitizing the Prefix Lifetimes and then
> honoring Router Lifetimes of 0, or even blindly trusting RAs that would
> make you configuring addresses from invalid prefixes, RAs that might
> override your preferred router with one with higher preference, etc.

I don't remember precisely how we decided to introduce this
restriction in RFC2462 (it first appeared in 2462, not 4862), but I'm
at least pretty sure everyone understood that "ND security boils down:
you trust the RAs, or you don't".  It should be just that it's not
necessarily always all-or-nothing (with which we would never have to
worry about neighbor cache exhaustion or bother to introduce RA guard,
for example) but about providing a safety net when its benefit is
deemed to outweigh the cost.  In the case of the "two hour rule", I
guess (again, I don't remember the precise discussion at that time)
the consensus was that the resulting address stability against
operational errors or minor mischief is worth adding the additional
complexity to the protocol; no one naively assumed that's a strong
security measure against determined attacks.

As usual in such a case, different people can have a different sense
of balance, so it's not surprising if someone disagrees with this
consensus.  So I don't think it's necessarily a "flaw" in the spec
simply because you have a different view on this particular tradeoff.
On the other hand, it's possible that we now might reach a different
conclusion if we had this discussion today: people may revise their
opinions, actual experiments and/or technology evolution may suggest
revising the original tradeoff considerations, etc.  If you think
that's the case, you can always start revising the spec with a "The
two hour rule in SLAAC is considered harmful" draft.

The two hour rule way predates RFC 6104/6105 and the "RA Guard" functionality common in at least enterprise switches today.  And it says "two hours unless the RA is authenticated", so the "impossible" quoted above isn't strictly true, but in practice, we also see how widespread the required SeND deployment to do that is...).

With RA Guard on the table, whether you'd want to relax the two hour rule would presumably depend on how important you feel it is to protect against misconfigurations of genuine RAs.

Tim

v2.23.0 | Report a Bug | By Email