RE: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt

Greg Daley <> Sun, 19 January 2014 22:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 753371A1F20 for <>; Sun, 19 Jan 2014 14:50:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.045
X-Spam-Status: No, score=-0.045 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RELAY_IS_203=0.994, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NR-C9N0SbzPo for <>; Sun, 19 Jan 2014 14:50:29 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 20C501AE05F for <>; Sun, 19 Jan 2014 14:50:28 -0800 (PST)
Received-SPF: None ( no sender authenticity information available from domain of identity=mailfrom; client-ip=;; envelope-from=""; x-sender=""; x-conformance=spf_only
Received-SPF: None ( no sender authenticity information available from domain of identity=helo; client-ip=;; envelope-from=""; x-sender=""; x-conformance=spf_only
Received: from unknown (HELO ([]) by with ESMTP; 20 Jan 2014 09:56:23 +1100
Received: from ([]) by ([fe80::68b7:8880:fefb:f742%12]) with mapi id 14.02.0347.000; Mon, 20 Jan 2014 09:50:12 +1100
From: Greg Daley <>
To: 'Mark ZZZ Smith' <>, 'Ing-Wher Chen' <>, "" <>
Subject: RE: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
Thread-Topic: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
Thread-Index: AQHPDmY2hGYF66RRbk+N6Vv6p523J5qDMmwwgAATMeCABOYbYIABVfwAgAMsKbA=
Date: Sun, 19 Jan 2014 22:50:12 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US, en-AU
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 19 Jan 2014 22:50:32 -0000

Hi Mark, 

When we were looking at accelerating DAD for mobile nodes a while ago, I investigated the state held by MLD and wrote a draft.
(Now expired

A much better solution was found (now RFC 4429), but the consistent state keeping by the MLD querier (and other routers) is still present (particularly for MLDv2).

(I am now thinking out loud, so please bear with me)

The difference is that the solicited nodes' address was not identical to an address binding and that (after listener state synchronization) only the non-presence of an MLD listener on the solicited nodes address could be used to prove the address was absent.  For relatively sparse links and subnets this would allow the router to state explicitly that the address was not in use.

For ND cache protection, the presence of any MLD listener on the solicited nodes' activates the group, and no-listeners means there isn't even a reason to transmit the neighbour solicitation.

Unless the router maintains additional ND cache state, it cannot distinguish between an activated group and which of the addresses is active, and thus a subset of the addresses (e.g. the globally routable equivalent of a Link-local address with a particular solicited nodes [and anything with the same IID lower order bits]).

Is this sufficient protection, or does there have to be more specific state gathered in the ND cache, perhaps through the discussed draft?


Greg Daley

-----Original Message-----
From: Mark ZZZ Smith [] 
Sent: Saturday, 18 January 2014 7:58 PM
To: Greg Daley; 'Ing-Wher Chen';
Subject: Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt

----- Original Message -----
> From: Greg Daley <>
> To: 'Ing-Wher Chen' <>; "" 
> <>
> Cc: 
> Sent: Friday, 17 January 2014 1:14 PM
> Subject: RE: New Version Notification for 
> draft-halpern-6man-nd-pre-resolve-addr-00.txt
> Hi Helen,

> 3/ Monitor the solicited nodes' addresses in the MLD querier router, 
> and do not transmit an NS from off-link for an incomplete address 
> unless someone is listening.

So I've been thinking for the last few months that this method could be a useful further mitigation to off-link ND cache attacks for routers. I've been writing something up which I've been planning to finish and post in the next week or so.

I think it could be fairly effective - there are a total possible 2^24 solicited-node multicast groups on a link, where as there will only be as many present ones as there are IIDs with unique lower 24 bits. For most subnets I think that will number in the order of 10s or 100s, and perhaps on rare occasions in the low 1000s. So NSes would only be necessary for e.g. 1000/2^24 portion of the unicast address space, otherwise the packets that would trigger them can be dropped (or perhaps sent to an RFC6018 greynet collector).

A neighbor cache attack is likely to be still be possible for the 2^40 portions of unicast address space covered by each of the the present solicited-multicast groups, however Fernando's Stable/Opaque IID draft would make them harder to find, even though it will increase the number of them, as there is an unique Opaque IID per prefix.

All routers listening to MLD track group membership, not just the MLD querier, so all routers on the link could implement this method.