RE: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt

[Greg Daley <gdaley@au.logicalis.com>]

Hi Mark, 

When we were looking at accelerating DAD for mobile nodes a while ago, I investigated the state held by MLD and wrote a draft.
(Now expired http://tools.ietf.org/html/draft-daley-ipv6-mcast-dad-02)

A much better solution was found (now RFC 4429), but the consistent state keeping by the MLD querier (and other routers) is still present (particularly for MLDv2).

(I am now thinking out loud, so please bear with me)

The difference is that the solicited nodes' address was not identical to an address binding and that (after listener state synchronization) only the non-presence of an MLD listener on the solicited nodes address could be used to prove the address was absent.  For relatively sparse links and subnets this would allow the router to state explicitly that the address was not in use.

For ND cache protection, the presence of any MLD listener on the solicited nodes' activates the group, and no-listeners means there isn't even a reason to transmit the neighbour solicitation.

Unless the router maintains additional ND cache state, it cannot distinguish between an activated group and which of the addresses is active, and thus a subset of the addresses (e.g. the globally routable equivalent of a Link-local address with a particular solicited nodes [and anything with the same IID lower order bits]).

Is this sufficient protection, or does there have to be more specific state gathered in the ND cache, perhaps through the discussed draft?

Sincerely, 

Greg Daley



-----Original Message-----
From: Mark ZZZ Smith [mailto:markzzzsmith@yahoo.com.au] 
Sent: Saturday, 18 January 2014 7:58 PM
To: Greg Daley; 'Ing-Wher Chen'; ipv6@ietf.org
Subject: Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt





----- Original Message -----
> From: Greg Daley <gdaley@au.logicalis.com>
> To: 'Ing-Wher Chen' <ing-wher.chen@ericsson.com>; "ipv6@ietf.org" 
> <ipv6@ietf.org>
> Cc: 
> Sent: Friday, 17 January 2014 1:14 PM
> Subject: RE: New Version Notification for 
> draft-halpern-6man-nd-pre-resolve-addr-00.txt
> 
> Hi Helen,
> 
<snip>

> 
> 3/ Monitor the solicited nodes' addresses in the MLD querier router, 
> and do not transmit an NS from off-link for an incomplete address 
> unless someone is listening.
>

So I've been thinking for the last few months that this method could be a useful further mitigation to off-link ND cache attacks for routers. I've been writing something up which I've been planning to finish and post in the next week or so.

I think it could be fairly effective - there are a total possible 2^24 solicited-node multicast groups on a link, where as there will only be as many present ones as there are IIDs with unique lower 24 bits. For most subnets I think that will number in the order of 10s or 100s, and perhaps on rare occasions in the low 1000s. So NSes would only be necessary for e.g. 1000/2^24 portion of the unicast address space, otherwise the packets that would trigger them can be dropped (or perhaps sent to an RFC6018 greynet collector).

A neighbor cache attack is likely to be still be possible for the 2^40 portions of unicast address space covered by each of the the present solicited-multicast groups, however Fernando's Stable/Opaque IID draft would make them harder to find, even though it will increase the number of them, as there is an unique Opaque IID per prefix.

All routers listening to MLD track group membership, not just the MLD querier, so all routers on the link could implement this method.

Regards,
Mark.