questions / comments on draft-kohno-ipv6-prefixlen-p2p-02
Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Sat, 31 July 2010 02:58 UTC
Return-Path: <ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D5723A635F for <ipv6@core3.amsl.com>; Fri, 30 Jul 2010 19:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2nJhtT+S+oB for <ipv6@core3.amsl.com>; Fri, 30 Jul 2010 19:58:03 -0700 (PDT)
Received: from smtp2.adam.net.au (smtp2.adam.net.au [202.136.110.251]) by core3.amsl.com (Postfix) with ESMTP id 0A6B53A6803 for <ipv6@ietf.org>; Fri, 30 Jul 2010 19:58:03 -0700 (PDT)
Received: from 114-30-99-20.ip.adam.com.au ([114.30.99.20] helo=opy.nosense.org) by smtp2.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1Of2HL-00049B-Hb for ipv6@ietf.org; Sat, 31 Jul 2010 12:28:27 +0930
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id 4DEA43B31E for <ipv6@ietf.org>; Sat, 31 Jul 2010 12:29:58 +0930 (CST)
Date: Sat, 31 Jul 2010 12:29:58 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: ipv6@ietf.org
Subject: questions / comments on draft-kohno-ipv6-prefixlen-p2p-02
Message-ID: <20100731122958.6dee4c79@opy.nosense.org>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2010 02:58:04 -0000
Hi, I've read through this update to the draft, and have a few questions / comments. o Ethernet point-to-point links " This may include Ethernet links which are configured to be point-to- point. In such cases, there is no need to support Neighbor Discovery for address resolution, and other general scenarios like the use of stateless addresss autoconfiguration are not relevant." If the second sentence applies to the Ethernet scenario, then how do the routers on each of this link know what destination MAC address to put in the Ethernet frames? It would seem to me that there are at least three possible options: - static configuration of destination MAC addresses Impractical IMHO for the operational overhead it creates (error prone including typos, breaks if interface module is changed etc., chances of these errors go up if the changes are occurring in the early hours of the morning) - Enabling ND NS/NA for destination MAC address discovery with a /127 prefix length, the neighbor cache exhaustion attack has been mitigated, so I don't think there is any harm in having ND NS/NA occur on these links. It also allows ICMP Destination Unreachables to be generated if the remote IPv6 address becomes unavailable - Switch off link layer address recognition on the Ethernet interfaces a.k.a. "promiscuous mode". This would make the Ethernet link a true layer 2 point-to-point link. A neat trick might be to re-purpose the address fields in the Ethernet headers to carry different information e.g. MPLS label stack, similar to how DLCIs were re-purposed in MPLS over frame relay. o Link local addressing Are link local addresses required on this link? How is it generated, and what is its prefix length? o Generating ICMP Destination Unreachables As mentioned earlier, one of the consequences of using a /127 is that the ND neighbor cache is now not vulnerable to exhaustion DoS attacks, because the address space assigned to the link is so small. Wouldn't it be better to switch NS/NA/NUD back on for these links (i.e. all p2p, not just Ethernet), so that they can now generate ICMP Destination Unreachables, which is a MUST according to RFC4861? o Applicability to customer PPP p2p links How can /127s be applied to customer PPP/PPPoE point-to-point links. They're just as vulnerable to the issues this draft is addressing, and as there's likely going to be many magnitudes more of them compared to SONET/SDH/Ethernet point-to-point links between routers upstream of the network edge, they'll also possibly be a large target for attackers. As an example, I'm working on a scenario where there are probably no more than 200 to 300 inter-router point-to-point links upstream of the network edge, but there are over 150K+ PPP sessions attaching customers to that network. Being able to protect those 150K+ PPP sessions from these issues would be very valuable. Regards, Mark.