IETF Logo Mail Archive

Re: [v6ops] IPv6 link-local traffic questions

Gyan Mishra <hayabusagsm@gmail.com> Sat, 14 March 2020 17:38 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B40443A087E; Sat, 14 Mar 2020 10:38:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g_tm6zGpRO_m; Sat, 14 Mar 2020 10:38:30 -0700 (PDT)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C37543A087C; Sat, 14 Mar 2020 10:38:30 -0700 (PDT)
Received: by mail-il1-x12c.google.com with SMTP id p1so12219666ils.12; Sat, 14 Mar 2020 10:38:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yF9FXEox+szDDTYkBnmz6rea0a+cg0hXBzgwq4DC+1Q=; b=hXs8BaYlGsZeQQxMyqol9SX/Kw+LaFBclV+JhpiDFpbygPAmlqBqC7xmWllhkAvqbK Makv0V6Rr78XKTIKjkr64ROOdphliWJiB2NhLJ4jRU3hVAYE0V+pqpp3LKiiSV8SVLWq iLra1Ba7H1AFwiDrRgSXpIES594aEPM47BQ6JPuSrTENcvP4/gtd/kbQEFugke6eB0ec ulf3yr0Ow+yZvxZhUT+LqgzKOjwkCrizDzoDaoLuvwn1K5BHaXWmGxfoWMKd2EmY5a79 57kykziOE0USV2r36HmDZSBNMDV7256623YK/Aba9vRmucFuDOWi+brrJzmPpimU9ZgF lWMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yF9FXEox+szDDTYkBnmz6rea0a+cg0hXBzgwq4DC+1Q=; b=thodsGoA9kPj5OIbMYt53PUOrN4JQABk+kn721HHh0ELgxNpkKCuweH+vOu11cuieE YP3dA5pWlq7k6xOJIiFEO4sTwu3caj4EtVWRxzjxg/MxK90sqNGvTXJzcWejgLxYr3X/ iy70LXDCXUDapl/I3ZiNbyn4FxmbXpBKbB7BhLWtmhchVeg2UKZPx2Of2hCSDRx4LBSX CKvSdQGByexQU11QeSKd7EtiPYLvX11TXYZty6MO7MOMr6yT3mlIMeq3V5/YoqFz3kKH CCT4WXbvK9Um97KNSxjV7QZ1MtHjbTb/kJhphBJr/KNd4gIVE+5pBTMFbRRdD2i77CeW TnaQ==
X-Gm-Message-State: ANhLgQ22mHIXVHY36PYzItuTSX93f1nYFMJSGeNT8VBeBVPRVN4tkgVm lukNytYfFsHaOwhdNtIGqI7Z14nasqxVUEMYCFk=
X-Google-Smtp-Source: ADFU+vtxFWatpKiPo0pcMYTvO3F3GSJ20U8FE/7KHAiA+EJFn8z6zq+4EGUn081e7DyhK3b4Dz4Kj8oyYykiIvDnvpA=
X-Received: by 2002:a92:8352:: with SMTP id f79mr15109189ild.58.1584207509803; Sat, 14 Mar 2020 10:38:29 -0700 (PDT)
MIME-Version: 1.0
References: <20200312000016.GO54522@faui48f.informatik.uni-erlangen.de> <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com> <CABNhwV1uCFHCO9r3NK7QeqZ4gvrquoD_534LXoykaf59S48rpA@mail.gmail.com> <1584173474.2857.102.camel@biplane.com.au> <CABNhwV3VCPmcaGNyf=9dX4vcrsSreRGgkRDh0zQD+VLqG-g63Q@mail.gmail.com>
In-Reply-To: <CABNhwV3VCPmcaGNyf=9dX4vcrsSreRGgkRDh0zQD+VLqG-g63Q@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sat, 14 Mar 2020 13:38:19 -0400
Message-ID: <CABNhwV0D71380ZPWTLHu-LM=sz1OK6aB0du=g7uW-gxLdfGvsg@mail.gmail.com>
Subject: Re: [v6ops] IPv6 link-local traffic questions
To: Toerless Eckert <tte@cs.fau.de>, Tony Przygienda <tonysietf@gmail.com>, kauer@biplane.com.au
Cc: 6man <6man@ietf.org>, V6 Ops List <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000df56c705a0d40dfd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/4tpa45ZZrDZfDseBhs16eJ8KnO4>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2020 17:38:33 -0000

Toreless & Tony

I read through the draft for BIER over IPv6.

https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06

So since the BIER header bitmask that denotes the BFERs in the Domain to
replicate the multicast packets is encoded in the DestOp processed by the
BFER, the packets should not be forwarded past the BFER is my guess is with
ttl 255.  With IPv6 ND with ttl 255 example the packet can be forwarded
past the adjacent node but I have not seen that happen.  I believe Jen
Linkova on this thread has seen that. Since the BFER dest options has to
have the BIER bit mask encoding or the packet is dropped I believe is your
security protection from forwarding past the BIER with 255 ttl if you
decided to go that route.

Under BIERv6 packet processing should help if ttl 255 is used to prevent
forwarding outside of bier domain

A packet having a 'BIER Specific Handling' indication but not having
   a BIER option is supposed to be a wrong packet or an ICMPv6 packet,
   and the process can be refered to the example in section 3.2
<https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06#section-3.2>.

   A packet not having a 'BIER Specific Handling' indication but having
   a BIER option SHOULD be processed normally as unicast forwarding
   procedures, which may be a behavior of drop, or send to CPU, or other
   behaviors in existing implementations.


Under 5.3 security considerations should also help with ttl 255 and
forwarding outside of BIER domain

For a router incapable of BIERv6, such BIERv6 packet will not be
   processed by the procedure described in this document, but be
   processed as normal IPv6 packet with unknown option, and the existing
   security considerations for handling IPv6 options apply.  Possible
   way of handling IPv6 packets with BIER option may be send to CPU for
   slow path processing, with rate-limiting, or be discarded according
   to the local policy.

   For a router capable of BIERv6, such BIERv6 packet MUST NOT be
   forwarded, but should be processed as a normal IPv6 packet with
   unknown option, or additionally and optionally be countered and
   logged if the router is capable of doing so.


Kind regards

Gyan

On Sat, Mar 14, 2020 at 10:31 AM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
> Makes sense.
>
> Thanks
>
> Gyan
>
> On Sat, Mar 14, 2020 at 4:12 AM Karl Auer <kauer@biplane.com.au> wrote:
>
>> On Sat, 2020-03-14 at 02:07 -0400, Gyan Mishra wrote:
>> > I always wondered why RFC 4862 states that ND & RD packets have TTL
>> > 255.
>>
>> >From RFC4861:
>>
>>    "By setting the Hop Limit to 255, Neighbor Discovery
>>     is immune to off-link senders that accidentally or
>>     intentionally send ND messages.  In IPv4, off-link
>>     senders can send both ICMP Redirects and Router
>>     Advertisement messages."
>>
>> RFC4861 also requires RA and NA packets with any other TTL value to be
>> silently discarded by any receiving node.
>>
>> I can't find my original source, but my notes in a training course I
>> developed a while ago have this to say about why:
>>
>>    "Why does 255 mean “local source”? Because routers
>>     decrement the hop limit on packets passing through
>>     them, and discard packets where the hop count
>>     decrements to zero. It is impossible to decrement
>>     a one-byte counter to 255 without passing through
>>     zero, because 255 is the maximum value such a counter
>>     can have. So the value 255 means that the packet must
>>     have been generated on the local link."
>>
>> Probably would be better expressed as "must have originated on the
>> local link".
>>
>> Regards, K.
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Karl Auer (kauer@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>>
>> GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
>> Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
>>
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
> --
>
> Gyan  Mishra
>
> Network Engineering & Technology
>
> Verizon
>
> Silver Spring, MD 20904
>
> Phone: 301 502-1347
>
> Email: gyan.s.mishra@verizon.com
>
>
>
> --

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com

v2.23.0 | Report a Bug | By Email