IETF Logo Mail Archive

RE: Liaison from BBF

"Wojciech Dec (wdec)" <wdec@cisco.com> Tue, 10 November 2009 01:29 UTC

Return-Path: <wdec@cisco.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EF3B3A6A26 for <ipv6@core3.amsl.com>; Mon, 9 Nov 2009 17:29:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.493
X-Spam-Level:
X-Spam-Status: No, score=-9.493 tagged_above=-999 required=5 tests=[AWL=1.106, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2ckOs06JnNG for <ipv6@core3.amsl.com>; Mon, 9 Nov 2009 17:29:38 -0800 (PST)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 256FF3A68C2 for <ipv6@ietf.org>; Mon, 9 Nov 2009 17:29:37 -0800 (PST)
Authentication-Results: ams-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjYAAKtQ+EqQ/uCWe2dsb2JhbACbfQEBFiQGqRWXU4Q+BIFo
X-IronPort-AV: E=Sophos;i="4.44,712,1249257600"; d="scan'208";a="54010024"
Received: from ams-core-1.cisco.com ([144.254.224.150]) by ams-iport-1.cisco.com with ESMTP; 10 Nov 2009 01:30:03 +0000
Received: from xbh-ams-102.cisco.com (xbh-ams-102.cisco.com [144.254.73.132]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nAA1U3jq001174; Tue, 10 Nov 2009 01:30:03 GMT
Received: from xmb-ams-111.cisco.com ([144.254.74.86]) by xbh-ams-102.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 10 Nov 2009 02:30:03 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Liaison from BBF
Date: Tue, 10 Nov 2009 02:29:59 +0100
Message-ID: <A16B9A4922C4A544A94565E870362B50A552AE@XMB-AMS-111.cisco.com>
In-Reply-To: <60C093A41B5E45409A19D42CF7786DFD4DEDE9C26C@EUSAACMS0703.eamcs.ericsson.se>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Liaison from BBF
Thread-Index: AcphTaDjP3GoDl4hSZO8gFBVNP6WTwARDmGAAAQ35MA=
References: <60C093A41B5E45409A19D42CF7786DFD4DEDE9BC10@EUSAACMS0703.eamcs.ericsson.se><200911091500.nA9F0PSm002116@cichlid.raleigh.ibm.com> <60C093A41B5E45409A19D42CF7786DFD4DEDE9C26C@EUSAACMS0703.eamcs.ericsson.se>
From: "Wojciech Dec (wdec)" <wdec@cisco.com>
To: David Allan I <david.i.allan@ericsson.com>, Thomas Narten <narten@us.ibm.com>
X-OriginalArrivalTime: 10 Nov 2009 01:30:03.0766 (UTC) FILETIME=[53D84160:01CA61A5]
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 01:29:40 -0000

I'd like to put forward some additional points which should perhaps be
concise enough to clarify the liaison and questions a bit more. 
There are actually two issues, out of which the duplicate MAC address
issue is IMO a far less tractable problem (as it needs to be solved at
L2 for anything to work).
1. Within a shared L2 domain with constrained forwarding (aka NBMA), for
two users A & B with *different* MAC addresses, user B may spoof the LL
address of user A and thus lead possibly to a DoS attack (on a FCFS
basis). Similarly user B may try to spoof the LL address of N users
(again on an FCFS basis). Does SAVI propose to solve this problem and if
so how?

2. A duplicate MAC address in a shared broadcast domain is a
possibility. 
At L2, this problem is tractable by any one of
a) denying the dupe addresses access to the network service on a FCFS
basis (common practice today)
b) assigning each duped MAC to a different broadcast domain
c) MAC address translation (MAC NAT). 
Solution c) requires some form of ALGs (for v4 and v6). Eg In the v6
case any EUI-64 derived LL addresses will still be the same and thus an
ND ALG appears needed. What is the IETF's opinion about this type of
solution (c), if any?

Regards,
Woj.

> -----Original Message-----
> From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On 
> Behalf Of David Allan I
> Sent: 10 November 2009 00:31
> To: Thomas Narten
> Cc: ipv6@ietf.org
> Subject: RE: Liaison from BBF
> 
> HI Thomas:
> 
> Unfortunately having just changed jobs I'm having trouble 
> exactly recreating all my sources of information...
> 
> The following was one anecdotal example offered during our 
> discussions in the spring..."...in a real nationwide telco 
> today with approximately 3.5million DSL ports there is about 
> 300-400 duplicate MAC@ alarms active on the DSLAMs at any 
> time, and this is only where 2 of the same MAC@ appear on the 
> same DSLAM (384-1000 users each)..."
> 
> TO take it back up a notch...
> 
> In a perfect world where all MACs were properly unique and 
> all implementations correctly constructed link local via 
> EUI-64 we'd all be happy campers, it works as intended. 
> Unfortunately that is not the case and we seem to have a 
> hierarchy of grief.....
> 
> 1) Some carriers have deployed MAC address translation in the 
> Access node/DSLAM to ensure MAC uniqueness. This means ALG 
> functionality is required for Ethernet OAM and other 
> protocols, and while fixing MAC uniqueness, does not address 
> duplicates in link local construction unless NAT of the lower 
> 64 bits of LLA is included in the mix.
> 
> 2) Our liaisons with IEEE on the subject and some proposals 
> to the forum focus on the fact that uniquness only needs to 
> exist in a given Ethernet broadcast domain, hence keeping a 
> few extra VLANs in the back pocket to shift duplicate 
> customers to solves the problem, and my math suggested this 
> would inflate VID usage by a corresponding few percent. Issue 
> being this then breaks down if the link local address is not 
> constructed from the MAC, and RFCs have been trotted out at 
> the BBF on NOT using the EUI-64 specifically to defeat 
> traffic analysis attacks. This being an expected deployment 
> scenario when wireless media in the home is considered and an 
> emerging class of FMC capable terminals is deployed. 
> 
> So a solution analogous to DAD appears to be needed, that 
> originates with the edge router, where if the detected 
> duplicate does not subsequently behave in a prescribed manner 
> service may then be denied in the interest of the common 
> good. As DAD is already deployed that would appear to be a 
> path of least resistance vs waiting years for a roll out of a 
> fix. However if my memory serves correctly, unicast from the 
> edge router would be a desirable form and I am unsure if that 
> is supported in standards or implementations...
> 
> Cheers
> D
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Thomas Narten [mailto:narten@us.ibm.com]
> Sent: Tuesday, November 10, 2009 12:00 AM
> To: David Allan I
> Cc: ipv6@ietf.org
> Subject: Re: Liaison from BBF
> 
> Sorry, I still don't get it. We need more detail!
> 
> Two things stand out:
> 
> > If two devices happen to have the same Ethernet MAC address as a 
> > consequence of incompetent manufacture, the link-local 
> address derived 
> > for that interface will also be non-unique, provided it is derived 
> > from the EUI-64 identifier. This has been identified as an 
> > inconveniently frequent scenario (impacting ~4% of access 
> nodes at any 
> > given time)
> 
> this 4% figure seems *very* high. Can you please provide more 
> details on how you reached that number?
> 
> Also, if you have two devices on the same link sharing the 
> same MAC address, you have problems. Period. Having duplicate 
> IP addresses is only one symptom. If you fix that problem, 
> but still have duplicate MAC addresses in use, it is not 
> clear to me that your network will function correctly. Have 
> you done the analysis to be sure that the duplicate MAC 
> address scenario is something that is solvable in practice?
> 
> > When numerous hosts share an Ethernet broadcast domain, the 
> BNG/edge 
> > router needs to support a mechanism that ensures duplicate 
> link-local 
> > addresses can be handled correctly without necessarily depending on 
> > cooperative action by the hosts
> > 
> > it is explicitly required to do something to make this happen
> 
> Again, it is not clear to me what "handling correctly" even means.
> 
> Finally, the charts say you are worried about a "malicious user"
> sending out bogus ND packets. ND simply can't deal with this 
> sort of hostile environment, and there is no easy way to fix 
> this. Is that what you are asking this group to fix?
> 
> For that matter, ARP doesn't address this problem either. Is 
> there a new problem that shows up with IPv6 that didn't exist 
> with IPv4? And if not, what is wrong with using the IPv4 
> solutions (assuming they exist)?
> 
> Thomas
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email