RE: Liaison from BBF
"Wojciech Dec (wdec)" <wdec@cisco.com> Tue, 10 November 2009 01:29 UTC
Return-Path: <wdec@cisco.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EF3B3A6A26 for <ipv6@core3.amsl.com>; Mon, 9 Nov 2009 17:29:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.493
X-Spam-Level:
X-Spam-Status: No, score=-9.493 tagged_above=-999 required=5 tests=[AWL=1.106, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2ckOs06JnNG for <ipv6@core3.amsl.com>; Mon, 9 Nov 2009 17:29:38 -0800 (PST)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 256FF3A68C2 for <ipv6@ietf.org>; Mon, 9 Nov 2009 17:29:37 -0800 (PST)
Authentication-Results: ams-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjYAAKtQ+EqQ/uCWe2dsb2JhbACbfQEBFiQGqRWXU4Q+BIFo
X-IronPort-AV: E=Sophos;i="4.44,712,1249257600"; d="scan'208";a="54010024"
Received: from ams-core-1.cisco.com ([144.254.224.150]) by ams-iport-1.cisco.com with ESMTP; 10 Nov 2009 01:30:03 +0000
Received: from xbh-ams-102.cisco.com (xbh-ams-102.cisco.com [144.254.73.132]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nAA1U3jq001174; Tue, 10 Nov 2009 01:30:03 GMT
Received: from xmb-ams-111.cisco.com ([144.254.74.86]) by xbh-ams-102.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 10 Nov 2009 02:30:03 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Liaison from BBF
Date: Tue, 10 Nov 2009 02:29:59 +0100
Message-ID: <A16B9A4922C4A544A94565E870362B50A552AE@XMB-AMS-111.cisco.com>
In-Reply-To: <60C093A41B5E45409A19D42CF7786DFD4DEDE9C26C@EUSAACMS0703.eamcs.ericsson.se>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Liaison from BBF
Thread-Index: AcphTaDjP3GoDl4hSZO8gFBVNP6WTwARDmGAAAQ35MA=
References: <60C093A41B5E45409A19D42CF7786DFD4DEDE9BC10@EUSAACMS0703.eamcs.ericsson.se><200911091500.nA9F0PSm002116@cichlid.raleigh.ibm.com> <60C093A41B5E45409A19D42CF7786DFD4DEDE9C26C@EUSAACMS0703.eamcs.ericsson.se>
From: "Wojciech Dec (wdec)" <wdec@cisco.com>
To: David Allan I <david.i.allan@ericsson.com>, Thomas Narten <narten@us.ibm.com>
X-OriginalArrivalTime: 10 Nov 2009 01:30:03.0766 (UTC) FILETIME=[53D84160:01CA61A5]
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 01:29:40 -0000
I'd like to put forward some additional points which should perhaps be concise enough to clarify the liaison and questions a bit more. There are actually two issues, out of which the duplicate MAC address issue is IMO a far less tractable problem (as it needs to be solved at L2 for anything to work). 1. Within a shared L2 domain with constrained forwarding (aka NBMA), for two users A & B with *different* MAC addresses, user B may spoof the LL address of user A and thus lead possibly to a DoS attack (on a FCFS basis). Similarly user B may try to spoof the LL address of N users (again on an FCFS basis). Does SAVI propose to solve this problem and if so how? 2. A duplicate MAC address in a shared broadcast domain is a possibility. At L2, this problem is tractable by any one of a) denying the dupe addresses access to the network service on a FCFS basis (common practice today) b) assigning each duped MAC to a different broadcast domain c) MAC address translation (MAC NAT). Solution c) requires some form of ALGs (for v4 and v6). Eg In the v6 case any EUI-64 derived LL addresses will still be the same and thus an ND ALG appears needed. What is the IETF's opinion about this type of solution (c), if any? Regards, Woj. > -----Original Message----- > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On > Behalf Of David Allan I > Sent: 10 November 2009 00:31 > To: Thomas Narten > Cc: ipv6@ietf.org > Subject: RE: Liaison from BBF > > HI Thomas: > > Unfortunately having just changed jobs I'm having trouble > exactly recreating all my sources of information... > > The following was one anecdotal example offered during our > discussions in the spring..."...in a real nationwide telco > today with approximately 3.5million DSL ports there is about > 300-400 duplicate MAC@ alarms active on the DSLAMs at any > time, and this is only where 2 of the same MAC@ appear on the > same DSLAM (384-1000 users each)..." > > TO take it back up a notch... > > In a perfect world where all MACs were properly unique and > all implementations correctly constructed link local via > EUI-64 we'd all be happy campers, it works as intended. > Unfortunately that is not the case and we seem to have a > hierarchy of grief..... > > 1) Some carriers have deployed MAC address translation in the > Access node/DSLAM to ensure MAC uniqueness. This means ALG > functionality is required for Ethernet OAM and other > protocols, and while fixing MAC uniqueness, does not address > duplicates in link local construction unless NAT of the lower > 64 bits of LLA is included in the mix. > > 2) Our liaisons with IEEE on the subject and some proposals > to the forum focus on the fact that uniquness only needs to > exist in a given Ethernet broadcast domain, hence keeping a > few extra VLANs in the back pocket to shift duplicate > customers to solves the problem, and my math suggested this > would inflate VID usage by a corresponding few percent. Issue > being this then breaks down if the link local address is not > constructed from the MAC, and RFCs have been trotted out at > the BBF on NOT using the EUI-64 specifically to defeat > traffic analysis attacks. This being an expected deployment > scenario when wireless media in the home is considered and an > emerging class of FMC capable terminals is deployed. > > So a solution analogous to DAD appears to be needed, that > originates with the edge router, where if the detected > duplicate does not subsequently behave in a prescribed manner > service may then be denied in the interest of the common > good. As DAD is already deployed that would appear to be a > path of least resistance vs waiting years for a roll out of a > fix. However if my memory serves correctly, unicast from the > edge router would be a desirable form and I am unsure if that > is supported in standards or implementations... > > Cheers > D > > > > > > -----Original Message----- > From: Thomas Narten [mailto:narten@us.ibm.com] > Sent: Tuesday, November 10, 2009 12:00 AM > To: David Allan I > Cc: ipv6@ietf.org > Subject: Re: Liaison from BBF > > Sorry, I still don't get it. We need more detail! > > Two things stand out: > > > If two devices happen to have the same Ethernet MAC address as a > > consequence of incompetent manufacture, the link-local > address derived > > for that interface will also be non-unique, provided it is derived > > from the EUI-64 identifier. This has been identified as an > > inconveniently frequent scenario (impacting ~4% of access > nodes at any > > given time) > > this 4% figure seems *very* high. Can you please provide more > details on how you reached that number? > > Also, if you have two devices on the same link sharing the > same MAC address, you have problems. Period. Having duplicate > IP addresses is only one symptom. If you fix that problem, > but still have duplicate MAC addresses in use, it is not > clear to me that your network will function correctly. Have > you done the analysis to be sure that the duplicate MAC > address scenario is something that is solvable in practice? > > > When numerous hosts share an Ethernet broadcast domain, the > BNG/edge > > router needs to support a mechanism that ensures duplicate > link-local > > addresses can be handled correctly without necessarily depending on > > cooperative action by the hosts > > > > it is explicitly required to do something to make this happen > > Again, it is not clear to me what "handling correctly" even means. > > Finally, the charts say you are worried about a "malicious user" > sending out bogus ND packets. ND simply can't deal with this > sort of hostile environment, and there is no easy way to fix > this. Is that what you are asking this group to fix? > > For that matter, ARP doesn't address this problem either. Is > there a new problem that shows up with IPv6 that didn't exist > with IPv4? And if not, what is wrong with using the IPv4 > solutions (assuming they exist)? > > Thomas > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- RE: Liaison from BBF Mikael Abrahamsson
- Liaison from BBF David Allan I
- Re: Liaison from BBF Thomas Narten
- Re: Liaison from BBF Mikael Abrahamsson
- RE: Liaison from BBF Manfredi, Albert E
- RE: Liaison from BBF Mikael Abrahamsson
- RE: Liaison from BBF Manfredi, Albert E
- RE: Liaison from BBF Wes Beebee (wbeebee)
- Re: Liaison from BBF Phil Bedard
- RE: Liaison from BBF Manfredi, Albert E
- RE: Liaison from BBF David Allan I
- RE: Liaison from BBF David Allan I
- RE: Liaison from BBF Hemant Singh (shemant)
- RE: Liaison from BBF David Allan I
- RE: Liaison from BBF Hemant Singh (shemant)
- RE: Liaison from BBF Wojciech Dec (wdec)