IETF Logo Mail Archive

Re: [v6ops] IPv6 link-local traffic questions

Gyan Mishra <hayabusagsm@gmail.com> Sat, 14 March 2020 06:08 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E2EC3A0FDE; Fri, 13 Mar 2020 23:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m09MJqPFG7po; Fri, 13 Mar 2020 23:08:16 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E635C3A0FDD; Fri, 13 Mar 2020 23:08:15 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id w9so11806761iob.12; Fri, 13 Mar 2020 23:08:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=V+VUBS4bxdDxWqWmLbNw3vsp1vdyh00nh5lwQm8cRy4=; b=NP0u+HC3WDSJuvMQZWS+j+nlfDWj15y6HZj54Z4QvWMo3Z8TmX0ZC/oIOHRR59orkz HTWLQ0xHa89b+DaznAqo3NvRTd+GGGcza5BLISGMrMxcOn/jW4K6DwgNoXDzdTqN5fZo 2LnhiZ9PLKwntdl5igG8rFr2cdrXQVHjhh2cpPj2FydncLkXlxoB+bpKyctiaXgotdNV srbzfe+rld2CpufSINhvaoBof9ficTmLkq9ubvXHBTssS/OevRMfQLFv1mHVkq1HghNE lJ72vHGF3NfkZkHWd1JEjzVAMOGRztoY3I+0Cvv9giCJlKRgm2TT4s9jTFGpLDrgIbmH 07wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=V+VUBS4bxdDxWqWmLbNw3vsp1vdyh00nh5lwQm8cRy4=; b=p1Po89Lu0nLspsuN4+Fk6IVM8UFeBVygEWmK9GWfEbskP1jRqslNABvFzCQ3r634x/ qTueGPr/ViwChNiEtI7iwyk/DGqNsTBnvubE1lzIT2V+vFvyoAaGEYdz4ZVpouQkiE1o lfMvUmkw8OLdk5imgcSArud4QytBTMyHGpN2DKjynTRWA9JUy0qHVK5Z8MUfpzScUHNG cjn0sPvOiHm2tzkMGXyuWmX1e4aiAqsx1OXtuCgL/7Y/4fjDB0ljTynb0+GZlxqdQzRJ 4NqQB0vKC4/axH1nE1oE7385gn0HFjHxmv0xXjOCvDFUo8/qhfbm+Vlqu6wIlopfDsh3 yxkQ==
X-Gm-Message-State: ANhLgQ0POssDoujS8TTNGk0VlyuZbQfVKUuvkFTdMd/KrtKI4/TpKF8s VhgD7Jgilj3qXLh+tiuuhXnJ0ioAFWS74P3HRHY=
X-Google-Smtp-Source: ADFU+vsmFD0G6moEDSB/PMtl6zlowDPnd5I2P9qEI+o3csahnCnm3w+EvqznsPMNHQ9X9PRJ33aWrWq0i01gQxzLXI0=
X-Received: by 2002:a5d:9697:: with SMTP id m23mr15622383ion.45.1584166095010; Fri, 13 Mar 2020 23:08:15 -0700 (PDT)
MIME-Version: 1.0
References: <20200312000016.GO54522@faui48f.informatik.uni-erlangen.de> <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com>
In-Reply-To: <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sat, 14 Mar 2020 02:07:34 -0400
Message-ID: <CABNhwV1uCFHCO9r3NK7QeqZ4gvrquoD_534LXoykaf59S48rpA@mail.gmail.com>
Subject: Re: [v6ops] IPv6 link-local traffic questions
To: Jen Linkova <furry13@gmail.com>
Cc: Toerless Eckert <tte@cs.fau.de>, V6 Ops List <v6ops@ietf.org>, 6man <6man@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005bbf8605a0ca691a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/A-s9CP1Q4swifVug1LqWAR6opfM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2020 06:08:19 -0000

Jen

I always wondered why RFC 4862 states that ND & RD packets have TTL 255.
We have run into so many PSIRT bugs with ND which makes it more problematic
having the TTL 255.

Since ND & RD packets would always be local scope in your response to
Toreless you mentioned that GTSM that ND using 255 is kind of an example of
GTSM in the sense that the TTL is set to 255 for a direct neighbor
adjacency.  I think though the security issues of TTL 255 with ND/RD
packets seem to make security a bigger issue then just leaving TTL=1.

Gyan

On Wed, Mar 11, 2020 at 8:34 PM Jen Linkova <furry13@gmail.com> wrote:

> On Thu, Mar 12, 2020 at 11:01 AM Toerless Eckert <tte@cs.fau.de> wrote:
> >
> > Sorry for cross posting, but this is both ops and arch questions.
> >
> > I was trying to find any generic description that/if link-local IPv6
> > traffic MUST/SHOULD use Hop-count 1, but could not find one in
> > rfc8200 or rfc4291 and its updates. Instead, text like
> > MUST set Hop-limit to 1 is repeated in various RFCs using link-local
> > IPv6 traffic.
>
> I believe it depends what you are trying to achieve. If you want to
> make sure that the traffic never leaves the network - then hop limit =
> 1 helps. But using link-local sources/destinations would help even
> better if the routers comply with RFC4291 Section 2.5.6
> If you want to make sure those packets are not sent by a malicious
> party from outside - hop limit shall be 255.
> For example, see RFC4861 Section 3.1
>
> > Am i overlooking something ? Or is this intentional in the IPv6
> architecture ?
> >
> > If intentional, i guess it means: Any RFC introducing some type of
> link-local
> > traffic can specify Hop-limit requirements for its traffic. As in
> > "our WG likes 42 as the Hop-limit" (silly to me, but should be fine with
> > IPv6 architecture then, right ?).
> >
> > In one of my draft document reviews using such link-local IPv6 traffic,
> > EricV brought up the Q if that traffic shouldn't use RFC5082 instead
> > of Hop-Count 1 too. But given how we do not seem to have architectural
> > recommendations for TTL=1 (unless, quite likely i overlook something),
> > and given how i am not aware of any actual use of GTSM, i am quite
> > weary to go down that route. Aka: Would like learn of actual uses of
> > GTSM with IPv6.
>
> Neighbor Discovery.
>
> > There is an additional set of consideration re. link-local traffic
> > when trying to use it as a HW accelerated tunneling mechanism across
> links,
> > a use we both have in ANIMA, and maybe get the same in BIER (probably
> > other WGs too, not sure).
> >
> > In implementations, i have seen quite a range of issues with
> > accelerated forwarding planes across link-local addressed tunnels,
> > and when using non-link-local addresses (loopback addresses),
> > the HW plane forwarding might have issues doing HW forwarding, because
> > usually TTL=1 is only used for control plane traffic. Of course,
> > this is not a good architectural argument, but if given architectural
> > leeway to even choose 42, maybe GTSM/255 is easier to be supported
> > across various HW accelerated forwarding planes than 1.
> >
> > Opinions and experiences welcome!
>
> If you control the router I'd say 'link-local source/destination,
> HL=255 AND RFC4291 would be the best option.
>
> I did see a few devices somewhere far away sending me ICMPv6 (packet
> too big) from their link-local addresses but it was not very common
> case.
>
> --
> SY, Jen Linkova aka Furry
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>


-- 

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com

v2.23.0 | Report a Bug | By Email