IETF Logo Mail Archive

Re: [v6ops] IPv6 link-local traffic questions

Mark Smith <markzzzsmith@gmail.com> Sat, 21 March 2020 03:22 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E13C03A1100; Fri, 20 Mar 2020 20:22:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.598
X-Spam-Level:
X-Spam-Status: No, score=-0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q5krm7Qs6pYM; Fri, 20 Mar 2020 20:22:04 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22BE43A1001; Fri, 20 Mar 2020 20:22:04 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id 22so2629903otf.0; Fri, 20 Mar 2020 20:22:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q4E8ZQ4ZRCsZBqBnPZqjTVc170jcPI1OCQl/avje3e4=; b=F4p6K172wm7HeT6tD300EO0mrFb7WvjG2US/F0t067jARqVgpaSzTCm32CBuwW6s7u mPedORWusy2/xF9ZgjXGG6kEy5XcHJ4k+tPtFbhP+j8bv8XCgR2vRHQGi0IgARJpEwgE 7/zV9mwVN8gLUbwQ9aMTZnAxayVVovvCA6X5r8KArOo3d4FskdhaW0Yi7XJKuu/OAqGS Cseqw9+fAbIMOYHSsviLMalt/MvBW2WbhhpPmgmDkD+F/7xBVEkqzMo48SNhDE8wJtg9 KkPwu8JG5OAabrXXph97R8WNJI3NGiDN0Hus2vthnKTjDI/+YPnaubqX5+nuTR4Savj3 1JAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q4E8ZQ4ZRCsZBqBnPZqjTVc170jcPI1OCQl/avje3e4=; b=Iq9ULCLtgtrSWzNxAIbguBiNc/3/7fD0tUE3VNUg2nySL8hHudVe99pw8uCc9q6MLK SVHqeyDq88baiCUmrTWBXdnSXDleCp2f4Qb6auENtjNDrXJbV769KKlBk+2sBSL4O407 aldWetjdaKbvv/Eyvgp1CMUAFiEjtTW6KwC0cOWSdBUUeng4WSKq581xxxNRU/xacwD6 584X4WT/DArcTO5Q8vDQ1OKiQq9/Dl8T/Vtvwi0Fh35V9Lv6Lbo+CHuL6rfWd+2X0M1K upeEgjxmtUXSZyRkGMn4N/7CIlWUzVew0j7bS2oZPoyrfn5m7TR3lDwTB+hqtiyCpEK2 IVBA==
X-Gm-Message-State: ANhLgQ1eK0iJLhz9EW6YXosO6A4WDf9cysYuKBe/9//x5t8iO8cmYs3b NFJ7cCQRKsasfwWiSy9/e1TX7jfnFWJund0kEFg=
X-Google-Smtp-Source: ADFU+vtpPrkqetxWR6x8qR86KJrMhUhcvDQl+XdmalKaESA3ed8AK8zJR548iADQxyXxp2/yo6q9dF6v8xStyxZGEYI=
X-Received: by 2002:a05:6830:4035:: with SMTP id i21mr8917755ots.348.1584760923138; Fri, 20 Mar 2020 20:22:03 -0700 (PDT)
MIME-Version: 1.0
References: <20200312000016.GO54522@faui48f.informatik.uni-erlangen.de> <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com> <CABNhwV1uCFHCO9r3NK7QeqZ4gvrquoD_534LXoykaf59S48rpA@mail.gmail.com> <1584173474.2857.102.camel@biplane.com.au> <CABNhwV3VCPmcaGNyf=9dX4vcrsSreRGgkRDh0zQD+VLqG-g63Q@mail.gmail.com> <CABNhwV0D71380ZPWTLHu-LM=sz1OK6aB0du=g7uW-gxLdfGvsg@mail.gmail.com> <CA+wi2hMPk6init=1Q1+S0SzTCzOqSDbMNpsD4rUBB0VEo1BkfA@mail.gmail.com> <CABNhwV3Z=YPvU3=X4WOxF1+JRBMovucOdVDa67g1Tv4Yo7+G+A@mail.gmail.com>
In-Reply-To: <CABNhwV3Z=YPvU3=X4WOxF1+JRBMovucOdVDa67g1Tv4Yo7+G+A@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 21 Mar 2020 14:21:51 +1100
Message-ID: <CAO42Z2w5qeW+O=Xzy6Kwu=4=bh5tNi+H_jd=d6hW9cOxFUzpzg@mail.gmail.com>
Subject: Re: [v6ops] IPv6 link-local traffic questions
To: Gyan Mishra <hayabusagsm@gmail.com>
Cc: Tony Przygienda <tonysietf@gmail.com>, V6 Ops List <v6ops@ietf.org>, 6man <6man@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e0ad8e05a154e718"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/AlVettLe5KsbLPRjyMfXPKsqLg8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Mar 2020 03:22:08 -0000

On Sat, 21 Mar 2020, 14:00 Gyan Mishra, <hayabusagsm@gmail.com> wrote:

>
>
> On Fri, Mar 20, 2020 at 9:59 PM Tony Przygienda <tonysietf@gmail.com>
> wrote:
>
>> Yepp, that's personally I prefer on multicast TTL=1 (and also on ISIS &
>> e.g. on expired draft where we were carrying ISIS natively over IP). The
>> cost of a frame running away unintended multiple-hops in a control protocol
>> without a tunnel are simply NOT fun.  The cost of such a thing (and it
>> happened MORE than once) outweighs IMO the minor security advantage.
>>
>> If you read v6 BIER drafts you should read
>> https://datatracker.ietf.org/doc/draft-zhang-bier-bierin6/ which has
>> been published much, much earlier ...
>>
>> --- tony
>>
>> TTL security is a necessity for ND with limited risk of run away ND
>> packets as it’s  minimal bandwidth usage.
>>
>
>    With a multicast stream the risk is much greater if forwarded multiple
> hops past the BFER PE as stated and maybe a high data rate stream so
> undesirable to ever happen.
>
>  ND is the only protocol I know of that uses TTL security.
>
> I would go with TTL=1.
>

Can you guarantee a received packet with a Hop Count value of 1 hasn't been
forwarded?

You can when the received packet has a Hop Count of 255.


> If security is a concern in the v6 tunnel, is it possible to add
> cryptography to BIER or even setting security TLV in the BIER header
> encoded in the DO on the BFIR and then validate the TLV encoding on the
> BFER destination endpoint.
>
>
>
>> On Sat, Mar 14, 2020 at 10:38 AM Gyan Mishra <hayabusagsm@gmail..com
>> <hayabusagsm@gmail.com>> wrote:
>>
>>>
>>> Toreless & Tony
>>>
>>> I read through the draft for BIER over IPv6.
>>>
>>> https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06
>>>
>>> So since the BIER header bitmask that denotes the BFERs in the Domain to
>>> replicate the multicast packets is encoded in the DestOp processed by the
>>> BFER, the packets should not be forwarded past the BFER is my guess is with
>>> ttl 255.  With IPv6 ND with ttl 255 example the packet can be forwarded
>>> past the adjacent node but I have not seen that happen.  I believe Jen
>>> Linkova on this thread has seen that. Since the BFER dest options has to
>>> have the BIER bit mask encoding or the packet is dropped I believe is your
>>> security protection from forwarding past the BIER with 255 ttl if you
>>> decided to go that route.
>>>
>>> Under BIERv6 packet processing should help if ttl 255 is used to prevent
>>> forwarding outside of bier domain
>>>
>>> A packet having a 'BIER Specific Handling' indication but not having
>>>    a BIER option is supposed to be a wrong packet or an ICMPv6 packet,
>>>    and the process can be refered to the example in section 3.2 <https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06#section-3.2>.
>>>
>>>    A packet not having a 'BIER Specific Handling' indication but having
>>>    a BIER option SHOULD be processed normally as unicast forwarding
>>>    procedures, which may be a behavior of drop, or send to CPU, or other
>>>    behaviors in existing implementations.
>>>
>>>
>>> Under 5.3 security considerations should also help with ttl 255 and
>>> forwarding outside of BIER domain
>>>
>>> For a router incapable of BIERv6, such BIERv6 packet will not be
>>>    processed by the procedure described in this document, but be
>>>    processed as normal IPv6 packet with unknown option, and the existing
>>>    security considerations for handling IPv6 options apply.  Possible
>>>    way of handling IPv6 packets with BIER option may be send to CPU for
>>>    slow path processing, with rate-limiting, or be discarded according
>>>    to the local policy.
>>>
>>>    For a router capable of BIERv6, such BIERv6 packet MUST NOT be
>>>    forwarded, but should be processed as a normal IPv6 packet with
>>>    unknown option, or additionally and optionally be countered and
>>>    logged if the router is capable of doing so.
>>>
>>>
>>> Kind regards
>>>
>>> Gyan
>>>
>>> On Sat, Mar 14, 2020 at 10:31 AM Gyan Mishra <hayabusagsm@gmail.com>
>>> wrote:
>>>
>>>>
>>>> Makes sense.
>>>>
>>>> Thanks
>>>>
>>>> Gyan
>>>>
>>>> On Sat, Mar 14, 2020 at 4:12 AM Karl Auer <kauer@biplane.com.au> wrote:
>>>>
>>>>> On Sat, 2020-03-14 at 02:07 -0400, Gyan Mishra wrote:
>>>>> > I always wondered why RFC 4862 states that ND & RD packets have TTL
>>>>> > 255.
>>>>>
>>>>> >From RFC4861:
>>>>>
>>>>>    "By setting the Hop Limit to 255, Neighbor Discovery
>>>>>     is immune to off-link senders that accidentally or
>>>>>     intentionally send ND messages.  In IPv4, off-link
>>>>>     senders can send both ICMP Redirects and Router
>>>>>     Advertisement messages."
>>>>>
>>>>> RFC4861 also requires RA and NA packets with any other TTL value to be
>>>>> silently discarded by any receiving node.
>>>>>
>>>>> I can't find my original source, but my notes in a training course I
>>>>> developed a while ago have this to say about why:
>>>>>
>>>>>    "Why does 255 mean “local source”? Because routers
>>>>>     decrement the hop limit on packets passing through
>>>>>     them, and discard packets where the hop count
>>>>>     decrements to zero. It is impossible to decrement
>>>>>     a one-byte counter to 255 without passing through
>>>>>     zero, because 255 is the maximum value such a counter
>>>>>     can have. So the value 255 means that the packet must
>>>>>     have been generated on the local link."
>>>>>
>>>>> Probably would be better expressed as "must have originated on the
>>>>> local link".
>>>>>
>>>>> Regards, K.
>>>>>
>>>>> --
>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>> Karl Auer (kauer@biplane.com.au)
>>>>> http://www.biplane.com.au/kauer
>>>>> http://twitter.com/kauer389
>>>>>
>>>>> GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
>>>>> Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> v6ops mailing list
>>>>> v6ops@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>>
>>>> --
>>>>
>>>> Gyan  Mishra
>>>>
>>>> Network Engineering & Technology
>>>>
>>>> Verizon
>>>>
>>>> Silver Spring, MD 20904
>>>>
>>>> Phone: 301 502-1347
>>>>
>>>> Email: gyan.s.mishra@verizon.com
>>>>
>>>>
>>>>
>>>> --
>>>
>>> Gyan  Mishra
>>>
>>> Network Engineering & Technology
>>>
>>> Verizon
>>>
>>> Silver Spring, MD 20904
>>>
>>> Phone: 301 502-1347
>>>
>>> Email: gyan.s.mishra@verizon.com
>>>
>>>
>>>
>>> --
>
> Gyan  Mishra
>
> Network Engineering & Technology
>
> Verizon
>
> Silver Spring, MD 20904
>
> Phone: 301 502-1347
>
> Email: gyan.s.mishra@verizon.com
>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email