IETF Logo Mail Archive

Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Tue, 22 March 2016 00:42 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 640B412D1A5 for <ipv6@ietfa.amsl.com>; Mon, 21 Mar 2016 17:42:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level:
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_NAME_FM_MR_MRS=1.499, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6WwrP-i24t6W for <ipv6@ietfa.amsl.com>; Mon, 21 Mar 2016 17:42:02 -0700 (PDT)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 619A412D190 for <ipv6@ietf.org>; Mon, 21 Mar 2016 17:42:02 -0700 (PDT)
Received: by mail-yw0-x22e.google.com with SMTP id h129so235447414ywb.1 for <ipv6@ietf.org>; Mon, 21 Mar 2016 17:42:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=30XDWx7KuPQcJ5XqMs66pCICRNs0VQLym3wLQTnudWI=; b=ZV3Epu6jWYDGCokqUXxO1VBjZay2V80cg/f6NdZGv4NZx/WHgo4CVISIlHkN+yhTyf HJT7RMA01r5gk8WZVfI+VEvDrRmPbLMVpqilTOm2gyNdhD2aj8yUOPy2eQz551d/vAD/ dQh6ufXYjyPqmdudrjT2mbNuERYX3J/7tHtfJ4OwDO4qZK7Idg0c98MDfUacvjZ2ImtL i39hMJarAgoSijXwIi5xPuOsGhWaHVsMGuDUw2l0YOdA3vpPG28duHZHyJYMHK0JH9sN bZTnddiIyEv4pWhI77nhJlG2a5LCux1dndBRD8Dl6TvhKDX6CYgUSI4QSEttGL+Mpq9i cebA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=30XDWx7KuPQcJ5XqMs66pCICRNs0VQLym3wLQTnudWI=; b=AdMAKGwGBIC/rpf0sJHjITkDGcrDhjE/chzhkE0bvecAvetArvZZ0R74wvyXXhx5JB FAJbC8QLNl1hj6HLFk1EWRbkgY22NSAgTi2SkTsrjcg60EAQtp3goOoY2+dwG7OYVgKQ Q1h3ZSeh/xm8fNH0C120PatP+bvla6fcYKGAWi2/JVEesdOPGvw0m1cppNIeqCz3v0ZX 9+rpxUZODxw3lYlu3ZZPIIsW9xTkQKaRhxPLxeohe5DaG73ZofUFU7T5AOrmqcv4t/Xp EbifFAoXr+J7Lf4TJuDuD8vFPy4YZX/AhU1Eys9Ai9WRnKZo84pZU3cztQ76BwBwXYh2 lC6g==
X-Gm-Message-State: AD7BkJJZ6uxo4FqzCSEHWSGGVDIYKwj0/eT1Q93Vkpd1GJj00rLxKIz8MNpcHDSD8LRSC2T3Hb2FsQFVn6o1mg==
X-Received: by 10.129.88.198 with SMTP id m189mr15052947ywb.342.1458607321642; Mon, 21 Mar 2016 17:42:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.145.80 with HTTP; Mon, 21 Mar 2016 17:41:32 -0700 (PDT)
In-Reply-To: <56EBCC78.6030206@forthnet.gr>
References: <6AC58C26-01B6-4C16-851F-0C1228CDD2AF@employees.org> <CAJE_bqfeLxURYwMDcjMtSnyb2WBeYu_5Yq_2Yyo_O9sqHRn+og@mail.gmail.com> <73EEC8CE-EDC8-45FC-AE4F-F390F965304F@employees.org> <CAPK2DezV9vKYrHCAJJ_bFQZa02MCJMPdX7=BtL-tPzOj+da6vQ@mail.gmail.com> <CAJE_bqd316puXTvku3hMMGnThOV3JGMbLK_erQJDd6ic-BNJgA@mail.gmail.com> <CAPK2DezfW5khZyW-2wNfZ04=BSV2xq57Z52WDCoeivt4J9tvig@mail.gmail.com> <CAJE_bqfLtPmFBqZXDCfnnxZHUvzQFbicV0dweS23VjL_oEbDVg@mail.gmail.com> <CAPK2Dew4AVuZ9ssQnwSfbGu7vfS1f__8tgNWk9WFhEep7wPdGA@mail.gmail.com> <56EA8D27.3060704@forthnet.gr> <CAPK2DeyT-K1LR3+dAuLiuS2L=xr7Q4e2N-QZAoWHRC_cQSFKzw@mail.gmail.com> <CAKD1Yr142AT1UKfdQG4D9HaROJKKJN8Zj+ywj3sp9T-qNq7wNQ@mail.gmail.com> <56EAAD36.20901@si6networks.com> <CAKD1Yr1RH2r7H7Zq5y7ZRLx1v87jNWHy5n_eQDLWL9kfL7L2mg@mail.gmail.com> <CAPK2DewGU4sM4yqN-bgc7zQ77F_ednZ8X0-VyQRmD_aoZCgapA@mail.gmail.com> <1C086B9C-C1FD-4C53-823D-0A58A2DDE607@employees.org> <56EBCC78.6030206@forthnet.gr>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Tue, 22 Mar 2016 09:41:32 +0900
Message-ID: <CAPK2Dez6kD4WQf9tEuWj5ccX_v53bSw-gzwy_+KQ6Z=F68tjEA@mail.gmail.com>
Subject: Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
To: Tassos Chatzithomaoglou <achatz@forthnet.gr>
Content-Type: multipart/alternative; boundary="001a11492cb645fd21052e987b1a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/B0WIPQ9lQZYCkpi4F40T8I1Bvw0>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 00:42:04 -0000

Hi Tassos,
Thanks for your comments.
I put my answers inline below with "=>".

On Fri, Mar 18, 2016 at 6:38 PM, Tassos Chatzithomaoglou <achatz@forthnet.gr
> wrote:

> otroan@employees.org wrote on 18/3/2016 10:44 πμ:
> > Paul,
> >
> >> I took a look at the draft of
> https://www.ietf.org/id/draft-ietf-v6ops-dhcpv6-slaac-problem-06.txt.
> >>
> >> From Case 4 (all RA flags are set, that is, M=1, A=1, O=1) in A.2.2,
> >> Fedora 21 and Centos 7 let the DNS of the RAs have higher priority, but
> >> MAC OS-X lets the DNS of DHCPv6 have higher priority.
> >> In the current implementations, there is no consistency to handle RDNSS
> options from RA and DHCPv6.
> >>
> >> Thus, I suggest the following text with the preference for DHCPv6
> because
> >> there is no a stong rationale, but there must be somehow a guidance to
> handle this case:
> >>
> >> The DNS options from Router Advertisements and DHCP SHOULD be
> >> stored into the DNS Repository and Resolver Repository so that
> >> information from DHCP appears there first and therefore takes
> >> precedence. This document recommends that the DNS information
> >> from DHCP should have higher priority than that of RA for
> >> DNS queries to handle the case of the coexistence of RA and DHCP.
> >>
> >> If anyone does not object this text, I will revise the draft with it.
> > I would prefer this document focused solely on specifying the RA DNS
> options, and did not stray into more general configuration complexity.
> >
> > getting information from multiple sources is a more general problem in
> IPv6, and I don't want us to "solve" (if that's possible) that problem in
> this document.
> >
> > "the less you say, the less likely you are to say something wrong". ;-)
> >
> > Best regards,
> > Ole
> >
> So we leave the DHCP/RA preference choice to the implementers?
>
 => Since this issue  is not standardized yet, we will leave it to the
implementers.


>
> Something else that doesn't seem ok to me.
> > However, the security of these RA options for DNS configuration does
> >    not affect ND protocol security [RFC4861].  This is because learning
> >    DNS information via the RA options cannot be worse than learning bad
> >    router information via the RA options.  Therefore, the vulnerability
> >    of ND is not worse and is a subset of the attacks that any node
> >    attached to a LAN can do.
>
> I do not agree with the statement "learning DNS information via the RA
> options cannot be worse than learning bad router information via the RA
> options".
> I believe that bad router exploitation is at a local level, while bad
> DNS exploitation is at a global level. So while the origin of the attack
> can be the same (a node attached to the LAN), the easiness/effectiveness
> of the attack can be greater in the case of DNS.
>
>  => By the invalid RDNSS addresses, the DNS query messages from
      IPv6 hosts can be generated and sent toward those addresses over the
link
      to which the hosts are attached. However, in the aspect of IPv6
hosts,
      the vulnerability level for ND service seems still the same.


>
> Also, i have spotted a few more places for further clarification:
>
> > Step (c): For each RDNSS address, if it already exists in the DNS
> >       Server List, then...
>
> Step (c): For each RDNSS address, if it already exists in the DNS
>       Server List and the RDNSS option's Lifetime field is not set to
> zero, then....
>
>  => This clarification looks good. I will reflect this in the revision.


> > Step (d): For each RDNSS address, if it does not exist in the DNS
> >       Server List, register the RDNSS address and Lifetime with the DNS
> >       Server List and then insert the RDNSS address in front of the
> >       Resolver Repository.
>
> ...and then insert the RDNSS address as the first one in the Resolver
> Repository.
>
>   => This clarification looks good, too. I will reflect this in the
revision.


 Thanks.

 Best Regards,
 Paul


> --
> Tassos
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>



-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>

v2.23.0 | Report a Bug | By Email