IETF Logo Mail Archive

Re: Robustness principle and multicast source address

Mark Smith <markzzzsmith@gmail.com> Tue, 20 November 2018 01:45 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81734124C04 for <ipv6@ietfa.amsl.com>; Mon, 19 Nov 2018 17:45:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pURcTewLmOzl for <ipv6@ietfa.amsl.com>; Mon, 19 Nov 2018 17:45:38 -0800 (PST)
Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC92D128C65 for <ipv6@ietf.org>; Mon, 19 Nov 2018 17:45:38 -0800 (PST)
Received: by mail-ot1-x329.google.com with SMTP id t5so291121otk.1 for <ipv6@ietf.org>; Mon, 19 Nov 2018 17:45:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NLZ5Atxd4SE8Pp5q3DIA+fN1MOLV+gV/fw2yzW//t5Y=; b=Ydw7vrMQUPFEA83ZFo2nzA513XjvJAgvjjvlTuY3AFFst/9/+xbFeH5z1/EZaeIlat gB60nrrbFJYHcGfKgTDsBZYYhwra4az84kwcn1bK1mK1/knnK1F9oWVP3kuQqCGH+9T5 Y10hHutnIToJ/imrM7cPwjM6W1+r69kdKJJ9rtNQhjEkCz4LCUhd9aq14fD6/w8KzvfT IQRkJWUyctCu4iYHpePRa7yAGrbPcD9IWAH+l+INj0EPso2uBIPo5HBRZldgAGHvc6bM GLwvverYXB/LsGCfzLXOYZ10hlCaZihSojxM8E7vJ8Qkv4g8CC5BkxeZfQx63hltGlZh fOZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NLZ5Atxd4SE8Pp5q3DIA+fN1MOLV+gV/fw2yzW//t5Y=; b=VaTer8RvzDXKu5X0Mph7BhRk2mqsWk0B4w88zhQu9QIAIKB9oA29xrI30sIPX/mYV8 e/uSZM3rAqnlKkeijjKewco01jurDmuAbWxyYGACKAhKXHsSiho1y2YhKEmrdHSm8WyY +zfrORxkywsR1Lvk0jJt5ODJqIvupG3R/XJa4qk8gBnZoY6+05UFwuZzSRHue/y2rcSD mlCEJP9oF4CwVtCeLaKAd6zJVT5tTNqAmQ01zYwGvOnarfVN5DaqCbFvS7Cxg/IZs266 Y282SkfVMGXDwY4RNW2BJluw90sG/GoYj4AGUvjG2vh2kM9l4fQGUU5So1MtI6o43U+h vQBQ==
X-Gm-Message-State: AA+aEWYUVU8ME5DOTExsiYZyRGr2BK4DRkBRUZGg6urCLCfvq5AZ2b4b g1xu0kTjhCM60yiNlO8xBbBYx8laZRCfxEpqSTE=
X-Google-Smtp-Source: AFSGD/XZSDtqSSH+EmxX3+8mxuz6PHzoWhWCtgiIBL0NrsmudbUrIgfpLTDUcgKUxUvEmawB2qANrvjzTlcRot9zRNU=
X-Received: by 2002:a9d:7059:: with SMTP id x25mr50450otj.35.1542678337997; Mon, 19 Nov 2018 17:45:37 -0800 (PST)
MIME-Version: 1.0
References: <CAFU7BAQH-vYkpk0cuhdvTZFEQXKx4DnDzVObN7xY84CWBTQbPg@mail.gmail.com>
In-Reply-To: <CAFU7BAQH-vYkpk0cuhdvTZFEQXKx4DnDzVObN7xY84CWBTQbPg@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 20 Nov 2018 12:45:11 +1100
Message-ID: <CAO42Z2zapn43gnjD_SLFt+q7ZiqykFT9gEyhandSpCgo7-TN_w@mail.gmail.com>
Subject: Re: Robustness principle and multicast source address
To: Jen Linkova <furry13@gmail.com>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/G5YC56h2No03gtuynQwyiMIetmA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 01:45:41 -0000

Hi Jen,

On Thu, 15 Nov 2018 at 17:32, Jen Linkova <furry13@gmail.com> wrote:
>
> The section 2.7 of RFC4921 says:
>
> Multicast addresses must not be used as source addresses in IPv6
> packets or appear in any Routing header.
>
> (https://tools.ietf.org/html/rfc4291#section-2.7)
>
> Does it mean that any packets with multicast source MUST be dropped by
> the receiver? Or shall Postel's Law still apply?
>

I'd be saying MUST, and silently.

A multicast source address fundamentally doesn't really make sense. A
multicast address represents a group of addresses, so a multicast
address in a single packet's source address field suggests the single
packet somehow has multiple sources, which suggests multiple devices
built parts of the single packet. IPv6 doesn't support multi-source
multi-part single packets! (Has any protocol?)

Source addresses are also commonly used as destination addresses for
responses, so a multicast source address where a unicast address
should be can mean a link layer flooded multicast instead of unicast
response. (For IPv4, RFC1122 specifies that received, link-layer
broadcast IPv4 packets that do not have an IPv4 broadcast or multicast
address should be silently ignored, mitigating this scenario.)

With old enough Ethernet switch firmware that supports translational
bridging, the I/G bit in the Ethernet source address field actually
means there is a source route information field, following the
destination address
(https://www.cisco.com/c/en/us/support/docs/ibm-technologies/token-ring/24501-trb-rif.html).
If there isn't, the switch might drop the packet, which some server
colleagues of mine found out when they tried to use the Linux IPtables
ClusterIP extension, as it tries to use "multicast" source Ethernet
addresses.


> In particular (practical question...): shall an NA packet from the
> multicast source be dropped (if one applies the NA validation rules
> from https://tools.ietf.org/html/rfc4861#section-7.1.2 such packet
> would be still a valid advertisement...)
>

This draft did specify some more stringent NA source address
validation, as well as other validation e.g. Source Link Layer Address
option does not contain a multicast link layer address.

"Security Assessment of Neighbor Discovery (ND) for IPv6"
https://tools.ietf.org/html/draft-ietf-opsec-ipv6-nd-security-00




Regards,
Mark.

> --
> SY, Jen Linkova aka Furry
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email