RE: Route Information Options in Redirect Messages (updated)

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 06 February 2017 19:51 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08B9F1294A3 for <ipv6@ietfa.amsl.com>; Mon, 6 Feb 2017 11:51:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3qrvLizH0Hqn for <ipv6@ietfa.amsl.com>; Mon, 6 Feb 2017 11:51:43 -0800 (PST)
Received: from phx-mbsout-01.mbs.boeing.net (phx-mbsout-01.mbs.boeing.net [130.76.184.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64B96129469 for <ipv6@ietf.org>; Mon, 6 Feb 2017 11:51:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id v16Jpgk4035488; Mon, 6 Feb 2017 12:51:43 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (xch15-06-08.nw.nos.boeing.com [137.136.238.222]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id v16JpW6o035266 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Mon, 6 Feb 2017 12:51:32 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 6 Feb 2017 11:51:31 -0800
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1178.000; Mon, 6 Feb 2017 11:51:31 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Lorenzo Colitti <lorenzo@google.com>
Subject: RE: Route Information Options in Redirect Messages (updated)
Thread-Topic: Route Information Options in Redirect Messages (updated)
Thread-Index: AdJ8F7CvYW0JrWzvRzOTQSlLsXA0KQEQ3FuAABT6DsA=
Date: Mon, 6 Feb 2017 19:51:31 +0000
Message-ID: <6fe9d373c94b42d68c5607bcb95a6f63@XCH15-06-08.nw.nos.boeing.com>
References: <9910b4acd87044e89fad83bb5c795b77@XCH15-06-08.nw.nos.boeing.com> <CAKD1Yr2m-cOWZUn67DNJGi-Ofm_t5LEjKuCP1zaCGhXDCfE1ew@mail.gmail.com>
In-Reply-To: <CAKD1Yr2m-cOWZUn67DNJGi-Ofm_t5LEjKuCP1zaCGhXDCfE1ew@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: multipart/alternative; boundary="_000_6fe9d373c94b42d68c5607bcb95a6f63XCH150608nwnosboeingcom_"
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/HRcLdz0oS9W5X9kc6fUhJdRokQA>
Cc: james woodyatt <jhw@google.com>, IPv6 List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 19:51:46 -0000

Hi Lorenzo – see below for responses:

From: Lorenzo Colitti [mailto:lorenzo@google.com]
Sent: Sunday, February 05, 2017 5:27 PM
To: Templin, Fred L <Fred.L.Templin@boeing.com>
Cc: IPv6 List <ipv6@ietf.org>rg>; james woodyatt <jhw@google.com>
Subject: Re: Route Information Options in Redirect Messages (updated)

I'm not sure about the security reliability and reliability of this scheme. The first things that come to mind are:

What happens if the whole network is renumbered? Fundamentally, the entity that is authoritative for the larger prefix (i.e., the one sending the prefix redirect) is the one that controls routing to that prefix. What happens if that entity realizes that the prefix is no longer valid, and that thus the sub-prefixes are also no longer redirected? How does it withdraw those redirects?

FLT>>> The renumbering event itself would be no different than renumbering for
FLT>>> any DHCPv6 PD scenario – I guess it would entail a DHCPv6 “reconfigure”
FLT>>> exchange. But, once a prefix is renumbered, there are a couple of ways
FLT>>> that previous redirections could be cancelled. First, the redirection target
FLT>>> could send unsolicited Redirects with Route Lifetimes set to 0 for the
FLT>>> previous prefixes (in which case, the source will again allow future traffic
FLT>>> to flow through a default router). Second, the redirection target can
FLT>>> send “Destination Unreachable” messages to the source, which can then
FLT>>> infer that the redirected routes are no longer valid and delete the
FLT>>> redirected route. Our draft is currently silent on Destination Unreachables,
FLT>>> but ‘draft-templin-aerolink’ talks about them and we could adopt some
FLT>>> of that text.

Second: security. I get the feeling that a lot of work needs to be done here to cover all the corner cases. One obvious example is: suppose I have 2001:db8:1:1:/64 on link, and then some host sends an unsolicited RIO announcing that it is responsible for 2001:db8:1:1:/64, or for both 2001:db8:1:1::/65 and 2001:db8:1:1:8000::/65. What happens? Hopefully the host doesn't get to MITM all the traffic on the link.

FLT>>> Please check the Security Considerations section and let us know if you
FLT>>> have any comments on what appears there. To your point, though, a
FLT>>> Node A having received a prefix redirect with next hop Node B will
FLT>>> never accept a redirect from Node C claiming to own the prefixes
FLT>>> that are legitimately owned by Node B.

Even assuming that a router actually legitimately redirects a sub-prefix to a given node for a certain lifetime, what's to stop that node claiming that sub-prefix even after the original lifetime has expired? Should the host receiving the prefix redirect enforce that the prefix lifetime can never increase?

FLT>>> RIOs include a Route Lifetime which gives a number of seconds before
FLT>>> the prefix expires. If the node that is the owner of the prefix wishes
FLT>>> to extend the Route Lifetimes, it can send unsolicited Redirects to its
FLT>>> (redirected) correspondents. But, once Route Lifetime expires the
FLT>>> correspondent discards the prefix and allows future packets to once
FLT>>> again flow through a default router.

More in general it looks like this document is trying to reinvent a fair amount of stuff that's already covered in detail, and more robustly, in homenet. Why not use those solutions instead?

FLT>>> Please have a look at the use cases. The three that I have mentioned are
FLT>>> 1) enterprise mobile devices (e.g., cellphones, tablets, etc.), 2) Airplanes
FLT>>> in civil aviation networks, and 3) Unmanned Air Vehicles in unmanned
FLT>>> air traffic management networks. Others have mentioned other use
FLT>>> cases, and I think we will find that there are still many others. About
FLT>>> reinventing homenet, I think you would find that these concepts have
FLT>>> been around a lot longer than homenet.
FLT>>>
FLT>>> Thanks - Fred

On Wed, Feb 1, 2017 at 8:14 AM, Templin, Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote:
An updated version of "Route Information Options in Redirect Messages" is now
available (see below). This version addresses 6man list comments posted in the
1/9/2017 - 1/12/2017 timeframe, and re-aligns the work from intarea to 6man.
It also expands on several aspects of the proposal that were not covered in the
intarea draft. Please (re-)review and post comments to the list.

Fred and James

-----Original Message-----
From: I-D-Announce [mailto:i-d-announce-bounces@ietf.org<mailto:i-d-announce-bounces@ietf.org>] On Behalf Of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
Sent: Monday, January 30, 2017 2:33 PM
To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
Subject: I-D Action: draft-templin-6man-rio-redirect-01.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.


        Title           : Route Information Options in Redirect Messages
        Authors         : Fred L. Templin
                          James Woodyatt
        Filename        : draft-templin-6man-rio-redirect-01.txt
        Pages           : 7
        Date            : 2017-01-30

Abstract:
   The IPv6 Neighbor Discovery protocol provides a Redirect function
   allowing routers to inform recipients of a better next hop on the
   link toward the destination.  This document specifies a backward-
   compatible extension to the Redirect function to allow routers to
   include routing information that the recipient can associate with the
   next hop.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-templin-6man-rio-redirect/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-templin-6man-rio-redirect-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-templin-6man-rio-redirect-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org<mailto:I-D-Announce@ietf.org>
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------