Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
Jen Linkova <furry13@gmail.com> Thu, 17 September 2020 08:37 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 783F13A0ADF for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 01:37:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lueNOpsvN3ii for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 01:37:01 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC9133A0AE2 for <ipv6@ietf.org>; Thu, 17 Sep 2020 01:37:00 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id y11so1221789qtn.9 for <ipv6@ietf.org>; Thu, 17 Sep 2020 01:37:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Ud5KWL+/i60rxloTY9CCLVbVwsZ7uwfIEbGO5Ar41Fg=; b=s1Kv8l09ybmmXlvMrE1G1qMHlvBEy8J7cv+5K4Caq+nwi9kZdMJsHiQ3T3llpJiy8D g2Hov0jIP/1uulp4RiPLg2Pog8hXXzYldtbkklIcUQ8WOwiHZij+xpUEG9eqZF68WsDv LUXYlAG9cZUjw1y29mI+Gr4NuFCm3RL+9p2hIhxx6YVpprMg8JgiAINiXO7OQzEC6CsW 3vUtpE0kVto0QouJ2E4nFXlsyiRlYaY0FUTA6XLooQlLKGzMNjbqXh7UxRuZY7Yx0AjQ WZ3P4WsNE1wIQnjqyVvVUGy2627XXVPTaa/P9qxkLALPoS59WUsa3NJg1Z4NUVCeT6p3 4vUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Ud5KWL+/i60rxloTY9CCLVbVwsZ7uwfIEbGO5Ar41Fg=; b=kVyDHMYgIEhDhhYaAC3cf9ULTeDiejiXA6F/zc2uAJuC9BfQUYNb4DsYPiXTqW7IFK FanvcCMPs69sBL6bupu56C8xFQkFdaxefAH7qfY2By0W9ZnR4PoXpLbcsPiSEbuBtQOo wsT+ZInxwTch4eOomusgbHH58YM6MtvNsgbHBCck/xJ+FjVdmWpHfxbOfhepQooserxR ZNvAPqFdjjd8pKplw6en+GgnUjO0fR3U0ScERNXWxvilIN6SWutuwQBXDbpzbpjHlx7+ SPHbQs1XSwbot1PlllsPv1wKnJ9b4oCK0Ye1ndyhVxZY3zacyPf5x71c8vgQXD0iaBeT JRTQ==
X-Gm-Message-State: AOAM531dC1Ezn52BNIBUHbasufq9M4GsSH5jLEq8DLdXRWdzkAfyOB/K nKiiKz0Ge7YDWcdr6vzHYWXPNOpx4dZZaMyn8qM=
X-Google-Smtp-Source: ABdhPJymY4rgPjQX/lp1Aq68Iyc6BcrLlgZ2EJcGxSxsSlxy3vyolYlmZ5Ck6f3G4swpXwoPPi+iJbe6bz62Uu4kOMI=
X-Received: by 2002:ac8:4245:: with SMTP id r5mr26933880qtm.52.1600331819708; Thu, 17 Sep 2020 01:36:59 -0700 (PDT)
MIME-Version: 1.0
References: <7120052452e644dcbf60485cb4224128@huawei.com> <CAFU7BATTpJtAPeKCJtapQCbwD2FFrYOH_ErfuPcZnO8uYar_kA@mail.gmail.com> <9cd9fb5962d44046871e7185ab344e34@huawei.com>
In-Reply-To: <9cd9fb5962d44046871e7185ab344e34@huawei.com>
From: Jen Linkova <furry13@gmail.com>
Date: Thu, 17 Sep 2020 18:36:48 +1000
Message-ID: <CAFU7BARs4N8X_DOe7CcRUKddo++qtDj9hWmreE3trCqO_q0rZg@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/IYAiNL1dA3HrIQ2FHn_hwgBFBaI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 08:37:03 -0000
On Wed, Sep 16, 2020 at 7:28 PM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote: > If addresses is promoted to "Preferred", then DAD has passed. We all know how "reliable" DAD is. AFAIR during Berlin IETF we got ~25% false negatives for DAD on the IETF WiFi. >Then there is no way to shut up any host (from both duplicates). Not sure what you mean...Could you please elaborate? > Very bad things would happen: > Only one would win the fight for neighbor cache record on the router. > > 1-way MITM: other one would sent upstream normal, but return traffic would go to first host. Let's not call it MITM unless the first host is malicious and intends to forward traffic back to the second host. > 2-way MITM at the same time: You could not assume what host (first or second) is more valuable - second one could be the important server after reboot. >Then other one would get all requests to applications (DB, File Server, Web) from outside of the subnet. At least to collect passwords, and may be much more... depends on application type. > > > > My problem: router could not see duplicity (and help) if at least legal host would not be persuasive to claim neighbor cache entry on the router. I believe you need to define 'the legitimate' first. The grand draft follows the approach of the Optimistic DAD RFC4429: the host which got the address first is the rightful owner. The newcomer should not cause any disruption. > Override flag set does permit for router to understand that address has achieved Preferred status (not optimistic) - action could be taken now. I feel like I need to read your draft first so we can establish some common ground for the discussion. Has it been submitted and I missed it? If you could provide a link, it would be highly appreciated. > In general, I do not respect this story about "first-come/first-serve" (I propose to block both). So far I'm afraid we disagree on this topic. As an operator I have a strong preference on minimizing the disruption for the existing elements. When I'm adding a new element to the network and there is smth wrong with it (e.g. a duplicated address), I want the new element to malfunction, not smth else. > > -----Original Message----- > From: Jen Linkova [mailto:furry13@gmail.com] > Sent: 16 сентября 2020 г. 5:29 > To: Vasilenko Eduard <vasilenko.eduard@huawei.com> > Cc: ipv6@ietf.org > Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address > > > > On Tue, Sep 15, 2020 at 10:55 PM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote: > > > I did believe that your draft has already passed last call, I was late. Hence, I did not make one important comment. > > > > That's perfectly fine - as the IESG asked for both drafts (v6ops-nd-cache-init and 6man-grand) to be merged, there will be another WGLC for 6man-grand. > > > > > Meanwhile, I was working on my draft how to block MITM in ND. I am very unhappy about the leakage of information - you probably remember. > > > I have almost finished - MITM blocked except very corner cases of host-to-host communication (no routers). > > > But after many discussions with co-author we have found 1 hole that has been patched in this way: > > > > > > * Section 7.2.6 (Sending unsolicited NA) of [ND], add at the end: > > > A node SHOULD send Neighbor Advertisement message with Override flag set to the all-routers multicast address after respective address would change state to preferred. > > > > > > There is the section later that explains interoperability with all ND-related extensions. Interoperability to GRAND is explained in this way: > > > [Gratuitous ND] operates as intended in the combination with [Optimistic DAD]. > > > [Gratuitous ND] is effectively replaced by this document for the case when address is progressed to preferred, because stronger form of unsolicited NA (with override bit set) is proposed. > > > > > > May be I am asking too much (you better know IETF practices). > > > 1. Could you consider to set Override flag after address progressed to Preferred? I need SHOULD. > > > 2. Could you consider to recommend to send at least 1 unsolicited NA after address would go to preferred? I need SHOULD. > > > > Setting O=1 would drastically increase the risk of disruption for a 'rightful' address owner, in case of duplicated addresses. > > If a host configures a new preferred address while the same address is in use by another host: > > - [without GRAND] the rightful owner continues to receive its traffic (and, potentially, some packets which actually belong to the new host). The new host does not have connectivity. > > - [with GRAND] the same > > - [ GRAND + O=1] the rightful owner losing the connectivity, and the new host starts receiving traffic for its own flows and some traffic which belongs to the rightful address owner. > > > > -- > > SY, Jen Linkova aka Furry -- SY, Jen Linkova aka Furry
- I-D Action: draft-ietf-6man-grand-02 - override f… Vasilenko Eduard
- Re: I-D Action: draft-ietf-6man-grand-02 - overri… Jen Linkova
- RE: I-D Action: draft-ietf-6man-grand-02 - overri… Vasilenko Eduard
- RE: I-D Action: draft-ietf-6man-grand-02 - overri… Vasilenko Eduard
- Re: I-D Action: draft-ietf-6man-grand-02 - overri… Jen Linkova
- Re: I-D Action: draft-ietf-6man-grand-02 - overri… Jen Linkova
- RE: I-D Action: draft-ietf-6man-grand-02 - overri… Vasilenko Eduard
- RE: I-D Action: draft-ietf-6man-grand-02 - overri… Vasilenko Eduard