RE: [Int-area] Route Information Options in Redirect Messages

"Christian Huitema" <huitema@huitema.net> Tue, 10 January 2017 19:34 UTC

From: Christian Huitema <huitema@huitema.net>
To: "'Templin, Fred L'" <Fred.L.Templin@boeing.com>, 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, '6man WG' <ipv6@ietf.org>, 'INT Area' <int-area@ietf.org>
References: <b0d15d2e8b3e414abf4e87c60d39e252@XCH15-06-08.nw.nos.boeing.com> <32fbea25-01c9-aa32-e70f-3e1282f56294@gmail.com> <5cd024891c204a9bb37dcc23796c36c6@XCH15-06-08.nw.nos.boeing.com>
In-Reply-To: <5cd024891c204a9bb37dcc23796c36c6@XCH15-06-08.nw.nos.boeing.com>
Date: Tue, 10 Jan 2017 11:34:13 -0800
Message-ID: <016f01d26b78$870895a0$9519c0e0$@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/JspKI6tRNwtZwgPMLrcqaZKFyW8>

On Tuesday, January 10, 2017 9:55 AM, Fred Templin wrote:
> ... 
> What is being proposed in the document I submitted is the inclusion of
> RIOs in Redirect messages for a *prefix* that is not on-link, as opposed
> to a singleton destination. So, the same SHOULD in the paragraph above
> would seem to apply also to prefix redirection the same as for ordinary
> destination redirection.

Fred, I am reading the security section of your draft. I think it needs a
bit more work.

Currently, RIOs are only expected in Router Advertisements. RAs are
somewhat special, and there is often specific code in switches to check RAs
and prevent RA spoofing -- e.g., RA-Guard. Allowing the option in Redirect
messages could very well bypass the RA-specific checks. Doesn't that open
the path for new attacks? Should you not say something about that in the
security section? How about specific mitigations, such as sanity checks when
processing Redirect messages?

-- Christian Huitema
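As an added illustration (my own example, not part of this thread or of the draft under discussion) of the "sanity checks when processing redirect messages" idea: a host-side validator that applies the RFC 4861 section 8.1 Redirect checks and then walks the options, treating a Route Information Option (type 24) with a policy that is an assumption of this example, since no specification defines one. The ICMPv6 checksum is not verified, and the sample messages are constructed here.

```python
import ipaddress
import struct

ICMPV6_REDIRECT = 137
OPT_ROUTE_INFO = 24  # Route Information Option, RFC 4191 section 2.3

def rio_problem(body):
    """Sanity-check an RIO body; return a reason to reject it, or None."""
    if len(body) < 6:
        return "RIO too short"
    plen = body[0]
    if plen == 0 or plen > 128:
        return f"RIO prefix length {plen} rejected (a /0 would install a default route)"
    need = 8 if plen <= 64 else 16
    if len(body) - 6 < need:
        return "RIO prefix field truncated"
    net = ipaddress.IPv6Network((body[6:6 + need].ljust(16, b"\0"), plen), strict=False)
    if net.is_multicast or net.is_link_local or net.is_loopback:
        return f"RIO prefix {net} is not a routable unicast prefix"
    return None

def validate_redirect(src_ip, hop_limit, icmp, allow_rio=False):
    """Reasons to drop a Redirect (RFC 4861 s8.1 host checks plus the assumed RIO policy)."""
    if len(icmp) < 40:
        return ["message shorter than 40 octets"]
    target, dest = ipaddress.IPv6Address(icmp[8:24]), ipaddress.IPv6Address(icmp[24:40])
    problems = [msg for ok, msg in (
        (ipaddress.IPv6Address(src_ip).is_link_local, "IP source is not link-local"),
        (hop_limit == 255, "hop limit is not 255"),
        (icmp[0] == ICMPV6_REDIRECT and icmp[1] == 0, "not a Redirect with ICMP code 0"),
        (not dest.is_multicast, "destination is multicast"),
        (target.is_link_local or target == dest, "target is neither link-local nor the destination"),
    ) if not ok]
    off = 40
    while off < len(icmp):  # walk the TLV options; length is in units of 8 octets
        olen = icmp[off + 1] if off + 1 < len(icmp) else 0
        if olen == 0 or off + olen * 8 > len(icmp):
            return problems + ["malformed option"]
        if icmp[off] == OPT_ROUTE_INFO:
            why = rio_problem(icmp[off + 2:off + olen * 8]) if allow_rio else "RIO in Redirect rejected by policy"
            if why:
                problems.append(why)
        off += olen * 8
    return problems

def make_redirect(target, dest, options=b""):
    # Constructed sample input: a Redirect with a zero checksum (checksum is not verified above).
    return (bytes([ICMPV6_REDIRECT, 0, 0, 0]) + b"\0" * 4 + ipaddress.IPv6Address(target).packed
            + ipaddress.IPv6Address(dest).packed + options)
# Constructed sample RIO: 2001:db8:1::/48, medium preference, 1800 s lifetime.
SAMPLE_RIO = bytes([OPT_ROUTE_INFO, 2, 48, 0]) + struct.pack("!I", 1800) + ipaddress.IPv6Address("2001:db8:1::").packed[:8]
```

With the default policy a Redirect carrying an RIO is dropped outright; with allow_rio=True it is still subject to the prefix sanity checks, which is the kind of mitigation the security section could describe.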