IETF Logo Mail Archive

Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 12 August 2022 18:35 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A87BC14CF13 for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 11:35:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.707
X-Spam-Level:
X-Spam-Status: No, score=-6.707 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YloDu188t7Ry for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 11:35:36 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38E8DC14CF0C for <ipv6@ietf.org>; Fri, 12 Aug 2022 11:35:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 5BF391801A; Fri, 12 Aug 2022 14:54:52 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id ycBmrgODHIGx; Fri, 12 Aug 2022 14:54:47 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C21AC18017; Fri, 12 Aug 2022 14:54:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1660330487; bh=5zYK0fzyrAbQ2qZIkdFsGERkUM2LdaluSBjS23nIimU=; h=From:To:Subject:In-Reply-To:References:Date:From; b=UrBnECyjjvPF7DPSg5VlaUyFjeyQOJTE5DofltgLzvZGYAZ579jk8Jq1ArL+jz1tS wTmkwdreQ7/2zwxRN1AfvO0sbe8iFIQJUmNH3uyIt2BUZLAZ6Xlagee7h8dghCMuZJ ZzakbB069GzxGebkNPN7mfEv82bqhzjZLfXwi6vlvj82NVtW93M+lnJBFIfIyvw2Xk dEmXO8Pe+DzPY9rqmTpfRCOBZjNMcC2TdfVnfhgPWi31/iXVxdnRlBE9EoYdbT7mQy 0KnbOK5C8bAUxCTS93vSBe5Vfy1RoG8othhs1VKzeN0fil3ucND3JtyyEdWjPmcigE 3YTEzafntxn7w==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 0FC9A632; Fri, 12 Aug 2022 14:35:29 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ted Lemon <mellon@fugue.com>, fgont@si6networks.com, ipv6@ietf.org
Subject: Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information
In-Reply-To: <01E08955-E0BF-44B8-839B-4148BD76A819@fugue.com>
References: <4d3c116d0461477e9afa4b56c43688fe@huawei.com> <01E08955-E0BF-44B8-839B-4148BD76A819@fugue.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 12 Aug 2022 14:35:29 -0400
Message-ID: <21348.1660329329@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/SMUS_GZxIa_WNTAxQTiqFSLbITU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2022 18:35:40 -0000

Ted Lemon <mellon@fugue.com> wrote:
    > RS, they seem low-cost. I am somewhat concerned that a cleverly-timed
    > attack while a router is known to be down could result in bogus
    > prefixes being preferred on the link until the router comes back, and
    > that this could break connections on the link that would otherwise
    > survive. But this seems like a fairly useless denial-of-service attack.

If I understand the attack you are thinking about,  it would depend on the
addresses expiring from the nodes while the router is down and can not renew
the prefix lifetimes.

The attacker deprecates the addresses, by impersonating the router, and
nodes kill connections.    One answer, I think, is that any existing sockets
that are using those addresses can just continue to use them.
New connections/sockets would not use those addresses.

I know that my browsers all seem to notice when there is an address change
and they restart connections.  I'm not entirely sure if this is just based
upon opening the routing socket and listening, or if there is a lower
overhead mechanism... I'd sure like to be able to toggle a socket option on a
bind()/connect()'ed socket (both TCP and UDP) to get an error if the
addresses involved go into deprecated state.

The sockets might actually break if they are connections to the Internet, but
they would break anyway in that case.  If they are just across the link, then
they would just continue working.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email