IETF Logo Mail Archive

Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information

Fernando Gont <fgont@si6networks.com> Fri, 12 August 2022 21:33 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1A6C157B3B for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 14:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0LjW_dbj8vZ for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 14:33:40 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3311C14F734 for <ipv6@ietf.org>; Fri, 12 Aug 2022 14:33:39 -0700 (PDT)
Received: from [IPV6:2001:67c:27e4:c::1000] (unknown [IPv6:2001:67c:27e4:c::1000]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 5B1DD280172; Fri, 12 Aug 2022 21:33:31 +0000 (UTC)
Message-ID: <ec05eb36-5fe6-8abc-feeb-046f0bcb2bec@si6networks.com>
Date: Fri, 12 Aug 2022 18:33:27 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
Cc: fgont@si6networks.com, ipv6@ietf.org
References: <4d3c116d0461477e9afa4b56c43688fe@huawei.com> <01E08955-E0BF-44B8-839B-4148BD76A819@fugue.com>
From: Fernando Gont <fgont@si6networks.com>
Subject: Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information
In-Reply-To: <01E08955-E0BF-44B8-839B-4148BD76A819@fugue.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/T4dJ1QB2w2Mz5TwjR7qEpRX0bUU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2022 21:33:43 -0000

Hi, Ted,

On 12/8/22 13:52, Ted Lemon wrote:
> FWIW, I would like to see the points made in item 1 addressed in
> slaac-renum. 

Regarding #1, nodes that change their address or that "disappear", I'd 
say that's not really renumbering.

That said, we could clarify in a separate section noting that, e.g.:

   When the Router Lifetime of a router expires, Neighbor Discovery
   information advertised by such router should be disassociated with
   said router -- hence the faith of such information will depend on
   whether such information is advertised by other routers.

Thoughts?




> These heuristics seem straightforward, and with unicast
> RS, they seem low-cost. I am somewhat concerned that a cleverly-timed
> attack while a router is known to be down could result in bogus
> prefixes being preferred on the link until the router comes back, and
> that this could break connections on the link that would otherwise
> survive. But this seems like a fairly useless denial-of-service
> attack.

At the end of the day, you trust the link, or you don't.

An attacker that wants to e.g. cause connections to be reset could do 
things such as:

* Spoof RAs from every router advertising the victim prefix, with a PIO
   valid lifetime of 0, which would make the corresponding addresses
   invalid, and cuase the connections using such addresses to be reset.

* Perform a MITM attack (via spoofed NS, NA, Redirects, or RA), and then
   do traditional TCP RST attacks.

  etc.


> I don’t agree with point 2, mostly because I don’t understand why
> this is good and Eduard’s draft doesn’t say, at least not in section
> 6.5. I’m not entirely clear on what is being said—are we talking
> about prefixes acquired via prefix delegation?

What Eduard is saying wrt #2 is that RFC9096 recommends CPE routers to 
record delegated prefixes on stable storage, but the same recommendation 
should probably apply to routers in general (not just CPE).

In that light, we could borrow the relevant section from RFC9096, such 
that it applies to all routers.

Thoughts?


> I also agree with point 3—it would be good to specify this behavior
> in the document.

Fair enough. I'll craft some text and send it to the list for review.

As always, thanks a lot for your input!

Regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

v2.23.0 | Report a Bug | By Email