Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information
Fernando Gont <fgont@si6networks.com> Fri, 12 August 2022 21:33 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1A6C157B3B for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 14:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0LjW_dbj8vZ for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 14:33:40 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3311C14F734 for <ipv6@ietf.org>; Fri, 12 Aug 2022 14:33:39 -0700 (PDT)
Received: from [IPV6:2001:67c:27e4:c::1000] (unknown [IPv6:2001:67c:27e4:c::1000]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 5B1DD280172; Fri, 12 Aug 2022 21:33:31 +0000 (UTC)
Message-ID: <ec05eb36-5fe6-8abc-feeb-046f0bcb2bec@si6networks.com>
Date: Fri, 12 Aug 2022 18:33:27 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
Cc: fgont@si6networks.com, ipv6@ietf.org
References: <4d3c116d0461477e9afa4b56c43688fe@huawei.com> <01E08955-E0BF-44B8-839B-4148BD76A819@fugue.com>
From: Fernando Gont <fgont@si6networks.com>
Subject: Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information
In-Reply-To: <01E08955-E0BF-44B8-839B-4148BD76A819@fugue.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/T4dJ1QB2w2Mz5TwjR7qEpRX0bUU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2022 21:33:43 -0000
Hi, Ted, On 12/8/22 13:52, Ted Lemon wrote: > FWIW, I would like to see the points made in item 1 addressed in > slaac-renum. Regarding #1, nodes that change their address or that "disappear", I'd say that's not really renumbering. That said, we could clarify in a separate section noting that, e.g.: When the Router Lifetime of a router expires, Neighbor Discovery information advertised by such router should be disassociated with said router -- hence the faith of such information will depend on whether such information is advertised by other routers. Thoughts? > These heuristics seem straightforward, and with unicast > RS, they seem low-cost. I am somewhat concerned that a cleverly-timed > attack while a router is known to be down could result in bogus > prefixes being preferred on the link until the router comes back, and > that this could break connections on the link that would otherwise > survive. But this seems like a fairly useless denial-of-service > attack. At the end of the day, you trust the link, or you don't. An attacker that wants to e.g. cause connections to be reset could do things such as: * Spoof RAs from every router advertising the victim prefix, with a PIO valid lifetime of 0, which would make the corresponding addresses invalid, and cuase the connections using such addresses to be reset. * Perform a MITM attack (via spoofed NS, NA, Redirects, or RA), and then do traditional TCP RST attacks. etc. > I don’t agree with point 2, mostly because I don’t understand why > this is good and Eduard’s draft doesn’t say, at least not in section > 6.5. I’m not entirely clear on what is being said—are we talking > about prefixes acquired via prefix delegation? What Eduard is saying wrt #2 is that RFC9096 recommends CPE routers to record delegated prefixes on stable storage, but the same recommendation should probably apply to routers in general (not just CPE). In that light, we could borrow the relevant section from RFC9096, such that it applies to all routers. Thoughts? > I also agree with point 3—it would be good to specify this behavior > in the document. Fair enough. I'll craft some text and send it to the list for review. As always, thanks a lot for your input! Regards, -- Fernando Gont e-mail: fernando@gont.com.ar PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01 -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
- draft-ietf-6man-slaac-renum: Heuristics to deprec… Vasilenko Eduard
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Michael Richardson
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Fernando Gont
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Fernando Gont
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Fernando Gont
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- network identification was: Re: draft-ietf-6man-s… Fernando Gont
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Jan Zorz - Go6
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Fernando Gont
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Ted Lemon
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Pascal Thubert (pthubert)
- PIO Lifetimes (was: Re: draft-ietf-6man-slaac-ren… Fernando Gont
- Re: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Ted Lemon
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Vasilenko Eduard
- RE: draft-ietf-6man-slaac-renum: Heuristics to de… Vasilenko Eduard
- Re: draft-ietf-6man-slaac-renum: Heuristics to de… Pascal Thubert (pthubert)
- Multi-router-multi-prefix (was:Re: draft-ietf-6ma… Fernando Gont
- Re: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Ted Lemon
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Loba Olopade
- Re: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Fernando Gont
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Loba Olopade
- Re: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Fernando Gont
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Vasilenko Eduard
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Vasilenko Eduard
- RE: Multi-router-multi-prefix (was:Re: draft-ietf… Pascal Thubert (pthubert)
- Re: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Ted Lemon
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Vasilenko Eduard
- Re: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Pascal Thubert (pthubert)
- RE: PIO Lifetimes (was: Re: draft-ietf-6man-slaac… Loba Olopade