IETF Logo Mail Archive

Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05

Mikael Abrahamsson <swmike@swm.pp.se> Thu, 09 May 2019 09:08 UTC

Return-Path: <swmike@swm.pp.se>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31DE8120108 for <ipv6@ietfa.amsl.com>; Thu, 9 May 2019 02:08:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=swm.pp.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uDoB3ZHo6QEF for <ipv6@ietfa.amsl.com>; Thu, 9 May 2019 02:08:06 -0700 (PDT)
Received: from uplift.swm.pp.se (swm.pp.se [212.247.200.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1A70120020 for <ipv6@ietf.org>; Thu, 9 May 2019 02:08:05 -0700 (PDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id 69B48B2; Thu, 9 May 2019 11:08:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1557392883; bh=iBwPZK0KSgKuWEN8DlzRBo3hJ+pZxb/y8ay/gjaVyXQ=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=AViFdsBlwuDGhK94ZiajBMrkWFKouIqIJT7F8++SuJ5B9qnXeh2bvhrqf41n2H45r yOqR1eDpX4rL66sUHcyVqYwiS+40yRABO3Ji0gXDgW4Q+1vPiBtiXU9PMsJdbMAYyZ CiQSQdHC5g6xVnPWjYzPPFXiq/bn926QBod1AK0I=
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id 67DA6B1; Thu, 9 May 2019 11:08:03 +0200 (CEST)
Date: Thu, 09 May 2019 11:08:03 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Ole Troan <otroan@employees.org>
cc: 6man WG <ipv6@ietf.org>
Subject: Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05
In-Reply-To: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org>
Message-ID: <alpine.DEB.2.20.1905091054560.1824@uplift.swm.pp.se>
References: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/UjES_ZObNEH2CFo1V72ygzeMdiM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 May 2019 09:08:08 -0000

On Mon, 29 Apr 2019, Ole Troan wrote:

> At the 6man meeting at IETF 104 in Prague there was support to close the working group last call and advance
> draft-ietf-6man-ipv6only-flag-05 to the IESG.
>
> This call is to confirm that decision on the mailing list.
>
> Please give objections and comments to this decision to the mailing list, by 2019-05-13.

Having discussed the objections to this draft with multiple people, I 
propose to enhance the document with some text regarding mitigation of the 
rouge RA with bit=1.

The main objections I have seen are:

An attaching host will not start IPv4 operations until it has received 
(and decided it's received all of them) RA answers to its initial RS 
message, because before this it doesn't know what the flag will be. This 
will increase attachment times before a working setup can be had on IPv4 
only links. I think this is a valid concern.

Problematic text:

"   A host that receives only RAs with the flag set to 1 SHOULD NOT
    attempt any IPv4 operations, unless it subsequently receives at least
    one RA with the flag set to zero.  As soon as such an RA is received,
    IPv4 operations MAY be started.
"

This text can be changed so that IPv4 and IPv6 operations MAY be started 
simultaneously and then the presence of this flag means IPv4 DHCP timers 
etc can be agressively backed off and IPv4 LL operations SHOULD NOT be 
performed.


Secondly, In the security section:

"   o  An attack would not succeed if the dual stack hosts had active
       IPv4 configuration.  As specified in Section 7, a dual stack host
       will ignore the flag if it has active IPv4 configuration."

There needs to be text that handles the (today not mentioned) case of a 
device that attaches to a link, wait to see if the flag is set (doesn't 
perform IPv4 operations), and then trusts it. A mitigation section can be 
added that to mitigate this problem, presence of IPv4 can be verified by 
trying IPv4 operations and if no DHCP answer is seen in a timely fashion 
and RA with bit=1 then IPv4 operations SHOULD be ceased. This still 
doesn't handle the case where a host actually should have configured 
itself an IPv4 LL and talked to other IPv4 LL hosts to do something 
useful, but I think this is a quite rare event that the IPv6 only flag=1 
is seen on a network without DHCPv4 and it's desired that IPv4 LL 
operations should exist? Anyhow, text on this case can be part of a 
section as well.

Thoughts?

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se

v2.23.0 | Report a Bug | By Email