IETF Logo Mail Archive

Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt

Erik Nordmark <nordmark@acm.org> Sat, 18 January 2014 05:02 UTC

Return-Path: <nordmark@acm.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 909EC1ADE71 for <ipv6@ietfa.amsl.com>; Fri, 17 Jan 2014 21:02:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHy1Vd4Bip3E for <ipv6@ietfa.amsl.com>; Fri, 17 Jan 2014 21:02:20 -0800 (PST)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) by ietfa.amsl.com (Postfix) with ESMTP id 43BC91ADDD1 for <ipv6@ietf.org>; Fri, 17 Jan 2014 21:02:20 -0800 (PST)
Received: from [10.0.1.44] (184-23-158-201.dsl.dynamic.sonic.net [184.23.158.201]) (authenticated bits=0) by d.mail.sonic.net (8.14.4/8.14.4) with ESMTP id s0I51tr5017233 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Fri, 17 Jan 2014 21:01:56 -0800
Message-ID: <52DA0AC3.3090607@acm.org>
Date: Fri, 17 Jan 2014 21:01:55 -0800
From: Erik Nordmark <nordmark@acm.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Greg Daley <gdaley@au.logicalis.com>, 'Ing-Wher Chen' <ing-wher.chen@ericsson.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
References: <20140111004402.10451.90724.idtracker@ietfa.amsl.com> <BF6E0BD839774345977891C597F8B50C5CE74C@eusaamb109.ericsson.se> <72381AF1F18BAE4F890A0813768D992817FCA84E@sdcexchms.au.logicalis.com>
In-Reply-To: <72381AF1F18BAE4F890A0813768D992817FCA84E@sdcexchms.au.logicalis.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Sonic-ID: C;mtH9pv1/4xGuvoIY+v0w6Q== M;bgwrp/1/4xGuvoIY+v0w6Q==
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2014 05:02:22 -0000

Greg,

In addition to your concern about multicast snooping environments, the 
DAD packets are not reliably delivered. If e.g. there is a short WiFi 
drop, the spanning tree is reconverging, etc then the single transmitted 
DAD packet will not be received.

Thus as best this will collect some entries in the neighbor cache.

It isn't at all clear when a node should discard entries from its 
neighbor cache. That is potentially problematic when there are lots of 
devices that pick new temporary IPv6 addresses each time they power on 
since that will force routers to sooner or later discard entries from 
the neighbor cache. The routers would have to guess which addresses 
might still be assigned to the hosts.

Thus all in all this is not a robust approach to the problem.

    Erik


On 1/16/14 6:14 PM, Greg Daley wrote:
> Hi Helen,
>
> I've got a couple of issues with the draft apart from IPR.
>
> It seems that principal assumption is that off-link flooding can occur due to sending packets to unknown host destinations on a subnet, and reuses the mandatory DAD-NS transmission as a proof-of-life for an address to avoid packets being transmitted on the link.
>
> Firstly, I think there could be simpler mitigation techniques for this:
> 1/ Mandate DHCP for global prefixes - which ensures that the devices send packets to routers on the link to keep their address (and limit unregistered address lookups)
> 2/ Treat on-link generated ND Cache entries (or entries which have previously been REACHABLE) as different to off-link generated (rate limit).
>
> In that case, the ND resolution behaviour for incomplete off-link is reduced and live communications cannot be impacted. There is still a potential DoS issue for initiating communications to quiet servers, but if the on-link server has ever talked to the router it could still have a STALE NCE.
>
> Secondly, the proposal assumes that DAD-NS packets are visible to all devices on the link, whereas they aren't in a Multicast-snooped environment.
>
> This implicitly requires that the router is assigned to an all-multi interface on the switch infrastructure, which it may be (but this isn't stated).  It also negates the general applicability of this to hosts (rather than routers).
>
> Neighbour Solicitation messages for incomplete entries (per RFC 4861 S7.2.2) will be dropped by the snooping switches if there is no Multicast subscriber for the solicited nodes' multicast address.  Not only is this a mitigation of the potential attack, but also indicates an alternative for non-snooping networks:
>
> 3/ Monitor the solicited nodes' addresses in the MLD querier router, and do not transmit an NS from off-link for an incomplete address unless someone is listening.
>
>
> So I guess my comment is that we have two other potential solutions for mitigating transmission of off-link initiated NS's ( 1- Use DHCP bindings and 3 - MLD Solicited Nodes'), and some fair ideas for mitigating resource challenges in the ND engine (2), and decreased applicability in multicast snoop environments.
>
> Can you tell us why we should use this encumbered solution?
>
> Sincerely,
>
> Greg Daley
> gdaley@au.logicalis.com
>
>
>
>
> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Ing-Wher Chen
> Sent: Tuesday, 14 January 2014 9:53 AM
> To: ipv6@ietf.org
> Subject: RE: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
>
> Please note that we're actively working with Ericsson's legal department on an IPR disclosure regarding the draft.
>
> Thanks,
> Helen
>
> -----Original Message-----
> From: Ing-Wher Chen
> Sent: Monday, January 13, 2014 2:37 PM
> To: 'ipv6@ietf.org'
> Subject: FW: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
>
> Hello,
>
> The informational draft below documents Ericsson's solution, deployed since early 2013, regarding Mikael's concern in the recent discussion about ND denial-of-service attacks.  The draft also elaborates on Lorenzo's point regarding discovering neighbors based on DAD-NS packets.
>
> Thanks,
> Helen
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: Friday, January 10, 2014 4:44 PM
> To: Joel Halpern; Ing-Wher Chen; Joel Halpern; Ing-Wher Chen
> Subject: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
>
>
> A new version of I-D, draft-halpern-6man-nd-pre-resolve-addr-00.txt
> has been successfully submitted by I. Chen and posted to the IETF repository.
>
> Name:		draft-halpern-6man-nd-pre-resolve-addr
> Revision:	00
> Title:		Triggering ND Address Resolution on Receiving DAD-NS
> Document date:	2014-01-10
> Group:		Individual Submission
> Pages:		7
> URL:            http://www.ietf.org/internet-drafts/draft-halpern-6man-nd-pre-resolve-addr-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-halpern-6man-nd-pre-resolve-addr/
> Htmlized:       http://tools.ietf.org/html/draft-halpern-6man-nd-pre-resolve-addr-00
>
>
> Abstract:
>     This draft proposes a new optional event to trigger address
>     resolution using IPv6 Neighbor Discovery.  This helps optimize router
>     performance, and can help mitigate certain potential ND-related
>     denial-of-service attacks.  Upon receiving a DAD-NS message, the
>     neighbor solicitation message used to detect duplicate addresses, if
>     the target address encoded in the DAD-NS is not a duplicate address,
>     the receiving device responds by triggering address resolution for
>     the target address in the DAD-NS, in preparation for expectant future
>     communication with the sending device.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email