Re: [v6ops] SLAAC security concerns

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 05 August 2020 05:58 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Mark Smith <markzzzsmith@gmail.com>
CC: Gert Doering <gert@space.net>, Michael Richardson <mcr+ietf@sandelman.ca>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Subject: Re: [v6ops] SLAAC security concerns
Thread-Topic: [v6ops] SLAAC security concerns
Thread-Index: AdZqh2IDVN0JAX5fTSutty/fgHiG3AAEFP4AAAf3rAAADXn38g==
Date: Wed, 05 Aug 2020 05:58:48 +0000
Message-ID: <6F523F5D-99F0-40D9-82DA-723D6FE54D95@cisco.com>
References: <f52c4463862f44b5ba2a9d41db86d231@huawei.com> <20200804194448.GA2485@Space.Net>, <CAO42Z2x_AE=W2gQd4t3nZPVvGCxT3u0L0BCGJPZ0RFo+2m8Xbg@mail.gmail.com>
In-Reply-To: <CAO42Z2x_AE=W2gQd4t3nZPVvGCxT3u0L0BCGJPZ0RFo+2m8Xbg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/YBPFowlMazxEDonkCS3gKOhswnE>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>

True, there are pros and cons and engineering trade-offs as usual. That’s why we are here.

It doesn’t mean that this particular benefit is the most important consideration in all situations. The distributed approach has large consequences in usage of broadcast, security (DoS, SAVI, hijacking) and reactivity (lookup reactive to outstanding packets) that make it unsuitable in many modern forms of L2 networks.

In fact DHCP in the IPv4 world has survived quite successfully through the years without being the major pain point that broadcast storms have been.

The state in a centralized ND database can be synchronized. It’s not that hard. Routing protocols do that all the time. In fact a Route Type 2 in EVPN is exactly that.

Bottom line is that there may be a very large number of small deployments such as home where stateless ND and the associated multicast are quite fine. But there is also a growing number of larger networks (enterprise, conference wireless, distributed fabrics, cloud) where it’s completely ill-suited.

So yes, we need an ND solution that uses only unicast, has inherent SAVI and ownership control, scales to large numbers of devices and is not an easy target for remote DoS.

Keep safe,

Pascal

On 5 Aug 2020, at 01:34, Mark Smith <markzzzsmith@gmail.com> wrote:

On Wed, 5 Aug 2020, 05:44 Gert Doering, <gert@space.net> wrote:
Hi,

On Tue, Aug 04, 2020 at 06:00:39PM +0000, Vasilenko Eduard wrote:
> I believe that Multicast is so basic function of SLAAC that it does not make sense to delete it.

Have I heard "delete multicast" here?

Yes, please!

There are too many broken switch vendors out there who show again and
again that "implementing multicast is hard", breaking IPv6 ND in the
process.

The motivation for going to multicast "back in the dark ages" might have
been honorable, but in today's networks, it just adds needless complications.

Multicast also shifts and distributes state away from a central device.

A central device is a point of failure with much bigger consequences, and is a harder thing to make redundant, since a state synchronisation and load selection or distribution mechanism has to be invented between a primary and one or more backup nodes.

Nodes maintaining their own state is simpler and means that when a node fails, the loss of state due to the failure only impacts the failed node.

A specific design for redundant DHCPv6 has to exist. Redundancy in SLAAC came inherently in its design because a node failure only impacts that node.



Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
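As an added illustration of the trade-off argued above (this is example code written for this page, not code from the thread, from any RFC, or from either author): a toy model contrasting the classic multicast-based, distributed ND with a centralised registry that binds each address to an owner and a switch port. The node names, ports, addresses and the `owner_id` tokens are constructed; the token stands in for whatever ownership proof a registration-based design would use, which the message does not specify. The `sync_to` method is a deliberately simplified analogue of the registrar-to-registrar state synchronisation Pascal compares to an EVPN Route Type 2, not an EVPN implementation.

```python
"""Toy comparison of multicast/distributed ND against a registry-based ND.

Constructed model for illustration only; it implements neither RFC 4861
nor any registration-based ND RFC, it only reproduces the properties the
thread argues about: multicast fan-out, DAD DoS, NA hijack, SAVI, and
state synchronisation between a primary and a backup registrar.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    port: str                     # switch port the node hangs off
    owner_id: str                 # hypothetical ownership token (assumed)
    addresses: set = field(default_factory=set)


class MulticastND:
    """Distributed ND: every NS is delivered to every node on the link and
    nothing binds an address to a port. Any node can answer for any address
    (an NA with the Override flag replaces the cache entry: hijack) and can
    answer every DAD probe so the victim never configures an address (DoS)."""

    def __init__(self) -> None:
        self.nodes: list[Node] = []
        self.multicast_deliveries = 0   # how many copies the link had to flood

    def attach(self, node: Node) -> None:
        self.nodes.append(node)

    def dad(self, claimant: Node, addr: str, rogue: Optional[Node] = None) -> bool:
        self.multicast_deliveries += len(self.nodes) - 1   # NS to solicited-node group
        for n in self.nodes:
            if n is claimant:
                continue
            if addr in n.addresses or n is rogue:          # rogue claims everything
                return False                               # a reply means DAD fails
        claimant.addresses.add(addr)
        return True

    def resolve(self, addr: str, rogue: Optional[Node] = None) -> Optional[str]:
        self.multicast_deliveries += len(self.nodes) - 1
        if rogue is not None:
            return rogue.name            # rogue's overriding NA wins the cache entry
        for n in self.nodes:
            if addr in n.addresses:
                return n.name
        return None


class RegistryND:
    """Registry-based ND: nodes register addresses by unicast with a registrar
    that stores addr -> (owner_id, port, name). A second registration by a
    different owner is refused, lookups are answered from the table without
    touching the link, and the port binding gives a SAVI-style source check."""

    def __init__(self) -> None:
        self.table: dict[str, tuple[str, str, str]] = {}
        self.multicast_deliveries = 0   # never incremented: everything is unicast

    def register(self, node: Node, addr: str) -> bool:
        bound = self.table.get(addr)
        if bound is not None and bound[0] != node.owner_id:
            return False                 # address already owned by someone else
        self.table[addr] = (node.owner_id, node.port, node.name)   # new or refresh
        node.addresses.add(addr)
        return True

    def resolve(self, addr: str) -> Optional[str]:
        bound = self.table.get(addr)
        return None if bound is None else bound[2]

    def savi_check(self, src_addr: str, ingress_port: str) -> bool:
        """Forward only if the source address is registered on this port."""
        bound = self.table.get(src_addr)
        return bound is not None and bound[1] == ingress_port

    def sync_to(self, backup: "RegistryND") -> None:
        """Simplified state sync: existing bindings on the backup are kept."""
        for addr, binding in self.table.items():
            backup.table.setdefault(addr, binding)


def demo() -> dict:
    """Run both models over the same constructed nodes and return the outcomes."""
    alice = Node("alice", "port1", owner_id="tok-a")
    bob = Node("bob", "port2", owner_id="tok-b")
    mallory = Node("mallory", "port3", owner_id="tok-m")
    r: dict = {}

    link = MulticastND()
    for n in (alice, bob, mallory):
        link.attach(n)
    r["mc_dad_ok"] = link.dad(alice, "2001:db8::a")                  # True
    r["mc_dad_dos"] = link.dad(bob, "2001:db8::b", rogue=mallory)    # False: DAD DoS
    r["mc_hijack"] = link.resolve("2001:db8::a", rogue=mallory)      # "mallory"
    r["mc_multicast"] = link.multicast_deliveries                    # 6 flooded copies

    reg = RegistryND()
    r["reg_alice"] = reg.register(alice, "2001:db8::a")              # True
    r["reg_mallory_dup"] = reg.register(mallory, "2001:db8::a")      # False: not owner
    r["reg_alice_refresh"] = reg.register(alice, "2001:db8::a")      # True: same owner
    r["reg_resolve"] = reg.resolve("2001:db8::a")                    # "alice"
    r["reg_savi_ok"] = reg.savi_check("2001:db8::a", "port1")        # True
    r["reg_savi_spoof"] = reg.savi_check("2001:db8::a", "port3")     # False: spoofed src
    r["reg_multicast"] = reg.multicast_deliveries                    # 0
    backup = RegistryND()
    reg.sync_to(backup)
    r["backup_resolve"] = backup.resolve("2001:db8::a")              # "alice"
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The point the model makes is the one the message makes in prose: in the multicast design the rogue needs no privilege beyond link access to defeat DAD or hijack a neighbour, and every lookup costs a flood, whereas the registry refuses a competing owner, answers lookups without multicast, gives the switch a per-port binding to enforce (SAVI), and its table is plain state that a backup registrar can absorb.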