Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
Fernando Gont <fgont@si6networks.com> Thu, 07 April 2016 17:27 UTC
Date: Thu, 07 Apr 2016 19:27:27 +0200
Message-ID: <CAG6TeAtrsFZoobj6GHNYJz12CCbEuTndE7BKL_Dq2G02y=zH=g@mail.gmail.com>
Subject: Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
From: Fernando Gont <fgont@si6networks.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/YkJtx0GEquPZNR5JNo_m-UT7So0>
Cc: 6man WG <ipv6@ietf.org>
Yes. I will be reviewing everything and preparing the proto writeup no later than tomorrow.

Thanks!
Fernando

On 7/4/2016 9:59, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> wrote:
> Hi Fernando and Ole,
> I believe that I have addressed all of the comments from 6man WG with the
> following revision:
> https://tools.ietf.org/html/draft-ietf-6man-rdnss-rfc6106bis-12
>
> Could you review it and make it forward from WGLC?
>
> Thanks.
>
> Paul
>
> On Mon, Mar 21, 2016 at 9:41 PM, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:
>
>> Hi Tassos,
>> Thanks for your comments.
>> I put my answers inline below with "=>".
>>
>> On Fri, Mar 18, 2016 at 6:38 PM, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:
>>
>>> otroan@employees.org wrote on 18/3/2016 10:44 AM:
>>> > Paul,
>>> >
>>> >> I took a look at the draft of
>>> >> https://www.ietf.org/id/draft-ietf-v6ops-dhcpv6-slaac-problem-06.txt.
>>> >>
>>> >> From Case 4 (all RA flags are set, that is, M=1, A=1, O=1) in A.2.2,
>>> >> Fedora 21 and Centos 7 let the DNS of the RAs have higher priority, but
>>> >> MAC OS-X lets the DNS of DHCPv6 have higher priority.
>>> >> In the current implementations, there is no consistency to handle
>>> >> RDNSS options from RA and DHCPv6.
>>> >>
>>> >> Thus, I suggest the following text with the preference for DHCPv6 because
>>> >> there is no strong rationale, but there must be somehow a guidance
>>> >> to handle this case:
>>> >>
>>> >> The DNS options from Router Advertisements and DHCP SHOULD be
>>> >> stored into the DNS Repository and Resolver Repository so that
>>> >> information from DHCP appears there first and therefore takes
>>> >> precedence. This document recommends that the DNS information
>>> >> from DHCP should have higher priority than that of RA for
>>> >> DNS queries to handle the case of the coexistence of RA and DHCP.
>>> >>
>>> >> If anyone does not object to this text, I will revise the draft with it.
>>> >
>>> > I would prefer this document focused solely on specifying the RA DNS
>>> > options, and did not stray into more general configuration complexity.
>>> >
>>> > getting information from multiple sources is a more general problem in
>>> > IPv6, and I don't want us to "solve" (if that's possible) that problem in
>>> > this document.
>>> >
>>> > "the less you say, the less likely you are to say something wrong". ;-)
>>> >
>>> > Best regards,
>>> > Ole
>>> >
>>> So we leave the DHCP/RA preference choice to the implementers?
>>>
>> => Since this issue is not standardized yet, we will leave it to the
>> implementers.
>>
>>>
>>> Something else that doesn't seem ok to me.
>>> > However, the security of these RA options for DNS configuration does
>>> > not affect ND protocol security [RFC4861]. This is because learning
>>> > DNS information via the RA options cannot be worse than learning bad
>>> > router information via the RA options. Therefore, the vulnerability
>>> > of ND is not worse and is a subset of the attacks that any node
>>> > attached to a LAN can do.
>>>
>>> I do not agree with the statement "learning DNS information via the RA
>>> options cannot be worse than learning bad router information via the RA
>>> options".
>>> I believe that bad router exploitation is at a local level, while bad
>>> DNS exploitation is at a global level. So while the origin of the attack
>>> can be the same (a node attached to the LAN), the easiness/effectiveness
>>> of the attack can be greater in the case of DNS.
>>>
>> => By the invalid RDNSS addresses, the DNS query messages from
>> IPv6 hosts can be generated and sent toward those addresses over the link
>> to which the hosts are attached. However, in the aspect of IPv6 hosts,
>> the vulnerability level for ND service seems still the same.
>>
>>>
>>> Also, I have spotted a few more places for further clarification:
>>>
>>> > Step (c): For each RDNSS address, if it already exists in the DNS
>>> > Server List, then...
>>>
>>> Step (c): For each RDNSS address, if it already exists in the DNS
>>> Server List and the RDNSS option's Lifetime field is not set to
>>> zero, then....
>>>
>> => This clarification looks good. I will reflect this in the revision.
>>
>>> > Step (d): For each RDNSS address, if it does not exist in the DNS
>>> > Server List, register the RDNSS address and Lifetime with the DNS
>>> > Server List and then insert the RDNSS address in front of the
>>> > Resolver Repository.
>>>
>>> ...and then insert the RDNSS address as the first one in the Resolver
>>> Repository.
>>>
>> => This clarification looks good, too. I will reflect this in the revision.
>>
>> Thanks.
>>
>> Best Regards,
>> Paul
>>
>>> --
>>> Tassos
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>
>> --
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Assistant Professor
>> Department of Software
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
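The DNS Server List / Resolver Repository update that the quoted Step (c) and Step (d) describe, including the zero-Lifetime case Tassos asked to have spelled out, as an added Python example that is not part of this thread or of the draft. The option layout (Type 25, Length in 8-octet units, Reserved, 4-byte Lifetime, 16-byte addresses) follows RFC 6106; the `build_rdnss` helper and all addresses are constructed here for test input, and `DnsConfig` is a hypothetical host-side model. Strict length checking and honouring Lifetime expiry are what stop a host from keeping resolvers that a malformed or stale RA handed it.

```python
import ipaddress
import struct
ND_OPT_RDNSS = 25               # RDNSS option type (RFC 6106)
INFINITE_LIFETIME = 0xFFFFFFFF  # all-ones Lifetime means "never expires"

def build_rdnss(lifetime, addrs):
    """Constructed test input: Type, Length (8-octet units), Reserved, Lifetime, addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBHI", ND_OPT_RDNSS, 1 + 2 * len(addrs), 0, lifetime) + body

def parse_rdnss(option):
    """Return (lifetime, [IPv6Address]); reject anything that is not a well-formed RDNSS option."""
    if len(option) < 8 or option[0] != ND_OPT_RDNSS:
        raise ValueError("not an RDNSS option")
    length = option[1]
    # Length is 1 + 2*n units for n >= 1 addresses: odd, at least 3, and matching the bytes given.
    if length < 3 or length % 2 == 0 or len(option) != length * 8:
        raise ValueError("bad RDNSS option length")
    lifetime = struct.unpack("!I", option[4:8])[0]
    addrs = [ipaddress.IPv6Address(option[i:i + 16]) for i in range(8, len(option), 16)]
    return lifetime, addrs

class DnsConfig:
    def __init__(self):
        self.server_list = {}    # DNS Server List: address -> absolute expiry (None = infinite)
        self.resolver_repo = []  # Resolver Repository: order in which servers are queried

    def process_rdnss(self, option, now):
        lifetime, addrs = parse_rdnss(option)
        expiry = None if lifetime == INFINITE_LIFETIME else now + lifetime
        for addr in addrs:
            if addr in self.server_list:
                if lifetime == 0:
                    self._drop(addr)  # zero Lifetime: the address must no longer be used
                else:
                    self.server_list[addr] = expiry  # step (c): refresh Lifetime, keep position
            elif lifetime != 0:
                # step (d): register it and make it the first entry of the Resolver Repository
                self.server_list[addr] = expiry
                self.resolver_repo.insert(0, addr)
    def expire(self, now):
        for addr, exp in list(self.server_list.items()):
            if exp is not None and exp <= now:
                self._drop(addr)
    def _drop(self, addr):
        del self.server_list[addr]
        self.resolver_repo.remove(addr)
    def resolvers(self):
        return [str(a) for a in self.resolver_repo]
```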