IETF Logo Mail Archive

Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis

Fernando Gont <fgont@si6networks.com> Thu, 07 April 2016 17:27 UTC

Return-Path: <fgont.mobile@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5950612D1A3 for <ipv6@ietfa.amsl.com>; Thu, 7 Apr 2016 10:27:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXk-kJKJaktl for <ipv6@ietfa.amsl.com>; Thu, 7 Apr 2016 10:27:28 -0700 (PDT)
Received: from mail-ig0-x236.google.com (mail-ig0-x236.google.com [IPv6:2607:f8b0:4001:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3294C12D1DE for <ipv6@ietf.org>; Thu, 7 Apr 2016 10:27:28 -0700 (PDT)
Received: by mail-ig0-x236.google.com with SMTP id ui10so76592042igc.1 for <ipv6@ietf.org>; Thu, 07 Apr 2016 10:27:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=4RYzXEOJ+VZy6Va6V3UTRij4vowQufkP9VnLvmt4tcI=; b=dZc6xhMkh70QXhiXC5xWYh1JV5bu4T6p4coGdMPGTJDjejso8XSmT7t7+S2XWmVoZ4 R6PBgoJzzobALuOVEhXr+7gA19JP+TsYjKHHhfmh63IAdV1SWbDqGni4NgirzzgglSFD 24Wk0vT0pOwRcMHe7PqT9uQsT6TTPJXF8gnQtMVTcMMXE6Dbo9yiK9faD9uFhPNMHGAr nWmQ1bVZyI8NNaafkLhmUQMGtZ9/0ZJUfPNTKHUDeKMXgcKB5jUg7qMyPDaVwiVzTDF1 17P43fDcMxfNOhKGIQf3yCi9FzM3XzD+09g2byxj5YcF5WcK3Ji5LEgV9WcQwQ7iCyQW SQeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=4RYzXEOJ+VZy6Va6V3UTRij4vowQufkP9VnLvmt4tcI=; b=UV1SScJpHY9ZJLM2CfzR7B20989w1BC3j4d/W9PJmlqXI1LjkZx8a48R6FRYvAugIj io3NaoI7ge667T+wpJpAowEayVoE40bNVLV4RxHb2+elphO2hwDNKqb+aAvZEcMROZO7 GHmNOqlHSvscppV5ZQVi2G7dCrvvYa+6UXs2v5ur99uH5ebsT/5hZfFeAN5BMnC+/xDg l14nTsIM3IGKYM48Evqh9/+x8/WF/7cQMp6z4r4j3ZRMLJ5k3F4dWUpMKKaPwviIlxaI WiMOoedOhvUVfbDAyO+8+jOjqROYoP9IShiv6bK099m+bAbYUjhvXCrsdiMW26P7anaI 0oJA==
X-Gm-Message-State: AD7BkJL8XFAOqBfZYTDgHLs9iyPlVBeG2Qdm2cGoA4/a7+XSPkNr/RzxeTlHdJOUMYa5sfaN7K4S3FPvitjNTg==
MIME-Version: 1.0
X-Received: by 10.50.30.41 with SMTP id p9mr4433684igh.86.1460050047551; Thu, 07 Apr 2016 10:27:27 -0700 (PDT)
Sender: fgont.mobile@gmail.com
Received: by 10.36.110.13 with HTTP; Thu, 7 Apr 2016 10:27:27 -0700 (PDT)
Received: by 10.36.110.13 with HTTP; Thu, 7 Apr 2016 10:27:27 -0700 (PDT)
In-Reply-To: <CAPK2DezKbdA-ScoNqL7k1onv2brgbNACvFcS8XkTjSyk6bgNsg@mail.gmail.com>
References: <6AC58C26-01B6-4C16-851F-0C1228CDD2AF@employees.org> <CAJE_bqfeLxURYwMDcjMtSnyb2WBeYu_5Yq_2Yyo_O9sqHRn+og@mail.gmail.com> <73EEC8CE-EDC8-45FC-AE4F-F390F965304F@employees.org> <CAPK2DezV9vKYrHCAJJ_bFQZa02MCJMPdX7=BtL-tPzOj+da6vQ@mail.gmail.com> <CAJE_bqd316puXTvku3hMMGnThOV3JGMbLK_erQJDd6ic-BNJgA@mail.gmail.com> <CAPK2DezfW5khZyW-2wNfZ04=BSV2xq57Z52WDCoeivt4J9tvig@mail.gmail.com> <CAJE_bqfLtPmFBqZXDCfnnxZHUvzQFbicV0dweS23VjL_oEbDVg@mail.gmail.com> <CAPK2Dew4AVuZ9ssQnwSfbGu7vfS1f__8tgNWk9WFhEep7wPdGA@mail.gmail.com> <56EA8D27.3060704@forthnet.gr> <CAPK2DeyT-K1LR3+dAuLiuS2L=xr7Q4e2N-QZAoWHRC_cQSFKzw@mail.gmail.com> <CAKD1Yr142AT1UKfdQG4D9HaROJKKJN8Zj+ywj3sp9T-qNq7wNQ@mail.gmail.com> <56EAAD36.20901@si6networks.com> <CAKD1Yr1RH2r7H7Zq5y7ZRLx1v87jNWHy5n_eQDLWL9kfL7L2mg@mail.gmail.com> <CAPK2DewGU4sM4yqN-bgc7zQ77F_ednZ8X0-VyQRmD_aoZCgapA@mail.gmail.com> <1C086B9C-C1FD-4C53-823D-0A58A2DDE607@employees.org> <56EBCC78.6030206@forthnet.gr> <CAPK2Dez6kD4WQf9tEuWj5ccX_v53bSw-gzwy_+KQ6Z=F68tjEA@mail.gmail.com> <CAPK2DezKbdA-ScoNqL7k1onv2brgbNACvFcS8XkTjSyk6bgNsg@mail.gmail.com>
Date: Thu, 07 Apr 2016 19:27:27 +0200
X-Google-Sender-Auth: Zg_WMia3-Z2zIY-UIRatXC_h2pY
Message-ID: <CAG6TeAtrsFZoobj6GHNYJz12CCbEuTndE7BKL_Dq2G02y=zH=g@mail.gmail.com>
Subject: Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
From: Fernando Gont <fgont@si6networks.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bdc1b687051d7052fe864a2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/YkJtx0GEquPZNR5JNo_m-UT7So0>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 17:27:32 -0000

Yes. I will be reviewing evrything and preparing the proto writeup no later
than tomorrow.

Thanks!
Fernando

El 7/4/2016 9:59, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
escribió:

> Hi Fernando and Ole,
> I believe that I have addresses all of the comments from 6man WG with the
> following revision:
> https://tools.ietf.org/html/draft-ietf-6man-rdnss-rfc6106bis-12
>
> Could you review it and make it forward from WGLC?
>
> Thanks.
>
> Paul
>
>
> On Mon, Mar 21, 2016 at 9:41 PM, Mr. Jaehoon Paul Jeong <
> jaehoon.paul@gmail.com> wrote:
>
>> Hi Tassos,
>> Thanks for your comments.
>> I put my answers inline below with "=>".
>>
>> On Fri, Mar 18, 2016 at 6:38 PM, Tassos Chatzithomaoglou <
>> achatz@forthnet.gr> wrote:
>>
>>> otroan@employees.org wrote on 18/3/2016 10:44 πμ:
>>> > Paul,
>>> >
>>> >> I took a look at the draft of
>>> https://www.ietf.org/id/draft-ietf-v6ops-dhcpv6-slaac-problem-06.txt.
>>> >>
>>> >> From Case 4 (all RA flags are set, that is, M=1, A=1, O=1) in A.2.2,
>>> >> Fedora 21 and Centos 7 let the DNS of the RAs have higher priority,
>>> but
>>> >> MAC OS-X lets the DNS of DHCPv6 have higher priority.
>>> >> In the current implementations, there is no consistency to handle
>>> RDNSS options from RA and DHCPv6.
>>> >>
>>> >> Thus, I suggest the following text with the preference for DHCPv6
>>> because
>>> >> there is no a stong rationale, but there must be somehow a guidance
>>> to handle this case:
>>> >>
>>> >> The DNS options from Router Advertisements and DHCP SHOULD be
>>> >> stored into the DNS Repository and Resolver Repository so that
>>> >> information from DHCP appears there first and therefore takes
>>> >> precedence. This document recommends that the DNS information
>>> >> from DHCP should have higher priority than that of RA for
>>> >> DNS queries to handle the case of the coexistence of RA and DHCP.
>>> >>
>>> >> If anyone does not object this text, I will revise the draft with it.
>>> > I would prefer this document focused solely on specifying the RA DNS
>>> options, and did not stray into more general configuration complexity.
>>> >
>>> > getting information from multiple sources is a more general problem in
>>> IPv6, and I don't want us to "solve" (if that's possible) that problem in
>>> this document.
>>> >
>>> > "the less you say, the less likely you are to say something wrong". ;-)
>>> >
>>> > Best regards,
>>> > Ole
>>> >
>>> So we leave the DHCP/RA preference choice to the implementers?
>>>
>>  => Since this issue  is not standardized yet, we will leave it to the
>> implementers.
>>
>>
>>>
>>> Something else that doesn't seem ok to me.
>>> > However, the security of these RA options for DNS configuration does
>>> >    not affect ND protocol security [RFC4861].  This is because learning
>>> >    DNS information via the RA options cannot be worse than learning bad
>>> >    router information via the RA options.  Therefore, the vulnerability
>>> >    of ND is not worse and is a subset of the attacks that any node
>>> >    attached to a LAN can do.
>>>
>>> I do not agree with the statement "learning DNS information via the RA
>>> options cannot be worse than learning bad router information via the RA
>>> options".
>>> I believe that bad router exploitation is at a local level, while bad
>>> DNS exploitation is at a global level. So while the origin of the attack
>>> can be the same (a node attached to the LAN), the easiness/effectiveness
>>> of the attack can be greater in the case of DNS.
>>>
>>>  => By the invalid RDNSS addresses, the DNS query messages from
>>       IPv6 hosts can be generated and sent toward those addresses over
>> the link
>>       to which the hosts are attached. However, in the aspect of IPv6
>> hosts,
>>       the vulnerability level for ND service seems still the same.
>>
>>
>>>
>>> Also, i have spotted a few more places for further clarification:
>>>
>>> > Step (c): For each RDNSS address, if it already exists in the DNS
>>> >       Server List, then...
>>>
>>> Step (c): For each RDNSS address, if it already exists in the DNS
>>>       Server List and the RDNSS option's Lifetime field is not set to
>>> zero, then....
>>>
>>>  => This clarification looks good. I will reflect this in the revision.
>>
>>
>>> > Step (d): For each RDNSS address, if it does not exist in the DNS
>>> >       Server List, register the RDNSS address and Lifetime with the DNS
>>> >       Server List and then insert the RDNSS address in front of the
>>> >       Resolver Repository.
>>>
>>> ...and then insert the RDNSS address as the first one in the Resolver
>>> Repository.
>>>
>>>   => This clarification looks good, too. I will reflect this in the
>> revision.
>>
>>
>>  Thanks.
>>
>>  Best Regards,
>>  Paul
>>
>>
>>> --
>>> Tassos
>>>
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>>
>>
>>
>> --
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Assistant Professor
>> Department of Software
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>>
>
>
>
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>

v2.23.0 | Report a Bug | By Email