IETF Logo Mail Archive

Re: draft-chakrabarti-nordmark-6man-efficient-nd-00.txt

Carsten Bormann <cabo@tzi.org> Fri, 02 November 2012 06:23 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7528421F916E for <ipv6@ietfa.amsl.com>; Thu, 1 Nov 2012 23:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.521
X-Spam-Level:
X-Spam-Status: No, score=-106.521 tagged_above=-999 required=5 tests=[AWL=-0.272, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqs5TQqzC-pP for <ipv6@ietfa.amsl.com>; Thu, 1 Nov 2012 23:23:32 -0700 (PDT)
Received: from informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE9521F9189 for <ipv6@ietf.org>; Thu, 1 Nov 2012 23:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from smtp-fb3.informatik.uni-bremen.de (smtp-fb3.informatik.uni-bremen.de [134.102.224.120]) by informatik.uni-bremen.de (8.14.3/8.14.3) with ESMTP id qA26NLi4003547; Fri, 2 Nov 2012 07:23:21 +0100 (CET)
Received: from [192.168.217.105] (p548938D5.dip.t-dialin.net [84.137.56.213]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp-fb3.informatik.uni-bremen.de (Postfix) with ESMTPSA id AC326360; Fri, 2 Nov 2012 07:23:20 +0100 (CET)
Subject: Re: draft-chakrabarti-nordmark-6man-efficient-nd-00.txt
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Content-Type: text/plain; charset="iso-8859-1"
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <5092E983.7080108@acm.org>
Date: Fri, 02 Nov 2012 07:23:19 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <E1D8286D-FA2C-40B7-856A-219925D288C9@tzi.org>
References: <16D60F43CA0B724F8052D7E9323565D72ECE73F3B4@EUSAACMS0715.eamcs.ericsson.se> <653FE6CB-CBFF-4CF5-967B-3227B5295B46@tzi.org> <5092E983.7080108@acm.org>
To: Erik Nordmark <nordmark@acm.org>
X-Mailer: Apple Mail (2.1499)
Cc: 6man Mailing List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2012 06:23:33 -0000

>> The two areas in which I think this proposal can benefit from some more discussion:
>> 
>> Clearly, mitigating the external ND table DoS is one of the major pain points addressed by this.  Thinking point: Is there any way to structure the transition from legacy ND to efficient ND in such a way that it becomes easier to reap this benefit?
> 
> If not all the hosts on the link do explicit registration, then the routers need to be able to send multicast NS messages to find those that didn't register.
> As noted in RFC 6583, draft-gashinsky-6man-v6nd-enhance-02.txt, and draft-ietf-6man-impatient-nud-05.txt, things can be improved if the routers don't discard NCEs too quickly, and potentially interpret unsolicited NS messages as a registration attempt.
> 
> The last part is a bit problematic in general, but if a router has sufficient memory it can definitely track which hosts it has ever heard from on the link and thereby significantly reduce the rate at which is needs to send multicast NS to look for previously unknown hosts.

But most of this only helps with the addresses for which hosts actually exist.

In the transition, routers still need to implement rate-limiting on their multicast NS.  
(With Efficient-ND, hosts defer to routers for finding other hosts.)  Maybe we should mention that.

Using any heuristic (tracking hosts based on unsolicited NS, MLD, whatever) to track existing hosts (more specifically: existing host addresses) is good.  Routers can limit their NS rate-limiting behavior to those hosts for which they have heard nothing.  So this is a valid strategy to point out.  (Specific heuristics are orthogonal to this draft, though.)

But the attack is about hosts that don't exist, so inducing multicast NS rate limiting is still an effective DoS on the router finding hosts/addresses not yet discovered (there are many more non-existing hosts than additional addresses).  Improving the discovery heuristic thus mitigates the DoS.

(Note that attacks on the discovery heuristic are possible, but these would be inside attacks.  
The bad thing about the ND table attack is that any Internet host can carry it out.)

Not being subject to not being found due to multicast NS rate-limiting, of course, is a deployment incentive on the host side...

>> For DC applications, the assumption of uniqueness of the EUI-64 probably requires some more thinking.  VMs get copied all the time, and it is way too easy to copy this kind of config info in the process.
> 
> I don't think the EUI-64 is different than the IEEE-48 MAC address. In fact the for Ethernet the EUI-64 is derived from the MAC address.
> 
> And if cloning a VM results in keeping the same MAC address then things will not work well even for IPv4.

Sure.  People do have problems with this on IPv4, too.  But can (should?) we do better?
If yes, that would be another deployment incentive for Efficient-ND.

In summary, none of these are problems with the draft -- I'm just pointing out that if we can do something beyond what we have, these are ways to increase the deployment incentive.

Grüße, Carsten

v2.23.0 | Report a Bug | By Email