Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Thu, 07 April 2016 12:59 UTC
In-Reply-To: <CAPK2Dez6kD4WQf9tEuWj5ccX_v53bSw-gzwy_+KQ6Z=F68tjEA@mail.gmail.com>
References: <6AC58C26-01B6-4C16-851F-0C1228CDD2AF@employees.org> <CAJE_bqfeLxURYwMDcjMtSnyb2WBeYu_5Yq_2Yyo_O9sqHRn+og@mail.gmail.com> <73EEC8CE-EDC8-45FC-AE4F-F390F965304F@employees.org> <CAPK2DezV9vKYrHCAJJ_bFQZa02MCJMPdX7=BtL-tPzOj+da6vQ@mail.gmail.com> <CAJE_bqd316puXTvku3hMMGnThOV3JGMbLK_erQJDd6ic-BNJgA@mail.gmail.com> <CAPK2DezfW5khZyW-2wNfZ04=BSV2xq57Z52WDCoeivt4J9tvig@mail.gmail.com> <CAJE_bqfLtPmFBqZXDCfnnxZHUvzQFbicV0dweS23VjL_oEbDVg@mail.gmail.com> <CAPK2Dew4AVuZ9ssQnwSfbGu7vfS1f__8tgNWk9WFhEep7wPdGA@mail.gmail.com> <56EA8D27.3060704@forthnet.gr> <CAPK2DeyT-K1LR3+dAuLiuS2L=xr7Q4e2N-QZAoWHRC_cQSFKzw@mail.gmail.com> <CAKD1Yr142AT1UKfdQG4D9HaROJKKJN8Zj+ywj3sp9T-qNq7wNQ@mail.gmail.com> <56EAAD36.20901@si6networks.com> <CAKD1Yr1RH2r7H7Zq5y7ZRLx1v87jNWHy5n_eQDLWL9kfL7L2mg@mail.gmail.com> <CAPK2DewGU4sM4yqN-bgc7zQ77F_ednZ8X0-VyQRmD_aoZCgapA@mail.gmail.com> <1C086B9C-C1FD-4C53-823D-0A58A2DDE607@employees.org> <56EBCC78.6030206@forthnet.gr> <CAPK2Dez6kD4WQf9tEuWj5ccX_v53bSw-gzwy_+KQ6Z=F68tjEA@mail.gmail.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Thu, 07 Apr 2016 09:58:33 -0300
Message-ID: <CAPK2DezKbdA-ScoNqL7k1onv2brgbNACvFcS8XkTjSyk6bgNsg@mail.gmail.com>
Subject: Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
To: Fernando Gont <fgont@si6networks.com>, Ole Troan <otroan@employees.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/ZwGrr0C-0wEXZnbZBDEopUG2NsM>
Cc: 6man WG <ipv6@ietf.org>
Hi Fernando and Ole,

I believe that I have addressed all of the comments from 6man WG with the following revision:
https://tools.ietf.org/html/draft-ietf-6man-rdnss-rfc6106bis-12

Could you review it and make it forward from WGLC?

Thanks.

Paul

On Mon, Mar 21, 2016 at 9:41 PM, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:
> Hi Tassos,
> Thanks for your comments.
> I put my answers inline below with "=>".
>
> On Fri, Mar 18, 2016 at 6:38 PM, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:
>
>> otroan@employees.org wrote on 18/3/2016 10:44 AM:
>> > Paul,
>> >
>> >> I took a look at the draft of https://www.ietf.org/id/draft-ietf-v6ops-dhcpv6-slaac-problem-06.txt.
>> >>
>> >> From Case 4 (all RA flags are set, that is, M=1, A=1, O=1) in A.2.2, Fedora 21 and Centos 7 let the DNS of the RAs have higher priority, but MAC OS-X lets the DNS of DHCPv6 have higher priority.
>> >> In the current implementations, there is no consistency to handle RDNSS options from RA and DHCPv6.
>> >>
>> >> Thus, I suggest the following text with the preference for DHCPv6 because there is no strong rationale, but there must be somehow a guidance to handle this case:
>> >>
>> >> The DNS options from Router Advertisements and DHCP SHOULD be stored into the DNS Repository and Resolver Repository so that information from DHCP appears there first and therefore takes precedence. This document recommends that the DNS information from DHCP should have higher priority than that of RA for DNS queries to handle the case of the coexistence of RA and DHCP.
>> >>
>> >> If anyone does not object to this text, I will revise the draft with it.
>> > I would prefer this document focused solely on specifying the RA DNS options, and did not stray into more general configuration complexity.
>> >
>> > getting information from multiple sources is a more general problem in IPv6, and I don't want us to "solve" (if that's possible) that problem in this document.
>> >
>> > "the less you say, the less likely you are to say something wrong". ;-)
>> >
>> > Best regards,
>> > Ole
>> >
>> So we leave the DHCP/RA preference choice to the implementers?
>>
> => Since this issue is not standardized yet, we will leave it to the implementers.
>
>
>> Something else that doesn't seem ok to me.
>> > However, the security of these RA options for DNS configuration does not affect ND protocol security [RFC4861]. This is because learning DNS information via the RA options cannot be worse than learning bad router information via the RA options. Therefore, the vulnerability of ND is not worse and is a subset of the attacks that any node attached to a LAN can do.
>>
>> I do not agree with the statement "learning DNS information via the RA options cannot be worse than learning bad router information via the RA options".
>> I believe that bad router exploitation is at a local level, while bad DNS exploitation is at a global level. So while the origin of the attack can be the same (a node attached to the LAN), the easiness/effectiveness of the attack can be greater in the case of DNS.
>>
> => By the invalid RDNSS addresses, the DNS query messages from IPv6 hosts can be generated and sent toward those addresses over the link to which the hosts are attached. However, in the aspect of IPv6 hosts, the vulnerability level for ND service seems still the same.
>
>
>> Also, I have spotted a few more places for further clarification:
>>
>> > Step (c): For each RDNSS address, if it already exists in the DNS Server List, then...
>>
>> Step (c): For each RDNSS address, if it already exists in the DNS Server List and the RDNSS option's Lifetime field is not set to zero, then....
>>
> => This clarification looks good. I will reflect this in the revision.
>
>
>> > Step (d): For each RDNSS address, if it does not exist in the DNS Server List, register the RDNSS address and Lifetime with the DNS Server List and then insert the RDNSS address in front of the Resolver Repository.
>>
>> ...and then insert the RDNSS address as the first one in the Resolver Repository.
>>
> => This clarification looks good, too. I will reflect this in the revision.
>
>
> Thanks.
>
> Best Regards,
> Paul
>
>
>> --
>> Tassos
>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>
>
>
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>

--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
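The processing steps (c) and (d) quoted in the thread, together with the Lifetime handling Tassos asks about, as a worked example added to this archive page; it is not code from the draft, from the thread, or from any of the implementations named in it. It parses an RDNSS option from its wire format (Type, Length in 8-octet units, Reserved, Lifetime, 16-byte addresses), then maintains a host's DNS Server List and Resolver Repository. Assumptions of this example that the thread does not state: a Lifetime of zero withdraws the address, an all-ones Lifetime means infinity, and a small plausibility filter (no unspecified, loopback or multicast resolver addresses) that the draft does not require. Names such as `HostDnsState`, `build_rdnss_option` and `plausible_resolver` are this example's own, and the `2001:db8::` addresses are constructed documentation values. The strict length check in the parser is the kind of robustness a host needs when it accepts these options from any node on the link, which is the exposure the security discussion above is about.

```python
"""RDNSS option handling on an IPv6 host, modelled on steps (c) and (d) of the draft.

Added example for this archive page; not code from the draft or the thread. Assumptions are marked.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ND_OPT_RDNSS = 25               # ND option type for RDNSS (RFC 6106)
LIFETIME_INFINITY = 0xFFFFFFFF  # assumption: all-ones Lifetime means "infinity", as in RFC 6106


@dataclass
class RdnssOption:
    lifetime: int
    addresses: List[ipaddress.IPv6Address]


def build_rdnss_option(lifetime: int, addresses: List[str]) -> bytes:
    """Encode an RDNSS option: Type(1) Length(1, 8-octet units) Reserved(2) Lifetime(4) addresses(16 each)."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBHI", ND_OPT_RDNSS, (8 + len(body)) // 8, 0, lifetime) + body


def parse_rdnss_option(raw: bytes) -> RdnssOption:
    """Decode one RDNSS option, rejecting malformed lengths before trusting any address in it."""
    if len(raw) < 8:
        raise ValueError("RDNSS option shorter than its 8-byte fixed header")
    opt_type, opt_len = raw[0], raw[1]
    if opt_type != ND_OPT_RDNSS:
        raise ValueError(f"not an RDNSS option (type {opt_type})")
    total = opt_len * 8
    # Length must be odd and at least 3: the 8-byte header plus a whole number of 16-byte addresses.
    if opt_len < 3 or opt_len % 2 == 0 or total > len(raw):
        raise ValueError(f"malformed RDNSS option length {opt_len}")
    (lifetime,) = struct.unpack("!I", raw[4:8])
    addresses = [ipaddress.IPv6Address(raw[off:off + 16]) for off in range(8, total, 16)]
    return RdnssOption(lifetime, addresses)


def plausible_resolver(addr: ipaddress.IPv6Address) -> bool:
    """Added sanity filter (an assumption of this example, not a requirement of the draft):
    a recursive resolver address is never unspecified, loopback or multicast."""
    return not (addr.is_unspecified or addr.is_loopback or addr.is_multicast)


@dataclass
class HostDnsState:
    # DNS Server List: address -> expiration time in seconds (None = infinite lifetime)
    server_list: Dict[ipaddress.IPv6Address, Optional[int]] = field(default_factory=dict)
    # Resolver Repository: ordered addresses handed to the stub resolver; index 0 is tried first
    resolver_repo: List[ipaddress.IPv6Address] = field(default_factory=list)

    def process_rdnss(self, opt: RdnssOption, now: int) -> None:
        for addr in opt.addresses:
            if not plausible_resolver(addr):
                continue
            if opt.lifetime == 0:
                # Assumption: a zero Lifetime withdraws the address (the thread only says that
                # step (c) does not apply then), so drop it from both structures.
                self._forget(addr)
                continue
            expiry = None if opt.lifetime == LIFETIME_INFINITY else now + opt.lifetime
            if addr in self.server_list:
                # Step (c): already known and Lifetime non-zero: only refresh the expiration time.
                self.server_list[addr] = expiry
            else:
                # Step (d): register address and lifetime, then insert it first in the Resolver Repository.
                self.server_list[addr] = expiry
                self.resolver_repo.insert(0, addr)

    def expire(self, now: int) -> None:
        """Drop every entry whose expiration time has passed."""
        for addr, expiry in list(self.server_list.items()):
            if expiry is not None and expiry <= now:
                self._forget(addr)

    def _forget(self, addr: ipaddress.IPv6Address) -> None:
        self.server_list.pop(addr, None)
        if addr in self.resolver_repo:
            self.resolver_repo.remove(addr)

    def resolver_order(self) -> List[str]:
        return [str(a) for a in self.resolver_repo]

    def expirations(self) -> Dict[str, Optional[int]]:
        return {str(a): e for a, e in self.server_list.items()}


def demo() -> HostDnsState:
    """Replay a constructed sequence of RAs (2001:db8::/32 documentation addresses) against one host."""
    st = HostDnsState()
    # First RA at t=1000: two resolvers with a 600 s lifetime.
    st.process_rdnss(parse_rdnss_option(build_rdnss_option(600, ["2001:db8::53", "2001:db8::54"])), now=1000)
    # Second RA at t=1300: refreshes ::53 (step c) and introduces ::55, which goes to the front (step d).
    st.process_rdnss(parse_rdnss_option(build_rdnss_option(1800, ["2001:db8::53", "2001:db8::55"])), now=1300)
    # Third RA withdraws ::54 with Lifetime 0; a fourth carries a multicast address and is ignored.
    st.process_rdnss(parse_rdnss_option(build_rdnss_option(0, ["2001:db8::54"])), now=1310)
    st.process_rdnss(parse_rdnss_option(build_rdnss_option(600, ["ff02::1"])), now=1320)
    return st


if __name__ == "__main__":
    state = demo()
    print("resolver order:", state.resolver_order())
    print("expirations:   ", state.expirations())
```

Running `demo()` leaves the Resolver Repository ordered `2001:db8::55, 2001:db8::53`: the most recently learned address is consulted first, as step (d) requires, while the refreshed ::53 keeps its position and only its expiration moves. Calling `expire()` with a later clock removes entries from both structures, so a resolver learned from a single unrefreshed RA disappears once its Lifetime runs out.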