IETF Logo Mail Archive

Re: ND NS/NA support required on point-to-point links?

Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Mon, 19 July 2010 11:17 UTC

Return-Path: <ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9713B3A683E for <ipv6@core3.amsl.com>; Mon, 19 Jul 2010 04:17:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5u9Yg1MkTqUT for <ipv6@core3.amsl.com>; Mon, 19 Jul 2010 04:17:14 -0700 (PDT)
Received: from smtp2.adam.net.au (smtp2.adam.net.au [202.136.110.251]) by core3.amsl.com (Postfix) with ESMTP id D4B833A6835 for <ipv6@ietf.org>; Mon, 19 Jul 2010 04:17:13 -0700 (PDT)
Received: from 114-30-99-20.ip.adam.com.au ([114.30.99.20] helo=opy.nosense.org) by smtp2.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1OaoLV-00027c-7H; Mon, 19 Jul 2010 20:47:17 +0930
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id 257AE3B325; Mon, 19 Jul 2010 20:51:27 +0930 (CST)
Date: Mon, 19 Jul 2010 20:51:26 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Subject: Re: ND NS/NA support required on point-to-point links?
Message-ID: <20100719205126.3595c597@opy.nosense.org>
In-Reply-To: <6A2A459175DABE4BB11DE2026AA50A5D02574457@XMB-AMS-107.cisco.com>
References: <m1OYznp-0001ehC@stereo.hq.phicoh.net> <20100714.131624.74719628.sthaug@nethelp.no> <m1OZ0OT-0001VGC@stereo.hq.phicoh.net> <20100714.152554.41658861.sthaug@nethelp.no> <20100715073256.3a7fccd3@opy.nosense.org> <6A2A459175DABE4BB11DE2026AA50A5D02574457@XMB-AMS-107.cisco.com>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: ipv6@ietf.org, dthaler@microsoft.com
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jul 2010 11:17:15 -0000

Hi Pascal,

On Thu, 15 Jul 2010 11:33:03 +0200
"Pascal Thubert (pthubert)" <pthubert@cisco.com> wrote:

> Hi Mark:
> 
> A new ND registration model is being developed at 6LoWPAN to enable a
> proactive population of the ND cache - table, really -. Applying the ND
> registration to the P2P link case, the endpoint routers would need to
> register to one another prior to delivering packets on that link. Any
> packet for the subnet on link that does not match an NC Entry would be
> dropped as opposed to blindly passed to the other end. I tried at some
> point to modernize RFC 3122 but it seems a better approach to generalize
> the ND registration to P2p in particular and NBMA links at large.
> 
> What do you think?

Coincidentally, I bought the 6LoWPAN books last week, and have just
been reading about the ND NR/NC protocol on the train to and from work
in the last day or so. That seems like a good alternative to ND NS/NA.
I think it'd achieve the goal of being able to generate ICMP
destination unreachables, eliminate the ping-pong problem, and preserve
the simplicity of universal /64 assignments to all link types. I
haven't come across whether NUD is still performed in 6LoWPAN, however
since the scenario we're talking about isn't likely to be as low
bandwidth or power sensitive, I think NUD could be used to further
reduce the detection time of failed nodes, in addition to the ND NR
registration expiry time.

That model would also seem to be a good method to significantly mitigate
the off-link source ND cache attack on LAN /64s, preventing that attack
from e.g. Internet sources. Although the default router's neighbor cache
would be vulnerable to malicious onlink devices, which could use ND NR
messages to exhaust the cache, those devices have a far more of a
vested interest in the default router(s) staying available, so they're
much less likely to attempt it compared to Internet origin attackers
who suffer no consequence if successful.

I seem to remember a discussion I had with Erik Nordmark a while back,
after I suggested the idea of using MLD joins for the solicited node
address as a method of validating neighbor cache entries, where he
thought that ultimately a registration protocol would be the best
solution. It'd seem that this 6lowpan ND NR/NC protocol would be a good
candidate for resolving these issues.

Regards,
Mark.


> 
> Pascal
> 
> > -----Original Message-----
> > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf
> Of
> > Mark Smith
> > Sent: Thursday, July 15, 2010 12:03 AM
> > To: sthaug@nethelp.no
> > Cc: ipv6@ietf.org; dthaler@microsoft.com
> > Subject: Re: ND NS/NA support required on point-to-point links?
> > 
> > On Wed, 14 Jul 2010 15:25:54 +0200 (CEST) sthaug@nethelp.no wrote:
> > 
> > > > >However, it would seem that several of the major vendors (e.g.
> > > > >Cisco,
> > > > >Juniper) have interpreted this differently, and chosen not to
> > > > >perform ND on point-to-point links.
> > > >
> > > > Do you mean perform, as in issue the NS request or also in not
> > > > responding to a NS request from the peer?
> > >
> > > I have no idea whether an NS request would be answered on a
> > > point-to-point link for these vendors. When I have tested this in
> the
> > > lab, the observed behavior is that an NS request is never issued.
> > >
> > 
> > It's also a bit interesting to look at the multicast groups that have
> been
> > subscribed to on the interfaces. Some of the implementations subscribe
> to the
> > solicited node multicast group(s) for the local addresses. It's as
> though they're
> > "half" ND NS/NA enabled.
> > 
> > > > So I wonder, with all the IPv6 interoperability testing and
> > > > certification going on, how come nobody ever noticed that this is
> an issue?
> > >
> > > The ping-pong behavior on IPv6 point-to-point links has most
> certainly
> > > been noticed, see for instance
> > >
> > 
> > It seems the the consequence of not implementing ND NS/NA on
> point-to-point
> > links has been noticed, not the root cause. The root cause seems to be
> an
> > assumption that any non-local interface addresses on the link within a
> prefix
> > must exist and are always available at the other end of the
> point-to-point link,
> > so traffic can be forwarded onto that link without validating that
> assumption.
> > When implementations at both ends of the link are making that
> assumption,
> > the ping pong problem is the result.
> > 
> > 
> > 
> > >     http://tools.ietf.org/html/draft-ietf-ipngwg-p2p-pingpong-00
> > >     http://tools.ietf.org/html/draft-kohno-ipv6-prefixlen-p2p-00
> > >
> > >
> http://www.janog.gr.jp/meeting/janog22/program/day2/data/day2-1-e.pdf
> > >
> > > Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email