IETF Logo Mail Archive

Feedback on draft-linkova-6man-grand-01

Fernando Gont <fgont@si6networks.com> Wed, 27 November 2019 12:42 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3490312011F for <ipv6@ietfa.amsl.com>; Wed, 27 Nov 2019 04:42:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbezVJ6r56Ot for <ipv6@ietfa.amsl.com>; Wed, 27 Nov 2019 04:42:43 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 091AA12009E for <6man@ietf.org>; Wed, 27 Nov 2019 04:42:42 -0800 (PST)
Received: from [192.168.4.77] (unknown [190.179.54.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 5811586AEA; Wed, 27 Nov 2019 13:42:39 +0100 (CET)
To: Jen Linkova <furry@google.com>
From: Fernando Gont <fgont@si6networks.com>
Subject: Feedback on draft-linkova-6man-grand-01
Openpgp: preference=signencrypt
Cc: "6man@ietf.org" <6man@ietf.org>
Message-ID: <3fbc97b1-123b-49e8-0c66-47815177e0ca@si6networks.com>
Date: Wed, 27 Nov 2019 09:42:26 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/dA9syYPC1cMjJak34jvMjdRw5is>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 12:42:45 -0000

Hello, Jen,

Here are comments on the I-Ddraft-linkova-6man-grand-01.

Meta: I think this is a problem worth solving. Some might think of it as
 a minor annoyance... but if things evolve toward more transient
addresses (as in per-application addresses, and/or use-and-throw-away
addresses), this may be more of a recurrent problem, and a more
significant annoyance.


**** Technical: ****

>    As the main purpose of sending unsolicited NAs upon configuring a new
>    address is to proactively create a Neighbor Cache entry on the first-
>    hop routers, the gratuitous NAs SHOULD be sent to all-routers
>    multicast address (ff02::2).  Limiting the recipients to routers only
>    would help reduce the multicast noise level.

In the context of RFC8028, one might argue that you could simply send
the unsolicited NAs unicast to the routers that advertised this prefix.
This would:

 * reduce multicast traffic

 * also reduce the number of unnecessary entries in local routers (there
would be no point to create entries for addresses configured for, say,
2001:2b8::/64 at Router A, if you will only use Router B as the default
router for packets sourced from those addresses).



>  As the INCOMPLETE entry means that the router has
>    started the ND process for the address and the multicast NS has been
>    sent, the rightful owner is expected to reply with solicited NA with
>    the Override flag set. 

I should re-check the spec. The NA would certainly have the solicited
flag set. Although I'm not sure it woudl always have the override flag set.


>    When a valid Neighbor Advertisement is received (either solicited or
>    unsolicited), the Neighbor Cache is searched for the target's entry.
>    If no entry exists, hosts SHOULD silently discard the advertisement.
>    There is no need to create an entry if none exists, since the
>    recipient has apparently not initiated any communication with the
>    target.  Routers SHOULD create a new entry for the target address
>    with the link-layer address set to the Target link-layer address
>    option (if supplied).  The entry its reachability state MUST also be
>    set to STALE.  If the received Neighbor Advertisement does not
>    contain the Target link-layer address option the advertisement SHOULD
>    be silently discarded.

Shouldn't this only happen if the "solicited" flag is not set?


>    Announcing a new address to all-routers multicast address may inform
>    an on-link attacker about IPv6 addresses assigned to the host.
>    However hiding information about the specific IPv6 address should not
>    be considered a security measure as it falls into 'Security through
>    obscurity' category. 

I'd remove the "security through obscurity" bit, and note that this
information is normally disclosed with dad, anyway, and not just to
routers, but to all nodes.


Food for thought:
Maybe routers could simply create the ND cache entries, if the entry is
not present, when the corresponding DAD packets are received?
This would mean no changes on clients, and just updates on routers.
(me thinking out loud)




**** Editorial: ****

>    However when a host sends traffic to off-link destinations the
>    different scenario is observed. 

s/the/a/

> This document summarized
>    the proposed neighbor discovery updates to address the issue.

s/summarized/summarizes/


> 
>    SLLA: Source link-layer Address, an option in the ND packets
>    containing the link-layer address of the sender of the packet
>    ([RFC4861]).
> 
>    TLLA: Target link-layer Address, an option in the ND packets
>    containing the link-layer address of the target ([RFC4861]).
> 
>    GUA: Global Unicast Address ([RFC4291]).

Please remove the parenthesis, for consistence with the other bullets.


>    The reasoning behind dropping unsolicited Neighbor Advertisements
>    ("the recipient has apparently not initiated any communication with
>    the target") is valid for onlink host-to-host communication but, as
>    discussed in [I-D.ietf-v6ops-nd-cache-init] does not really apply for

s/does not really/it does not really/


> 
>> IT would would recover the cache entry and set the
>>    LLA to the one of the rightful owner.  
> 

s/IT/It/


Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email