Re: 6MAN Adoption call on raft-chakrabarti-nordmark-6man-efficient-nd-04

Lorenzo Colitti <lorenzo@google.com> Thu, 09 January 2014 06:22 UTC

On Thu, Jan 9, 2014 at 3:09 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:

>> You don't need to modify ND to do that, though. You can defend against that
>> sort of attack by having the ND implementation:
>>
>> 1. Prioritize preserving ND cache entries over making new address
>> resolution attempts.
>> 2. Glean ND cache entries from DAD packets (and if need be, NS/NA packets),
>> and prioritize those gleaned entries over new address resolution attempts.
>>
>> Some of these measures are documented in RFC 6583.
>>
>
> If I do that, can I instantly drop packets not in my ND table already? (or
> my table of 1 and 2 above)?
>
> If not, I don't consider it a complete solution.
I'm afraid I don't understand the question. You can't "just drop packets
not in your ND table already" - otherwise you won't be able to talk to a
new host that just joined the link. What I believe you can do is, even when
you are under full-scale attack, allow the following to work:

1. Communications to and from devices in your table keep working.
2. New directly-connected devices can make it into your neighbour cache.

Is there something else you would want to do?
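The two measures discussed in this exchange (keep existing neighbour cache entries in preference to new address resolution attempts, and let entries gleaned from on-link NS/NA or DAD traffic take precedence over pending lookups) as a small simulation. This is added here for illustration; it is not code from the thread or from any real ND implementation, and the cache size, the addresses and the link-layer addresses are constructed.

```python
from collections import OrderedDict

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    """Bounded ND cache: unresolved (INCOMPLETE) entries are shed first, so a
    scan of unused on-link addresses never evicts a resolved neighbour."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # addr -> (state, lladdr); oldest first

    def _evict_incomplete(self):
        # Drop the oldest INCOMPLETE entry; never touch REACHABLE ones.
        for addr, (state, _) in self.entries.items():
            if state == INCOMPLETE:
                del self.entries[addr]
                return True
        return False

    def resolve(self, addr):
        """Packet to forward for unknown addr: resolve only if a slot is free."""
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity and not self._evict_incomplete():
            return False  # full of resolved neighbours: drop, don't evict
        self.entries[addr] = (INCOMPLETE, None)
        return True

    def glean(self, addr, lladdr):
        """On-link NS/NA or DAD probe (lladdr assumed taken from the frame)."""
        if addr not in self.entries and len(self.entries) >= self.capacity:
            if not self._evict_incomplete():
                return False
        self.entries[addr] = (REACHABLE, lladdr)  # present host beats lookups
        return True

    def count(self, state):
        return sum(1 for s, _ in self.entries.values() if s == state)


def demo():
    # Constructed: 4-slot cache, 2 known hosts, 100-address scan, then an NS.
    cache = NeighborCache(4)
    cache.glean("2001:db8::1", "02:00:00:00:00:01")
    cache.glean("2001:db8::2", "02:00:00:00:00:02")
    for i in range(100):
        cache.resolve(f"2001:db8::ffff:{i:x}")
    newcomer_ok = cache.glean("2001:db8::3", "02:00:00:00:00:03")
    return cache, newcomer_ok
```

After the scan, both known hosts are still REACHABLE, the scan holds at most the spare slots, and the newcomer's NS still lands in the cache by recycling an INCOMPLETE entry.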