IETF Logo Mail Archive

Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information

Ted Lemon <mellon@fugue.com> Fri, 12 August 2022 18:59 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AAD3C14CF0C for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 11:59:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w-QFjXB5HYBD for <ipv6@ietfa.amsl.com>; Fri, 12 Aug 2022 11:59:30 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E1DBC157B40 for <ipv6@ietf.org>; Fri, 12 Aug 2022 11:59:30 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id w27so1388775qki.5 for <ipv6@ietf.org>; Fri, 12 Aug 2022 11:59:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc; bh=QNhRcxA9kXz0EJyJYBcROLyONuxbHPPlkwyDRV2Nvfk=; b=YeQZzIrdhiJC94k94WwDW6TygdfHbl61ivKN6Aap9Yt2Kw/PDekRnMLsXJ+0ClB3yH 139FFQRvjBXSaPv2dUt+Luasynh3B+dFWKXN+H+aoVVi9ILIA/Uf1fjoXbgB+PlZyBIC icM8A3gCu9WQcSUfhiVs+qc+nWBT+nnN0HDtdukC/BNl/nB0uE3ZFK3voLoGk72lEcXx DCAfP1qg611Erjd7nDV4L05/nXv50EMaiTut9EJm1VwWXaPRA6sLJ+1dwWMaXzM56SO0 ea7cpcYvykl4rGYtsoG5oo20EblEda1ra17pddTpfPTHvIFSPkNAWhVluRX6kTyAouTu 9C+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc; bh=QNhRcxA9kXz0EJyJYBcROLyONuxbHPPlkwyDRV2Nvfk=; b=ephc1OfvN1qBtngXFf0U1FGoNMXXBjIT51mn/l77/GViHqeoTt6rf5N4k556obG4HE EfMRggE46GqeQc80E70ctD24SZw8XmxV8+WWeG2st4U1TYliy3K7WvdaB3KqwVwXCIMf maGlzLiY+tlXIbXzDPfqw9HD+2eewPrzy/y/sQdPhS1ylkUOCyKVcUzK3zyk40AUCkES isaz3JU6sjZzY8lC7PXhouaS1jJnCd8S2xAylUpXVG1py2hvvuYA8DcItCNXUXaQniDQ nfpFWb481nYwtvj6M0YobVKh4wAPxlkoZS5kNdIBZXr34dV7nN5KXiNt3Mi6V9THmrGR FGbQ==
X-Gm-Message-State: ACgBeo3ySxZMWAFrWzy6FewSTurlIcz0xmEmO0u5qEdJ6dHf+HTEjWvn 040CEUB8XhPoGJ3WmHjBd23dpjzMHPVdWg==
X-Google-Smtp-Source: AA6agR502bzSIzI2mfS+GK+afL5JIdHlYhO78OIL1feEIuLY5jCqPVIu63ezNVroXUmOmcENDkSvrg==
X-Received: by 2002:a05:620a:24d0:b0:6b9:1117:20c0 with SMTP id m16-20020a05620a24d000b006b9111720c0mr3918243qkn.271.1660330769109; Fri, 12 Aug 2022 11:59:29 -0700 (PDT)
Received: from smtpclient.apple ([2601:18b:300:3380:90a0:9bc:7117:94ee]) by smtp.gmail.com with ESMTPSA id az33-20020a05620a172100b006b8619a67f4sm2402309qkb.34.2022.08.12.11.59.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 12 Aug 2022 11:59:28 -0700 (PDT)
Content-Type: multipart/mixed; boundary="Apple-Mail-0FE5EEBD-741F-4096-A7AC-31203C639EF6"
Content-Transfer-Encoding: 7bit
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Subject: Re: draft-ietf-6man-slaac-renum: Heuristics to deprecate stale information
Date: Fri, 12 Aug 2022 14:59:28 -0400
Message-Id: <D9257BFF-5480-4280-A8CA-598B1388B639@fugue.com>
References: <21348.1660329329@localhost>
Cc: fgont@si6networks.com, ipv6@ietf.org
In-Reply-To: <21348.1660329329@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: iPad Mail (19F77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/dowwZbh3RsBdNQ9rK9w2mXCGgJ8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2022 18:59:31 -0000

Actually the case I’m thinking of is where the router goes down, and another router just announces another prefix. In this case, following Eduard’s heuristic, hosts on the link would immediately stop using addresses on the old prefix. Although actually I think he said they’d deprecate that prefix, not unconfigure it, so maybe I’m worried over nothing. In that case, existing connections would continue to function, and when the router came back, the prefix would be un-deprecated.

Sent from my iPad

> On Aug 12, 2022, at 2:35 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Ted Lemon <mellon@fugue.com> wrote:
>> RS, they seem low-cost. I am somewhat concerned that a cleverly-timed
>> attack while a router is known to be down could result in bogus
>> prefixes being preferred on the link until the router comes back, and
>> that this could break connections on the link that would otherwise
>> survive. But this seems like a fairly useless denial-of-service attack.
> 
> If I understand the attack you are thinking about,  it would depend on the
> addresses expiring from the nodes while the router is down and can not renew
> the prefix lifetimes.
> 
> The attacker deprecates the addresses, by impersonating the router, and
> nodes kill connections.    One answer, I think, is that any existing sockets
> that are using those addresses can just continue to use them.
> New connections/sockets would not use those addresses.
> 
> I know that my browsers all seem to notice when there is an address change
> and they restart connections.  I'm not entirely sure if this is just based
> upon opening the routing socket and listening, or if there is a lower
> overhead mechanism... I'd sure like to be able to toggle a socket option on a
> bind()/connect()'ed socket (both TCP and UDP) to get an error if the
> addresses involved go into deprecated state.
> 
> The sockets might actually break if they are connections to the Internet, but
> they would break anyway in that case.  If they are just across the link, then
> they would just continue working.
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email