Re: [v6ops] IPv6 link-local traffic questions
Toerless Eckert <tte@cs.fau.de> Fri, 20 March 2020 14:32 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAAB23A09E4; Fri, 20 Mar 2020 07:32:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IZ5LRHT-JLh; Fri, 20 Mar 2020 07:32:22 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE44D3A0BE4; Fri, 20 Mar 2020 07:30:15 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 3AB87548047; Fri, 20 Mar 2020 15:30:09 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 331BD440040; Fri, 20 Mar 2020 15:30:09 +0100 (CET)
Date: Fri, 20 Mar 2020 15:30:09 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Gyan Mishra <hayabusagsm@gmail.com>
Cc: Jen Linkova <furry13@gmail.com>, 6man <6man@ietf.org>, V6 Ops List <v6ops@ietf.org>
Subject: Re: [v6ops] IPv6 link-local traffic questions
Message-ID: <20200320143009.GA19351@faui48f.informatik.uni-erlangen.de>
References: <20200312000016.GO54522@faui48f.informatik.uni-erlangen.de> <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com> <CABNhwV1uCFHCO9r3NK7QeqZ4gvrquoD_534LXoykaf59S48rpA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABNhwV1uCFHCO9r3NK7QeqZ4gvrquoD_534LXoykaf59S48rpA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/fNQdN55219IORYcx8GsnFAbPyZQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 14:32:33 -0000
On Sat, Mar 14, 2020 at 02:07:34AM -0400, Gyan Mishra wrote: > Jen > > I always wondered why RFC 4862 states that ND & RD packets have TTL 255. > We have run into so many PSIRT bugs with ND which makes it more problematic > having the TTL 255. Is there anything that would makes you think 255 is a worse choice for security than 1 ? Or is it just implementation bugs ? Cheers Toerless > Since ND & RD packets would always be local scope in your response to > Toreless you mentioned that GTSM that ND using 255 is kind of an example of > GTSM in the sense that the TTL is set to 255 for a direct neighbor > adjacency. I think though the security issues of TTL 255 with ND/RD > packets seem to make security a bigger issue then just leaving TTL=1. > > Gyan > > On Wed, Mar 11, 2020 at 8:34 PM Jen Linkova <furry13@gmail.com> wrote: > > > On Thu, Mar 12, 2020 at 11:01 AM Toerless Eckert <tte@cs.fau.de> wrote: > > > > > > Sorry for cross posting, but this is both ops and arch questions. > > > > > > I was trying to find any generic description that/if link-local IPv6 > > > traffic MUST/SHOULD use Hop-count 1, but could not find one in > > > rfc8200 or rfc4291 and its updates. Instead, text like > > > MUST set Hop-limit to 1 is repeated in various RFCs using link-local > > > IPv6 traffic. > > > > I believe it depends what you are trying to achieve. If you want to > > make sure that the traffic never leaves the network - then hop limit = > > 1 helps. But using link-local sources/destinations would help even > > better if the routers comply with RFC4291 Section 2.5.6 > > If you want to make sure those packets are not sent by a malicious > > party from outside - hop limit shall be 255. > > For example, see RFC4861 Section 3.1 > > > > > Am i overlooking something ? Or is this intentional in the IPv6 > > architecture ? > > > > > > If intentional, i guess it means: Any RFC introducing some type of > > link-local > > > traffic can specify Hop-limit requirements for its traffic. As in > > > "our WG likes 42 as the Hop-limit" (silly to me, but should be fine with > > > IPv6 architecture then, right ?). > > > > > > In one of my draft document reviews using such link-local IPv6 traffic, > > > EricV brought up the Q if that traffic shouldn't use RFC5082 instead > > > of Hop-Count 1 too. But given how we do not seem to have architectural > > > recommendations for TTL=1 (unless, quite likely i overlook something), > > > and given how i am not aware of any actual use of GTSM, i am quite > > > weary to go down that route. Aka: Would like learn of actual uses of > > > GTSM with IPv6. > > > > Neighbor Discovery. > > > > > There is an additional set of consideration re. link-local traffic > > > when trying to use it as a HW accelerated tunneling mechanism across > > links, > > > a use we both have in ANIMA, and maybe get the same in BIER (probably > > > other WGs too, not sure). > > > > > > In implementations, i have seen quite a range of issues with > > > accelerated forwarding planes across link-local addressed tunnels, > > > and when using non-link-local addresses (loopback addresses), > > > the HW plane forwarding might have issues doing HW forwarding, because > > > usually TTL=1 is only used for control plane traffic. Of course, > > > this is not a good architectural argument, but if given architectural > > > leeway to even choose 42, maybe GTSM/255 is easier to be supported > > > across various HW accelerated forwarding planes than 1. > > > > > > Opinions and experiences welcome! > > > > If you control the router I'd say 'link-local source/destination, > > HL=255 AND RFC4291 would be the best option. > > > > I did see a few devices somewhere far away sending me ICMPv6 (packet > > too big) from their link-local addresses but it was not very common > > case. > > > > -- > > SY, Jen Linkova aka Furry > > > > -------------------------------------------------------------------- > > IETF IPv6 working group mailing list > > ipv6@ietf.org > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > -------------------------------------------------------------------- > > > > > -- > > Gyan Mishra > > Network Engineering & Technology > > Verizon > > Silver Spring, MD 20904 > > Phone: 301 502-1347 > > Email: gyan.s.mishra@verizon.com > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -- --- tte@cs.fau.de
- IPv6 link-local traffic questions Toerless Eckert
- Re: [v6ops] IPv6 link-local traffic questions Jen Linkova
- Re: [v6ops] IPv6 link-local traffic questions Mark Smith
- Re: [v6ops] IPv6 link-local traffic questions Toerless Eckert
- Re: [v6ops] IPv6 link-local traffic questions Toerless Eckert
- Re: [v6ops] IPv6 link-local traffic questions Erik Kline
- Re: [Bier] [v6ops] IPv6 link-local traffic questi… Tony Przygienda
- Re: [Bier] [v6ops] IPv6 link-local traffic questi… Toerless Eckert
- Re: [v6ops] IPv6 link-local traffic questions Gyan Mishra
- Re: [v6ops] IPv6 link-local traffic questions Gyan Mishra
- Re: [v6ops] IPv6 link-local traffic questions Karl Auer
- Re: [v6ops] IPv6 link-local traffic questions Ole Troan
- Re: [v6ops] IPv6 link-local traffic questions Gert Doering
- Re: [v6ops] IPv6 link-local traffic questions Gyan Mishra
- Re: [v6ops] IPv6 link-local traffic questions Gyan Mishra
- Re: [v6ops] IPv6 link-local traffic questions Gyan Mishra
- Re: [v6ops] IPv6 link-local traffic questions Toerless Eckert
- Re: [v6ops] IPv6 link-local traffic questions Stewart Bryant
- Re: [v6ops] IPv6 link-local traffic questions Toerless Eckert
- Re: [v6ops] IPv6 link-local traffic questions Tony Przygienda
- Re: [v6ops] IPv6 link-local traffic questions Gyan Mishra
- Re: [v6ops] IPv6 link-local traffic questions Mark Smith
- Re: [v6ops] IPv6 link-local traffic questions Erik Kline
- Re: [v6ops] IPv6 link-local traffic questions Owen DeLong
- Re: [v6ops] IPv6 link-local traffic questions Brian E Carpenter
- Re: [v6ops] IPv6 link-local traffic questions Owen DeLong
- Re: [v6ops] IPv6 link-local traffic questions Gert Doering
- Re: [v6ops] IPv6 link-local traffic questions Brian E Carpenter
- Re: [v6ops] IPv6 link-local traffic questions Owen DeLong
- Re: [v6ops] IPv6 link-local traffic questions Gert Doering
- Re: [v6ops] IPv6 link-local traffic questions Philip Homburg
- Re: [v6ops] IPv6 link-local traffic questions Brian E Carpenter
- Re: [v6ops] IPv6 link-local traffic questions Jen Linkova