IETF Logo Mail Archive

Re: Source Address Dependent Routing and Source Address Selection for IPv6 - fate sharing

Ray Hunter <v6ops@globis.net> Wed, 25 February 2015 13:06 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7CDB1A026C for <ipv6@ietfa.amsl.com>; Wed, 25 Feb 2015 05:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VD9RT-HS3g6F for <ipv6@ietfa.amsl.com>; Wed, 25 Feb 2015 05:06:21 -0800 (PST)
Received: from globis01.globis.net (mail.globis.net [IPv6:2001:470:1f15:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id F26391A0181 for <ipv6@ietf.org>; Wed, 25 Feb 2015 05:06:20 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id E0A07871646; Wed, 25 Feb 2015 14:06:19 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7YujND6RgfS; Wed, 25 Feb 2015 14:06:19 +0100 (CET)
Received: from Rays-iMac.local (092-111-140-211.static.chello.nl [92.111.140.211]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPSA id 9BCFF870009; Wed, 25 Feb 2015 14:06:19 +0100 (CET)
Message-ID: <54EDC8C9.10705@globis.net>
Date: Wed, 25 Feb 2015 14:06:17 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
Subject: Re: Source Address Dependent Routing and Source Address Selection for IPv6 - fate sharing
References: <CAC8QAcdfLPW5-GZFo-eFZY=wXXzTgvNpKG_MgARGkb48HtPQsQ@mail.gmail.com> <CAC8QAcep0qXfsagftfsdFO9Sch2Aogcr2Y6s8MQBhwryNrFcSQ@mail.gmail.com> <54DA3630.2030508@gmail.com> <CAC8QAcdOQ3u3O88e+qWn-9RegX=PyMXAP2vC=QpoaUvZHo3hSA@mail.gmail.com> <9AE3066C-0C80-45E7-A0DC-F7D283FFD3CB@employees.org> <CAC8QAcc9rRrX8m=eRT1PhtJT0WCVKC6d=vDeZLTEZTOb=DjZ4Q@mail.gmail.com> <F1A8D1AD-B341-4C0B-92C4-CF87CD6CFFEA@employees.org> <CAC8QAceAowkFrYzN7PXiZ4RKc8yPpvWGq1Nk2YHqgJu8UFqMxg@mail.gmail.com> <CAKD1Yr0zeZbS6pLKmALAMCMv00wk85RW8fax7DVaCDnK-ua4JA@mail.gmail.com> <54E492F0.8090105@globis.net> <C AC8QAcdeT9rJMroX9QQcMBNLY2pCmbM3HcrFCuKheQVzoiRSSQ@mail.gmail.com> <0CEC58BE-C6C8-46ED-9982-85BF146FE119@glob! is.net> <54E7216A.1070200@gmail.com> <A55713B3-F678-45AA-8CDF-C3BED6E61CA6@employees.org> <54E7661A.6040509@gmail.com> <D5518DA6-CD8D-493D-8A69-61D9ABC4A42B@glob! is.net> <54EAF8F8.5020207@gmail.com> <B6EBE31D-DA74-4D24-A9C5-C0154E6EB464@globis.net> <54EC965E.9030805@gmail.com>
In-Reply-To: <54EC965E.9030805@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/gearrIljIMSNHPxpwUA_0OWPV9I>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 13:06:23 -0000

> Alexandru Petrescu <mailto:alexandru.petrescu@gmail.com>
> 24 February 2015 16:18
> Le 23/02/2015 17:40, V6ops a écrit :
>>
>>
>>> On 23 Feb 2015, at 10:55, Alexandru Petrescu
>>> <alexandru.petrescu@gmail.com> wrote:
>>>
>>> Le 20/02/2015 21:46, V6ops a écrit :
>>>>
>>>>
>>>>> On 20 Feb 2015, at 17:51, Alexandru Petrescu
>>>>> <alexandru.petrescu@gmail.com> wrote:
>>>>>
>>>>> Le 20/02/2015 13:23, Ole Troan a écrit :
>>>>>>>>
>>>>>>>> But why would one router need to point routes with the
>>>>>>>> next hop pointing at another router?
>>>>>>>
>>>>>>> BEcause that's how it works when two smartphones (Routers)
>>>>>>> talk directly over WiFi.  A Host device tethered to one
>>>>>>> smartphone would need to communicate to another Host
>>>>>>> tethered to the other smartphone. In this case, one
>>>>>>> smartphone (Router) would need to point a route with the
>>>>>>> next hop at the other smartphone (Router).
>>>>>>>
>>>>>>> The smartphone Router-to-Router is just an instantiation
>>>>>>> use-case. Another instantiation is in Vehicle-to-Vehicle
>>>>>>> communications.
>>>>>>
>>>>>> that's what we have redirects for.
>>>>>
>>>>> REdirects are sent by Routers to Hosts, not to other Routers.
>>>>>
>>>>> They assume some route is already in place (the route from a
>>>>> Host to a Router) and that another one should be suggested -
>>>>> _re_-direct.
>>>>>
>>>>> In the case of smartphone-to-smartphone, or vehicle-to-vehicle,
>>>>> they may not be connected to anything else prior to connecting
>>>>> to each other, so they wouldnt issue Redirects.
>>>>>
>>>>> Alex
>>>>>
>>>>
>>>> And why exactly would a router listen to an RA then?
>>>>
>>>
>>> Sorry, I dont understand why you ask this?  Please clarify the
>>> question.
>>>
>>> Until then here's an answer about what I think the question is not
>>> clear.
>>>
>>> A router would need to listen for RA issued by other router, such
>>> as to learn the prefix of this other Router's other interface.
>>
>> Where is this specified in a current IETF document?
>

> In individual submissions such as the 'RA-based routing'
I've read these drafts. Thanks for the links.
> draft-petrescu-autoconf-ra-based-routing
OK. But this has a completely different RA option set and semantic 
space, that is clearly only going to be processed by mobile routers. 
[new 'm' flag from 5175]

I may or may not disagree with the proposal, but it's not going to 
impact older nodes or non-mobile routers.
>
> with use-cases issued from the vehicular communications world;
> and other similar mechanisms described in
> draft-pfister-moving-net-autoconf-00
Again an 'm' flag for mobile use only.
> draft-jhlee-mext-mnpp-00
Has a new ICMP type code for MNPP Solicitation and MNPP Advertisement 
messages. It won't affect generic nodes.
> draft-hampel-mext-ro-without-ha-00
contains no new options AFAICS.

My point is that none of these proposed extensions will likely be 
processed by older nodes, or wired nodes, or Homenet nodes, so backwards 
compatibility and having to update generic (wired) nodes is less of an 
issue for me.

>
>> Routers ignore RA in most instances ( unless they are acting as a
>> host on what is clearly an upstream interface, and they need to
>> configure a prefix for use on the upstream interface e.g. on an ISP
>> link)
>
> I agree.  But even this little detail (ignore RA unless acting as a host
> on a clearly identified upstream interface) is not explicitely stated
> anywhere.
Agreed.

>
>> Even in this case why would the RA require a different next hop (my
>> real confusion is why this option is needed at all)
>
> No, the next-hop comes from the src address of the RA.  But the prefix
> contained in the RA is the prefix of other link, not the prefix of the
> link on which this RA is sent.
No, in Bechet's draft draft-sarikaya-6man-next-hop-ra-04, there's an 
explicit Next-Hop Address option proposed.

That option only makes sense if it contains a next-hop address that is 
different from the src address of the RA.

That's exactly why I'm questioning the semantics of the new option (e.g. 
with respect to the existing semantics of 4191).
>
>> Homenet is not following this path for prefix distribution/learning
>> between LAN interfaces of Homenet devices (one of the use cases of
>> the draft). Two smartphones peering would run HNCP to learn
>> prefixes.... Not RA based mechanisms.
>
> Well, there should be a need for the HNCP to be first agreed on, and
> then to find widely available and reliable software.  With an RA-based
> scheme one would use already available software, with very small
> modifications, if any at all.
>
>>>
>>> A smartphone Router would send an RA on its bluetooth interface
>>> containing the prefix of its WiFi interface.
>>
>> This was already extensively discussed when producing 464xlat.....
>
> I didnt know that.  I guess though 464xlat does not send RAs.
>
>>> An On-Board Unit Router would send an RA on its 802.11p
>>> (vehicle-to-vehicle) interface containing the prefix of its
>>> wired-Ethernet interface.
>>>
>>> Alex
>>
>> In general, I can certainly appreciate the need for a SADR
>> equivalent extension to 4191. But I'm mystified by the need for the
>> additional complexity contained in this draft. And I'm genuinely
>> missing how receiving nodes would process and validate the new
>> options. I.e. The conceptual host model of 4191.
>
> I personally think at this time that SADR is a concept still much in an
> inception phase.  There are multiple ways in which the src address could
> be taken into account during a forwarding process.  And I think it has
> little to do with RFC4191, or with what to put in an RA.
>
> The reason I react on this thread is only related to having other links'
> prefixes in an RA.
>
I find these use cases of an RA message containing information about 
off-link interfaces distinctly odd.

RA is strictly link local (section 6.1.1 and 6.1.2 of RFC4861).

Quote: "A node MUST silently discard any received Router Advertisement
    messages that do not satisfy all of the following validity checks:

       - IP Source Address is a link-local address."

How does the receiving node know that the next hop is being advertised 
from another interface on the sending router (there's no interface tag 
in the proposed option)?
[use case given by you of a smart phone advertising its wifi prefix via 
the bluetooth interface]

So in my mind that is introducing a possibility of non optimal routing, 
race conditions, or worse still, looping (imagine the two routers share 
two links, both wifi AND bluetooth, rather than just one, and they pair 
at different times)

How does the receiving node know that the next hop target is to be found 
on another interface on the receiving host (again there's no interface 
tag in the proposed option)?
[use case given by Bechet of a 3gpp router advertising next hop 
addresses for use on the wireless interface on the receiving node when 
connected to a VPN router]

So in my mind that is introducing a possibility of non optimal routing, 
or route attacks where routes received on a trusted interfaces point to 
non-trusted interfaces, or an amplification attack, where the receiving 
node has to perform ND on all of its interfaces to discover where the 
proposed next hop is located (assuming the advertised next hop actually 
contains garbage, and is unreachable)
> Alex
>
>
> V6ops <mailto:v6ops@globis.net>
> 23 February 2015 17:40
>> On 23 Feb 2015, at 10:55, Alexandru Petrescu<alexandru.petrescu@gmail.com>  wrote:
>>
>> Le 20/02/2015 21:46, V6ops a écrit :
>>>> On 20 Feb 2015, at 17:51, Alexandru Petrescu
>>>> <alexandru.petrescu@gmail.com>  wrote:
>>>>
>>>> Le 20/02/2015 13:23, Ole Troan a écrit :
>>>>>>> But why would one router need to point routes with the next
>>>>>>> hop pointing at another router?
>>>>>> BEcause that's how it works when two smartphones (Routers) talk
>>>>>> directly over WiFi.  A Host device tethered to one smartphone
>>>>>> would need to communicate to another Host tethered to the other
>>>>>> smartphone. In this case, one smartphone (Router) would need to
>>>>>> point a route with the next hop at the other smartphone
>>>>>> (Router).
>>>>>>
>>>>>> The smartphone Router-to-Router is just an instantiation
>>>>>> use-case. Another instantiation is in Vehicle-to-Vehicle
>>>>>> communications.
>>>>> that's what we have redirects for.
>>>> REdirects are sent by Routers to Hosts, not to other Routers.
>>>>
>>>> They assume some route is already in place (the route from a Host
>>>> to a Router) and that another one should be suggested -
>>>> _re_-direct.
>>>>
>>>> In the case of smartphone-to-smartphone, or vehicle-to-vehicle,
>>>> they may not be connected to anything else prior to connecting to
>>>> each other, so they wouldnt issue Redirects.
>>>>
>>>> Alex
>>>>
>>> And why exactly would a router listen to an RA then?
>>>
>> Sorry, I dont understand why you ask this?  Please clarify the question.
>>
>> Until then here's an answer about what I think the question is not clear.
>>
>> A router would need to listen for RA issued by other router, such as to
>> learn the prefix of this other Router's other interface.
> Where is this specified in a current IETF document?
>
> Routers ignore RA in most instances ( unless they are acting as a host on what is clearly an upstream interface, and they need to configure a prefix for use on the upstream interface e.g. on an ISP link)
>
> Even in this case why would the RA require a different next hop (my real confusion is why this option is needed at all)
>
> Homenet is not following this path for prefix distribution/learning between LAN interfaces of Homenet devices (one of the use cases of the draft). Two smartphones peering would run HNCP to learn prefixes.... Not RA based mechanisms.
>> A smartphone Router would send an RA on its bluetooth interface
>> containing the prefix of its WiFi interface.
> This was already extensively discussed when producing 464xlat.....
>
>> An On-Board Unit Router
>> would send an RA on its 802.11p (vehicle-to-vehicle) interface
>> containing the prefix of its wired-Ethernet interface.
>>
>> Alex
>
> In general, I can certainly appreciate the need for a SADR equivalent extension to 4191. But I'm mystified by the need for the additional complexity contained in this draft. And I'm genuinely missing how receiving nodes would process and validate the new options. I.e. The conceptual host model of 4191.
>

-- 
Regards,
RayH

v2.23.0 | Report a Bug | By Email