Re: Feedback on draft-linkova-6man-grand-01
Jen Linkova <furry13@gmail.com> Thu, 28 November 2019 00:36 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83149120B08 for <ipv6@ietfa.amsl.com>; Wed, 27 Nov 2019 16:36:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLjSflcyOvsi for <ipv6@ietfa.amsl.com>; Wed, 27 Nov 2019 16:36:43 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24B361209AA for <6man@ietf.org>; Wed, 27 Nov 2019 16:36:43 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id e187so21275130qkf.4 for <6man@ietf.org>; Wed, 27 Nov 2019 16:36:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xj3BzKtBdBHJMTnGaJgXMZ2tYwaJ12YrgygbxiWDz74=; b=L5ZWF+wSAPikrNCuyKeufJpSQ7b1yr86bvXCxC+SG4CYUAqOPnAQdFnixKHZ5riKqK VR52X5LB9o2Rg4nyZhrmmvqQmjg3aa4H2yQ3a8pukit95uzHw4sbh8lOJeHp1sblWjKe XYqAuBdXcxSJoQ2Gd9PWdcVcBoXlkzUyfSkS5ewaUr6OW2cMn9kBtoVddtU6b47j1Ion XFlVQznNYnqDw2PMdEg8qlX9qe4K8GIvq1ET2ohFqMg3EDuu0lBh/mf4bi/kRg5wFQnN HtP7IhpNTU1jf1XWHGoHRlDPxoT6J3ypnSquW5ZN804d7ubcqMBffhYxNQUJ0cnITobp ls3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xj3BzKtBdBHJMTnGaJgXMZ2tYwaJ12YrgygbxiWDz74=; b=rgpscY57CXcn/EQbnpoyGKm80DTzGKhIA4y4oxmHR15/nYTDDvos2JFECmpf6XRn2k 9lQq7sb8/l5GZie0rhOAVCmU/TlzDTAW+eMtcag5PXvITk100psC4cY0pPaEMDTVrqiK N0sg/QfAQZfa6kcmDyP5P4Vj3sfNfuSuRn0Dlu7Oe+kTq0c0PsKiTULMiEm9DQ5aU4tf 3p36LjLNt63vjjOn4n68R2dnQwTk4JOIo5dxacQVxp0cdivc8uFXJ+eRa7IJuzHqj80N Hf9J0Oy2MLn5rg5u4cDV02FcmXS3CMbt0Rxhh09DKB5BReoH5uveQ/dh1fYESM03UAWw pyVw==
X-Gm-Message-State: APjAAAXHfDMmCrASJkQyirPA/xR4vN9USuY6bTWLQDUEezIY1BnyGbnm kmx6WvUliYDFhUBwNPbNBTI3yBfEj39SNcEVTDY=
X-Google-Smtp-Source: APXvYqwJ+gODneaMUOD/AorjrH2KKPc1iIiaNEDw+WFduENn5Ff4VDY30WSOncj7FtiMfEOp+KVCg/qelIc9orXM7Ig=
X-Received: by 2002:a37:9145:: with SMTP id t66mr7683044qkd.332.1574901401751; Wed, 27 Nov 2019 16:36:41 -0800 (PST)
MIME-Version: 1.0
References: <3fbc97b1-123b-49e8-0c66-47815177e0ca@si6networks.com>
In-Reply-To: <3fbc97b1-123b-49e8-0c66-47815177e0ca@si6networks.com>
From: Jen Linkova <furry13@gmail.com>
Date: Thu, 28 Nov 2019 11:36:30 +1100
Message-ID: <CAFU7BATNSXBypROU3p2JW_=9HN0rtKYq2oe4oJL65eifZdkdNw@mail.gmail.com>
Subject: Re: Feedback on draft-linkova-6man-grand-01
To: Fernando Gont <fgont@si6networks.com>
Cc: Jen Linkova <furry@google.com>, "6man@ietf.org" <6man@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/haBSRktWc9MAeVBzBCxJ-37jI0A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 00:36:44 -0000
Hi Fernando, Thanks for your review! Comments inline. On Wed, Nov 27, 2019 at 11:42 PM Fernando Gont <fgont@si6networks.com> wrote: > > As the main purpose of sending unsolicited NAs upon configuring a new > > address is to proactively create a Neighbor Cache entry on the first- > > hop routers, the gratuitous NAs SHOULD be sent to all-routers > > multicast address (ff02::2). Limiting the recipients to routers only > > would help reduce the multicast noise level. > > In the context of RFC8028, one might argue that you could simply send > the unsolicited NAs unicast to the routers that advertised this prefix. > This would: > > * reduce multicast traffic > > * also reduce the number of unnecessary entries in local routers (there > would be no point to create entries for addresses configured for, say, > 2001:2b8::/64 at Router A, if you will only use Router B as the default > router for packets sourced from those addresses). The main drawback of this approach is it would work in 50% of cases if the network provides first-hop router redundancy. There is no guarantee that the traffic is symmetrical - the host can easily choose a router A as a default gateway but the return flow can reach the LAN via the router B. See https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00#section-2.3.2.2 I'll update the text to clarify it. > > As the INCOMPLETE entry means that the router has > > started the ND process for the address and the multicast NS has been > > sent, the rightful owner is expected to reply with solicited NA with > > the Override flag set. > > I should re-check the spec. The NA would certainly have the solicited > flag set. Although I'm not sure it woudl always have the override flag set. It *SHOULD* unless it's anycast or the device is a proxy: https://tools.ietf.org/html/rfc4861#section-7.2.4 " If the Target Address is either an anycast address or a unicast address for which the node is providing proxy service, or the Target Link-Layer Address option is not included, the Override flag SHOULD be set to zero. Otherwise, the Override flag SHOULD be set to one." > > When a valid Neighbor Advertisement is received (either solicited or > > unsolicited), the Neighbor Cache is searched for the target's entry. > > If no entry exists, hosts SHOULD silently discard the advertisement. > > There is no need to create an entry if none exists, since the > > recipient has apparently not initiated any communication with the > > target. Routers SHOULD create a new entry for the target address > > with the link-layer address set to the Target link-layer address > > option (if supplied). The entry its reachability state MUST also be > > set to STALE. If the received Neighbor Advertisement does not > > contain the Target link-layer address option the advertisement SHOULD > > be silently discarded. > > Shouldn't this only happen if the "solicited" flag is not set? Valid point. I do not see any harm is doing it for Solicited but I'm happy to limit to unsolicited NA only... > > Announcing a new address to all-routers multicast address may inform > > an on-link attacker about IPv6 addresses assigned to the host. > > However hiding information about the specific IPv6 address should not > > be considered a security measure as it falls into 'Security through > > obscurity' category. > > I'd remove the "security through obscurity" bit, and note that this > information is normally disclosed with dad, anyway, and not just to > routers, but to all nodes. Not *exactly* true if the network deploys all those smart WiFi devices but it's more an operational consideration. I'll update the text, thanks! > Food for thought: > Maybe routers could simply create the ND cache entries, if the entry is > not present, when the corresponding DAD packets are received? > This would mean no changes on clients, and just updates on routers. > (me thinking out loud) Please note that this draft does not discuss *all* possible approaches. The operational issue and various solutions are documented in https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00. Your proposal 'why not DAD' is discussed in https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00#section-2.4 I should probably make it explicit in the Introduction section that the readers of draft-linkova-6man-grand shall read the 6ops doc first. -- SY, Jen Linkova aka Furry
- Feedback on draft-linkova-6man-grand-01 Fernando Gont
- Re: Feedback on draft-linkova-6man-grand-01 Jen Linkova
- Re: Feedback on draft-linkova-6man-grand-01 Gyan Mishra
- Re: Feedback on draft-linkova-6man-grand-01 Jen Linkova
- Re: Feedback on draft-linkova-6man-grand-01 Gyan Mishra