IETF Logo Mail Archive

RE: Route Information Options in IPv6 Neighbor Discovery

"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 18 April 2017 20:43 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75BEE127876 for <ipv6@ietfa.amsl.com>; Tue, 18 Apr 2017 13:43:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dtrJ1DvsbAmw for <ipv6@ietfa.amsl.com>; Tue, 18 Apr 2017 13:43:00 -0700 (PDT)
Received: from phx-mbsout-01.mbs.boeing.net (phx-mbsout-01.mbs.boeing.net [130.76.184.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BCDC1243FE for <ipv6@ietf.org>; Tue, 18 Apr 2017 13:43:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id v3IKgxVN033871; Tue, 18 Apr 2017 13:42:59 -0700
Received: from XCH15-06-12.nw.nos.boeing.com (xch15-06-12.nw.nos.boeing.com [137.136.239.221]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id v3IKgsQ2033470 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Tue, 18 Apr 2017 13:42:54 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-12.nw.nos.boeing.com (2002:8988:efdd::8988:efdd) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 18 Apr 2017 13:42:53 -0700
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1263.000; Tue, 18 Apr 2017 13:42:53 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Fred Baker <fredbaker.ietf@gmail.com>
CC: Mikael Abrahamsson <swmike@swm.pp.se>, james woodyatt <jhw@google.com>, "ipv6@ietf.org" <ipv6@ietf.org>, Dave Thaler <dthaler@microsoft.com>
Subject: RE: Route Information Options in IPv6 Neighbor Discovery
Thread-Topic: Route Information Options in IPv6 Neighbor Discovery
Thread-Index: AdKz02OPoeaHB7mXSI2gKFT6CIowLQDYdB/0ABIAnAAAFYoRkAAQ+GSAABsW9kA=
Date: Tue, 18 Apr 2017 20:42:53 +0000
Message-ID: <5ce85dd13f1741de95ee722d0ec23dd9@XCH15-06-08.nw.nos.boeing.com>
References: <e0405ed49491441fb1a883b0d7e8d773@XCH15-06-08.nw.nos.boeing.com> <alpine.DEB.2.02.1704141353370.5591@uplift.swm.pp.se> <7C3DB700-B389-4796-AA1E-38172A5A89B0@gmail.com> <alpine.DEB.2.02.1704170642090.5591@uplift.swm.pp.se> <AF3C4D0B-E7B0-4DB3-A96B-9ED618DDA6C5@gmail.com> <12c8ae91db234098a4bb402c08630364@XCH15-06-08.nw.nos.boeing.com> <62ADCA5F-1319-4771-AD48-A449077AD11E@gmail.com>
In-Reply-To: <62ADCA5F-1319-4771-AD48-A449077AD11E@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/iPeH6wWHB2Ve8c5Eiwck4AY8ZUs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 20:43:02 -0000

Hi Fred,

A comment about SAVI/DHCP. RFC7513 seems to suggest DHCP snooping, i.e.,
some device on the path from the DHCP server to client examines the contents
of DHCP messages. Unfortunately, the DHCPv6 Security specification mandates
the use of encryption:

https://www.ietf.org/id/draft-ietf-dhc-sedhcpv6-21.txt

Does it mean that Secure DHCPv6 will be incompatible with SAVI?

Thanks - Fred

> -----Original Message-----
> From: Fred Baker [mailto:fredbaker.ietf@gmail.com]
> Sent: Monday, April 17, 2017 5:42 PM
> To: Templin, Fred L <Fred.L.Templin@boeing.com>
> Cc: Mikael Abrahamsson <swmike@swm.pp.se>; james woodyatt <jhw@google.com>; ipv6@ietf.org; Dave Thaler
> <dthaler@microsoft.com>
> Subject: Re: Route Information Options in IPv6 Neighbor Discovery
> 
> We have essentially the same problem with IPv4 Source Guard, as several companies call the technology. It has been deployed since
> 2004 or thereabouts as proprietary technology, but operates essentially as SAVI/DHCP does. We don't observe the issue you raise.
> 
> A redirect in essence is router A telling some host that router B in the same subnet that would be a better choice - that router A's next
> hop for the indicated address is router B, and the host can be a good citizen by sending that traffic to B in the first place. If they're in
> the same subnet and the host can talk with both of them, the host is going to use the same source address and the same interface.
> SAVI is thrilled, and if the host does as it is told, we reduced message rate on the LAN a little bit.
> 
> Further discussion of SAVI should probably go to savi@ietf.org...
> 
> > On Apr 17, 2017, at 4:47 PM, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:
> >
> > I have a question on how SAVI interacts with the IPv6 Redirect function in general.
> > When a Router Redirects a Source to a Target, the Source has discovered something
> > that it did not know before, namely that a target IPv6 prefix is reachable via the
> > Target directly without having to go through the Router.
> >
> > Armed with this knowledge however, what is to stop the Source from sending packets
> > with spoofed IPv6 source addresses via the Target? And, this is an issue for standard
> > IPv6 Redirect for a singleton destination and not just for Redirects that include RIOs.
> >
> > That said, there is a way for the Source to tell the Target about the source address(es)
> > it intends to use by including the source addresses or prefixes in RIOs in a NS sent
> > to the Target before any data packets are sent. And, if the Source lies about any of
> > its addresses any SAVI L2 devices that examine the NS messages can drop them.
> >
> > Thanks - Fred
> >
> >> -----Original Message-----
> >> From: Fred Baker [mailto:fredbaker.ietf@gmail.com]
> >> Sent: Sunday, April 16, 2017 11:19 PM
> >> To: Mikael Abrahamsson <swmike@swm.pp.se>
> >> Cc: Templin, Fred L <Fred.L.Templin@boeing.com>; james woodyatt <jhw@google.com>; ipv6@ietf.org; Dave Thaler
> >> <dthaler@microsoft.com>
> >> Subject: Re: Route Information Options in IPv6 Neighbor Discovery
> >>
> >>
> >>> On Apr 16, 2017, at 9:43 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
> >>>
> >>> On Fri, 14 Apr 2017, Fred Baker wrote:
> >>>
> >>>>> SAVI (https://tools.ietf.org/wg/savi/) has document that I imagine would be in scope for this documents security section. For
> >> instance, what would an SAVI enabled L2 switch that inspects ND entries do when it sees this RIO entry in ND?
> >>>>
> >>>> As specified, I think it would ignore them. It looks at the NA to determine what {IP address, MAC address} or {IP address, MAC
> >> address, Port #} association it should enforce. It has no illusion that this is the only data present.
> >>>
> >>> So the question becomes, is this desired behaviour? Sounds to me that there needs to be SAVI document enhancement for this
> RIO
> >> in ND then, for things to continue functioning properly (as I imagine if something sends RIO in ND to somewhere, there is
> expectation
> >> that any antispoofing device should allow for return traffic as well).
> >>
> >> Please feel free to make specific suggestions.
> >>
> >> https://tools.ietf.org/html/rfc6620
> >> 6620 FCFS SAVI: First-Come, First-Served Source Address Validation
> >>     Improvement for Locally Assigned IPv6 Addresses. E. Nordmark, M.
> >>     Bagnulo, E. Levy-Abegnoli. May 2012. (Format: TXT=84010 bytes)
> >>     (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6620)
> >>
> >> https://tools.ietf.org/html/rfc6959
> >> 6959 Source Address Validation Improvement (SAVI) Threat Scope. D.
> >>     McPherson, F. Baker, J. Halpern. May 2013. (Format: TXT=62217 bytes)
> >>     (Status: INFORMATIONAL) (DOI: 10.17487/RFC6959)
> >>
> >> https://tools.ietf.org/html/rfc7039
> >> 7039 Source Address Validation Improvement (SAVI) Framework. J. Wu, J.
> >>     Bi, M. Bagnulo, F. Baker, C. Vogt, Ed.. October 2013. (Format:
> >>     TXT=31946 bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC7039)
> >>
> >> https://tools.ietf.org/html/rfc7219
> >> 7219 SEcure Neighbor Discovery (SEND) Source Address Validation
> >>     Improvement (SAVI). M. Bagnulo, A. Garcia-Martinez. May 2014.
> >>     (Format: TXT=90423 bytes) (Status: PROPOSED STANDARD) (DOI:
> >>     10.17487/RFC7219)
> >>
> >> https://tools.ietf.org/html/rfc7513
> >> 7513 Source Address Validation Improvement (SAVI) Solution for DHCP. J.
> >>     Bi, J. Wu, G. Yao, F. Baker. May 2015. (Format: TXT=123735 bytes)
> >>     (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC7513)
> >>
> >> https://tools.ietf.org/html/rfc8074
> >> 8074 Source Address Validation Improvement (SAVI) for Mixed Address
> >>     Assignment Methods Scenario. J. Bi, G. Yao, J. Halpern, E.
> >>     Levy-Abegnoli, Ed.. February 2017. (Format: TXT=23910 bytes)
> >>     (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC8074)
> >>
> >>
> >
> >
>

v2.23.0 | Report a Bug | By Email