RE: Route Information Options in Redirect Messages (updated)

"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 07 February 2017 18:43 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59FDE1295AF for <ipv6@ietfa.amsl.com>; Tue, 7 Feb 2017 10:43:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IToEM_gE-NWV for <ipv6@ietfa.amsl.com>; Tue, 7 Feb 2017 10:43:22 -0800 (PST)
Received: from phx-mbsout-01.mbs.boeing.net (phx-mbsout-01.mbs.boeing.net [130.76.184.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04D2212945B for <ipv6@ietf.org>; Tue, 7 Feb 2017 10:43:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id v17IhLBe030491; Tue, 7 Feb 2017 11:43:21 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (xch15-06-08.nw.nos.boeing.com [137.136.238.222]) by phx-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id v17IhCEV030399 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Tue, 7 Feb 2017 11:43:13 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 7 Feb 2017 10:43:12 -0800
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1178.000; Tue, 7 Feb 2017 10:43:12 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: =?utf-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>, james woodyatt <jhw@google.com>
Subject: RE: Route Information Options in Redirect Messages (updated)
Thread-Topic: Route Information Options in Redirect Messages (updated)
Thread-Index: AdJ8F7CvYW0JrWzvRzOTQSlLsXA0KQA/bwYAACZxdWAA79nnKQAAmI2Q
Date: Tue, 7 Feb 2017 18:43:12 +0000
Message-ID: <614ead862aa54a548ed4835a998a42e4@XCH15-06-08.nw.nos.boeing.com>
References: <9910b4acd87044e89fad83bb5c795b77@XCH15-06-08.nw.nos.boeing.com> <CAJE_bqfJMW5SRDxm04rC67Xvf4YqaxihyCRUXfGW3TUq42Xk-A@mail.gmail.com> <5ebd374f4ec8454b8a3796cffe5e1919@XCH15-06-08.nw.nos.boeing.com> <CAJE_bqfN9x031TXBd8Hpiv5168=zXXN+U02gGqsxyXhpQ-SDWA@mail.gmail.com> <E291D7B9-7492-4043-BE4F-E45CB54985D7@google.com> <CAJE_bqePL1bKAZL53=oebn=2eiYKdxyULd5jS4uJk9jo1sFrcA@mail.gmail.com>
In-Reply-To: <CAJE_bqePL1bKAZL53=oebn=2eiYKdxyULd5jS4uJk9jo1sFrcA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/jJD7Y0jRhKY8uHBrvBLfdB35KMI>
Cc: IPv6 List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 18:43:23 -0000

Hi Jinmei-san,

One important clarification below:

> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of ????
> Sent: Tuesday, February 07, 2017 10:18 AM
> To: james woodyatt <jhw@google.com>
> Cc: IPv6 List <ipv6@ietf.org>
> Subject: Re: Route Information Options in Redirect Messages (updated)
> 
> At Mon, 6 Feb 2017 12:07:32 -0800,
> james woodyatt <jhw@google.com> wrote:
> 
> > >>>   "IPv6 Router Advertisement Guard" [RFC6105] ("RA Guard") describes a
> > >>>   layer-2 filtering technique intended for network operators to use in
> > >>>   [...]
> > >>>
> > >>>  I don't understand the purpose of this paragraph,[...]
> 
> > The idea I had in mind when I wrote this is that we are leaving
> > aside entirely the question of whether or not RFC 6105 has any
> > issues to be identified after reviewing our draft. It’s our view
> > that this draft is applicable in networks where no RA Guard function
> > is deployed. We include this note in section 6 because we are aware
> > that RFC 6105 exists, and our draft is relevant to the
> > considerations that drive operators to deploy RA Guard functions.
> 
> Hmm, maybe I'm so dumb but I'm afraid I still don't understand intent
> clearly.  Do you mean an operational assumption of this proposal is to
> use it in a link where RA guard isn't deployed?  If so, it's far
> better (at least to me) to just say so.
> 
> BTW, if this proposal keeps the concept of "unsolicited redirect" and
> also allows the destination address of '::' to bypass the host's
> validity check of whether it's really the first hop router for the
> destination,

No, that is not what we want to have happen. The document doesn't
say this currently, but we want to retain a revised version of the validity
check. The revised version of the check would say:

OLD:
      - The IP source address of the Redirect is the same as the current
        first-hop router for the specified ICMP Destination Address.

NEW:
      - The IP source address of the Redirect is the same as the current
        first-hop router for the specified ICMP Destination Address, or
        (when the ICMP Destination Address is '::') the same as the current
        first-hop router for the specified RIOs

Would welcome better wording than this, but we definitely do want
to retain the validity check. Comments?

Thanks - Fred
fred.l.templin@boeing.com

> then I'd rather be more interested in a discussion of
> whether we should extend RFC6105 so it will also cover redirects and
> filter out "rogue redirects".  That's because such an unsolicited
> redirect is quite powerful and allows almost any arbitrary on-link
> attacker to exploit it at almost the same level of rogue RAs.  Aside
> from specific conclusion from the discussion, a discussion like that
> would look good content to me for the security considerations section
> of this document.
> 
> --
> JINMEI, Tatuya
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------