IETF Logo Mail Archive

Re: [**EXTERNAL**] New Version Notification for draft-mudric-6man-lcs-00.txt

Alexandre Petrescu <alexandre.petrescu@gmail.com> Mon, 24 August 2020 16:09 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04C333A0F87 for <ipv6@ietfa.amsl.com>; Mon, 24 Aug 2020 09:09:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.23
X-Spam-Level: **
X-Spam-Status: No, score=2.23 tagged_above=-999 required=5 tests=[DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.948, NML_ADSP_CUSTOM_MED=1.2, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.972, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EVd_q07ErmBd for <ipv6@ietfa.amsl.com>; Mon, 24 Aug 2020 09:09:34 -0700 (PDT)
Received: from sainfoin-smtp-out.extra.cea.fr (sainfoin-smtp-out.extra.cea.fr [132.167.192.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FC7D3A0F84 for <ipv6@ietf.org>; Mon, 24 Aug 2020 09:09:34 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by sainfoin-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 07OG9KZG030054; Mon, 24 Aug 2020 18:09:20 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id C8020204059; Mon, 24 Aug 2020 18:09:20 +0200 (CEST)
Received: from muguet2-smtp-out.intra.cea.fr (muguet2-smtp-out.intra.cea.fr [132.166.192.13]) by pisaure.intra.cea.fr (Postfix) with ESMTP id B55CE2013F6; Mon, 24 Aug 2020 18:09:20 +0200 (CEST)
Received: from [10.11.240.51] ([10.11.240.51]) by muguet2-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 07OG9Js7004738; Mon, 24 Aug 2020 18:09:19 +0200
Subject: Re: [**EXTERNAL**] New Version Notification for draft-mudric-6man-lcs-00.txt
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: "Mudric, Dusan" <dmudric@ciena.com>, "ipv6@ietf.org" <ipv6@ietf.org>, Dusan Mudric <dusan.mudric@gmail.com>
References: <320327D8-C90A-49A2-AC48-003ED0C3349C@ciena.com> <95b7363e293547688482ed45bd95c549@huawei.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <7bd79b52-1170-d493-7d2d-17774bf6f6fd@gmail.com>
Date: Mon, 24 Aug 2020 18:09:19 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <95b7363e293547688482ed45bd95c549@huawei.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/lQ1fiDAn-vH-pTs_w4UeEKEHWPQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2020 16:09:37 -0000

Hi, Eduard,

Le 24/08/2020 à 10:55, Vasilenko Eduard a écrit :
> Hi Dusan,

> [Dusan] The proposed mechanism is to use address resolution for GUA,
>  to obtain Destination LLA, when it is found that a destination GUA 
> is on link. It is exactly the problem: you have not proposed any 
> details how to do it.
> 
> Another problem for adoption could be on use case:
> 
> - if it is corporate environment, then Server is probably on a 
> separate segment from client, and both are protected by FW on the 
> perimeter

True, especially if Server might be a DHCPv6 server for multiple subnets.

In the design space, we might not want a central Server to perform that
resolution GUA-LLA for all Hosts in a domain.  We might want that
resolution to be targetting the Host that owns the addresses, a little
bit like NS/NA does.

However, we might want to consider the next-hop router instead of Server.

> - if it is home environment, then resource location is manual - LLA 
> could be chosen without any protocol extensions.

True, in some small home environments tables of mappings LLA-GUA could
be maintained manually, and protocol extensions might not be necessary.

> Do you have any evidences that the problem is really applicable to 
> real life?

We will provide some more details soon.

> PS: Vendor names are typically better to use "Vendor1" and
> "Vendor2", real vendors could have an objections that they are not
> capable to do something.

YEs yes, true enough.   Anonymizing names helps avoid pointing the finger.

Alex, and Dusan

> 
> Ed/ -----Original Message----- From: Mudric, Dusan 
> [mailto:dmudric@ciena.com] Sent: 21 августа 2020 г. 20:24 To: 
> Alexandre Petrescu <alexandre.petrescu@gmail.com>; Vasilenko Eduard 
> <vasilenko.eduard@huawei.com>; ipv6@ietf.org Cc: Dusan Mudric 
> <dusan.mudric@gmail.com> Subject: Re: [**EXTERNAL**] New Version 
> Notification for draft-mudric-6man-lcs-00.txt
> 
>> On 2020-08-20, 1:57 PM, "Vasilenko Eduard" 
>> <vasilenko.eduard@huawei.com> wrote:
>> 
>>> It is possible to look into "Prefix List" (RFC 4861
>>> terminology), If particular PIO was with "L"="Local" bit set,
>>> Then it is possible to use GUA as destination, but LLA as source.
>>> Should work.
>> 
> [Dusan] rfc6724#section-5, SASA Rule 2
> 
> "   Rule 2: Prefer appropriate scope. If Scope(SA) < Scope(SB): If 
> Scope(SA) < Scope(D), then prefer SB and otherwise prefer SA. 
> Similarly, if Scope(SB) < Scope(SA): If Scope(SB) < Scope(D), then Hi
> prefer SA and otherwise prefer SB."
> 
> prefers the closest Scope(S) to the given destination Scope(D). If D 
> is GUA, a source will selects its S-GUA, rather than S-LLA.
> 
> Even if it might be possible to make S-LLA - to - D-GUA connection, 
> for security reasons it is preferred that both parties use LLAs for 
> ON-LINK communication.
> 
> But if I am a Cisco router computer software I can not force a 
> Juniper router computer software to do whatever.  If Juniper
> computer contacts me by using a GUA all I can do is to reply to it
> using my LLA.  I have no way to signal it to tell it 'please use an
> LLA instead'. This draft is proposing  such a new way.
> 
> So, this draft is saying "I have your GUA destination address  but I 
> would like to talk to you using our LLAs. If you agree to give me 
> your LLA, we will talk using our LLAs".
> 
>>> It is radical departure from 6724: " to prefer destination/source
>>> address pairs for  which the two addresses are of equal scope or
>>> type ..."
>> 
>>> I am not sure that any other RFC would not block this approach.
>>> I do not see any blocking factor. Let's others speak.
> 
> Yes, I think it is time to see what others think.
> 
>>> PS: I do not believe that it is possible to map Destination GUA 
>>> to Destination LLA.
>> 
> [Dusan] The proposed mechanism is to use address resolution for GUA, 
> to obtain Destination LLA, when it is found that a destination GUA is
> on link. LLA is a Link Local Address, not 'link-layer address' MAC 
> address. Address resolution NA message can be extended to provide 
> D-LLA. That is how a source will learn about destination LL address.
> 
> The existing address resolution mechanisms (NS/NA) would resolve a 
> link-layer address of a GUA that is used by the same interface on 
> which GUA is attached. The existing address resolution mechanism 
> (NS/NA) does not offer means to obtain the link-local address of an 
> interface of a GUA. This draft is proposing to change the current 
> mechanism to be able to negotiate LLAs.
> 
> Alex
> 
>> 
>>> Eduard
>> -----Original Message----- From: Mudric, Dusan 
>> [mailto:dmudric@ciena.com] Sent: 20 августа 2020 г. 16:08 To: 
>> Alexandre Petrescu <alexandre.petrescu@gmail.com>; Vasilenko Eduard
>> <vasilenko.eduard@huawei.com>; ipv6@ietf.org Cc: Dusan Mudric
>> <dusan.mudric@gmail.com> Subject: Re: [**EXTERNAL**] New Version
>> Notification for draft-mudric-6man-lcs-00.txt
>> 
>> 
>> On 2020-08-18, 4:04 PM, "Vasilenko Eduard" 
>> <vasilenko.eduard@huawei.com> wrote:
>>> 
>>> Hi Dusan, Hi Alexandere,
>> 
>> [Alex] Thank you for the reply.  We carefully consider the 
>> comments.
>> 
>> We identified a corner case of communicating on the same link.  In
>>  this corner case the RFC6724 recommendation creates a security 
>> problem.
>> 
>> Rather, we recommend to use the least possible scope that is 
>> 'common', i.e. it allows to reach the other.  In other words, use
>> a LL src even if the dst is a GUA (GUA on the same link).
>> 
>> (maybe the 'least common scope' is not the best.  Because by RFC 
>> 4291 "Addr Archi" the LL and GUA are not the same common scope, 
>> even though one might imagine that link scope is included in a 
>> 'global' scope, and thus the least common scope between LL and GUA 
>> is the LL scope; it is a notion borrowed from set theory, an 
>> intersection; another difficulty with 'least common scope' is that 
>> Global in GUA is not a 'scope' but a characteristic of the 
>> uniqueness; and 'Global Unicast' is an address 'type', not a
>> scope. To make things worse, 'types' of addresses  could be more
>> than just LL ang GUA; other equally legitimate address types are
>> 'unicast', 'multicast' and 'anycast', and also 'Unspecified',
>> 'Loopback', 'Multicast'; and there are sub-types too.  So, maybe a
>> more precise recommendation would be to 'use an address type whose
>> scope is the least possible to reach a given destination', or
>> 'least possibly scoped address type', instead of 'least common
>> scope'.)
>> 
>>> RFC 6724 does have big attention to choose addresses with 
>>> smallest scope - section 3.1.
>> 
>> [Alex] That section 3.1 is about mapping multicast scopes to 
>> unicast scope, in order to give reason to comparing the scopes of 
>> unicast. However, a 1-to-1 mapping between these two scopes is 
>> hardly understandable.  In particular, there still exists a 
>> site-local scope for multicast but no longer for unicast.   And, 
>> there exist a unicast ULA global scope that is not reachable (it's 
>> global in that it is uniquely global, not because it is globally 
>> reachable - 'reachable' a word not in dictionary anyways :-).   So 
>> it's hard to see its multicast counterpart: either it's globally 
>> reachable or it's site-local (cant be both).
>> 
>> (In a multicast context it's not possible to use a multicast 
>> address in the source of the packets; so in a multicast context
>> one couldn't talk about same-scope recommendations.  Moreover,
>> there should not be blockage to sending packets of ll scope to
>> global mc scope.  _If_ we had a src multicast possibility then yes,
>> there could have been a good recommendation of same-scope
>> src-to-dst multicast-to-multicast packets. But we are not concerned
>> with that here.)
>> 
>> Because of the impossibility of the mapping that I mention above, 
>> it's impossible to come up with rules of same scope use in unicast 
>> context. And thus the effort of mapping seems without success.
>> 
>>> Then scope is at the second priority for section 5 "Source 
>>> Address Selection".
>> 
>> [Alex] Rule 2 might not lead to what we want.  The execution of 
>> that rule using input parameters SA==GUA, SB==LL and D==GUA leads 
>> to select SA (a GUA) as src; we dont want GUA in src when the 
>> destination is GUA on the same link.
>> 
>> [Dusan] It is rather DASA rule 8: Rule 8: Prefer smaller scope. If
>>  Scope(DA) < Scope(DB), then prefer DA.  Similarly, if Scope(DA) >
>>  Scope(DB), then prefer DB.
>> 
>> I think the order of address selection should be: - DASA Rule 8 to
>>  select LL destination address, preferring the smaller scope, and -
>>  SASA Rule 6 will select SA-LL source address that has the same 
>> label as destination DA-LL address
>> 
>> Section 10.2 example: "   Candidate Source Addresses: 2001:db8:1::2
>> or fe80::2 Destination Address List: 2001:db8:1::1 or fe80::1
>> Result: fe80::1 (src fe80::2) then 2001:db8:1::1 (src 
>> 2001:db8:1::2) (prefer smaller scope)"
>> 
>> This means a host needs to autodiscover a destination LL address, 
>> before applying DASA Rule 8. The details of this mechanism will be
>>  provided.
>> 
>>> I have not understood what else you need? IMHO: it is better to 
>>> clearly state what particular sentences in RFC 6724 you would 
>>> like to change or amend.
>> [Dusan] For ON-LINK D-GUA, SASA cannot be done until On-Link check 
>> and LL address resolution are completed. A socket API in  RFC5014 
>> would get a destination GUA or ULA, and: - Need to do ON-LINK 
>> determination, and - Obtain LL address for ON-LINK destinations
>> (LL address resolution). Otherwise: - Rule 8 can be updated to
>> check if a destination (with its DA-GUA and DB-ULA addresses) is
>> ON-LINK, and obtain and use LL address for  ON-LINK destinations.
>> 
>> The second approach makes SASA dependent on asynchronous 
>> communication with the ON-LINK destination and is not a preferred 
>> choice. If the first approach is used, there is no need to update 
>> RFC 6724.
>> 
>>> I suspect that finally you would come to the problem how to find 
>>> LLA for particular GUA?
>> 
>> [Alex] Yes, probably that problem.  As a solution, it is not 
>> impossible to find the LLA of a particular interface that is is 
>> present as a field in an entry in a routing table whose first field
>> covers the GUA ('covers' - as identified by a longest-prefix match
>> algorithm).
>> 
>>> even for the case when proper GUA prefix is announced from local
>>>  router with "L" bit set. Because GUA and LLA could have
>>> different interface ID.
>> 
>> [Alex] Yes, could.
>> 
>>> GUA has been fetched from an Active Directory or DNS.
>> 
>> [Dusan] Or assigned by DHCPv6 (e.g. a destination host server 
>> address)
>> 
>>> Where to find LLA for the same host?!? Is every host should 
>>> register all their addresses on default router? to find 
>>> correspondence.
>> 
>> [Dusan] No.
>> 
>>> What is the protocol to fetch this correspondence?
>> 
>> [Dusan] Host already have defined on-link determination, RFC 4861.
>>  If DA_GUA prefix: " - is covered by one of the link's prefixes 
>> (e.g., as indicated by the on-link flag in the Prefix Information 
>> option)" "A node considers an address to be on-link".
>> 
>> The same RFC4861 defines "     Address resolution: How nodes 
>> determine the link-layer address of an on-link destination (e.g., a
>> neighbor) given only the destination's IP address."
>> 
>> If the DA is ON-LINK, a host can resolve DA not only into the 
>> link-layer address, but, with extensions, into DA_LL address.
>> 
>>> Nope. It would not fly... Not on this planet.
>>> 
>>> Correspondence between GUA and ULA is potentially possible to 
>>> keep in Active Directory. It looks like operational 
>>> recommendation to corporate IT: use ULA and populate it into DNS 
>>> and Active Directory with higher priority (if you need GUA at all
>>> for internal resources); use ULA and GUA for ordinary hosts.
>>>> I do not see why you need to change RFC 6724 for this - host
>>> should automatically choose ULA in this scenario. The fact that 
>>> ULA is more secure is not a big secret. > Eduard
>> 
>> 
>>> -----Original Message----- From: ipv6 
>>> [mailto:ipv6-bounces@ietf.org] On Behalf Of
>> Mudric, Dusan
>>> Sent: 18 августа 2020 г. 16:56 To: ipv6@ietf.org Cc: 
>>> alexandre.petrescu@gmail.com Subject: FW: [**EXTERNAL**] New 
>>> Version Notification for
>> draft-mudric-6man-lcs-00.txt
>>> 
>>> Hi,
>>> 
>>> Please provide comments.
>>> 
>>> Thanks a lot, Dusan.
>>> 
>>> On 2020-08-18, 9:31 AM, "internet-drafts@ietf.org"
>> <internet-drafts@ietf.org> wrote:
>>> 
>>> 
>>> A new version of I-D, draft-mudric-6man-lcs-00.txt has been 
>>> successfully submitted by Dusan Mudric and
>> posted to the
>>> IETF repository.
>>> 
>>> Name:		draft-mudric-6man-lcs Revision:	00 Title:		Least-Common 
>>> Scope Communications Document date:	2020-08-18 Group: Individual
>>>  Submission Pages:		5 URL:
>> https://urldefense.com/v3/__https://www.ietf.org/internet-drafts/draft
>>
>>
>>
>>
>> 
-mudric-6man-lcs-00.txt__;!!OSsGDw!f7qBGY2iA8pCnxJAbIUGbxahnxInuh9WqA0
>> MxmIe6D_mOhy38kXzuv1SQv-G$
>> 
>> 
>> 
>> 
> Status:
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-mud
>>
>>
>>
>>
>> 
ric-6man-lcs/__;!!OSsGDw!f7qBGY2iA8pCnxJAbIUGbxahnxInuh9WqA0MxmIe6D_mO
>> hy38kXzuq3WYxzi$
>> 
>> 
>> 
>> 
> Htmlized:
>> https://urldefense.com/v3/__https://tools.ietf.org/html/draft-mudric-6
>>
>>
>>
>>
>> 
man-lcs-00__;!!OSsGDw!f7qBGY2iA8pCnxJAbIUGbxahnxInuh9WqA0MxmIe6D_mOhy3
>> 8kXzuvX3ounT$
>> 
>> 
>> 
>> 
> Htmlized:
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draf
>>
>>
>>
>>
>> 
t-mudric-6man-lcs__;!!OSsGDw!f7qBGY2iA8pCnxJAbIUGbxahnxInuh9WqA0MxmIe6
>> D_mOhy38kXzuqfeyVD5$
>> 
>> 
>> 
>> 
>> 
>>> 
>>> Abstract: This draft formulates a security problem statement.
>> The problem
>>> arises when a Host uses its Global Unicast Address
>> (GUA) to
>>> communicate with another Host situated on the same link.
>>> 
>>> To address this problem, we suggest to select and use
>> addresses of a
>>> least scope that are common.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from
>> the time of submission
>>> until the htmlized version and diff are available at
>> tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>>> 
>>> 
>>> --------------------------------------------------------------------
>>
>>>
>>>
>>>
>>
>>>
>>>
>>>
>>> 
IETF IPv6 working group mailing list
>>> ipv6@ietf.org Administrative Requests:
>> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
>>
>>
>>
>>
>> 
__;!!OSsGDw!fONP9f1G2DpYm4hiHyFwVVjqExwPBwSwmSlxAzxAgzOnTGru3lZoLcdvdY
>> KG$
>> 
>> 
>> 
>> 
>> --------------------------------------------------------------------
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email