Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Sat, 18 January 2014 08:58 UTC

Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 264541ADE87 for <ipv6@ietfa.amsl.com>; Sat, 18 Jan 2014 00:58:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9bAceL3fQ8V0 for <ipv6@ietfa.amsl.com>; Sat, 18 Jan 2014 00:58:42 -0800 (PST)
Received: from nm18-vm4.bullet.mail.ne1.yahoo.com (nm18-vm4.bullet.mail.ne1.yahoo.com [98.138.91.178]) by ietfa.amsl.com (Postfix) with ESMTP id F33441ADDCA for <ipv6@ietf.org>; Sat, 18 Jan 2014 00:58:41 -0800 (PST)
Received: from [98.138.101.132] by nm18.bullet.mail.ne1.yahoo.com with NNFMP; 18 Jan 2014 08:58:29 -0000
Received: from [98.138.86.157] by tm20.bullet.mail.ne1.yahoo.com with NNFMP; 18 Jan 2014 08:58:29 -0000
Received: from [127.0.0.1] by omp1015.mail.ne1.yahoo.com with NNFMP; 18 Jan 2014 08:58:29 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 113366.65889.bm@omp1015.mail.ne1.yahoo.com
Received: (qmail 91642 invoked by uid 60001); 18 Jan 2014 08:58:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s1024; t=1390035509; bh=NplnEFOx5RAE8rq4xW3cdDASlBphh7/p8NszOS1XcuI=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=mT87r4kikfckhyyFopPRFrVpeFtsqmaB10JbGNw5Z6MTz6hiFi2eHvYs9kh+qqrXNnu6StYC1lQGBFSykvZ+0IZ+/yCjrudU97Vg7omDOxfSgWzc19F4C4nj/z3yKF/VczATb7U5kxnxrk1vLxpEi2C2HkcmJcaYeCeuP6t+P6w=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=OAwwGZBdBTH4jeASAJT1aW30N+i+bIzCHQrQZneDT6u5wlXDJkFhv+Ngxn+vkelqFtjRFGWoOXtFybT8Y2RUEk9MAFkwiLPJCFkpmmtSbp6hCRgB0FmEam3ELdxSyKq2IfWemjrLCWi1czWD26rB/fWpNYblR6P7IIl/CkFXx9Y=;
X-YMail-OSG: mvXTV.UVM1lL28XbQSwalD6GVkuryL6n2DXfFRYy6Epd57v R3PMY2xKmFmOeDDEASlYoNEVg8Bbgw2ufVOFaxnalJVrlxua7EvudN1jPdXX wgShSro8_UqrlkVI66CvafzfWOAP1JICCsJ5NZT.HEEGjvy4QOURuj9BFie_ dIbYxbrm7c21OjJ8LLYi6TW_n0HgYwlVpOhGpspU7FmhVDuXaPo8fnvh0..G lagO.0ia3W_RlSWrO_k66BqCT3WlP33.eVhpfqL6fRPy1dyIYSqwNWfE.I6S nabEqJZWk99CTTkvda1CANYs1OuK4AAmaRyi4lb0QPJrufE1SuEZH9BRHTTO s_Ecgf5024c2_MHTYwFmBicXcPzTfZGgKWjBBAB7U.oDeOXpC7DsKbud3Qcp FJPERjxH2VECJbjqQLWggxpuvEdvo9Yn7BbojRI1hLOn_hrkxjcUONMCOSR8 gaf8dGcrsSz2Mru6hvnh1Gft5HTO1Mp9S4QuDsV_.3QRgFqJp2kuAfXyktTc HTbQDl8UlF6zhzcByBPhDjtYKdBYlA4eG0iFQZUJUjKKptqiunyRHntst5Qb TVn0TYPZ7qZBnsSlTHH.fd9jmG_Cmdw--
Received: from [150.101.221.237] by web120503.mail.ne1.yahoo.com via HTTP; Sat, 18 Jan 2014 00:58:28 PST
X-Rocket-MIMEInfo: 002.001, CgoKCi0tLS0tIE9yaWdpbmFsIE1lc3NhZ2UgLS0tLS0KPiBGcm9tOiBHcmVnIERhbGV5IDxnZGFsZXlAYXUubG9naWNhbGlzLmNvbT4KPiBUbzogJ0luZy1XaGVyIENoZW4nIDxpbmctd2hlci5jaGVuQGVyaWNzc29uLmNvbT47ICJpcHY2QGlldGYub3JnIiA8aXB2NkBpZXRmLm9yZz4KPiBDYzogCj4gU2VudDogRnJpZGF5LCAxNyBKYW51YXJ5IDIwMTQgMToxNCBQTQo.IFN1YmplY3Q6IFJFOiBOZXcgVmVyc2lvbiBOb3RpZmljYXRpb24gZm9yIGRyYWZ0LWhhbHBlcm4tNm1hbi1uZC1wcmUtcmVzb2x2ZS1hZGQBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.173.622
References: <20140111004402.10451.90724.idtracker@ietfa.amsl.com> <BF6E0BD839774345977891C597F8B50C5CE74C@eusaamb109.ericsson.se> <72381AF1F18BAE4F890A0813768D992817FCA84E@sdcexchms.au.logicalis.com>
Message-ID: <1390035508.23310.YahooMailNeo@web120503.mail.ne1.yahoo.com>
Date: Sat, 18 Jan 2014 00:58:28 -0800
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Subject: Re: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
To: Greg Daley <gdaley@au.logicalis.com>, 'Ing-Wher Chen' <ing-wher.chen@ericsson.com>, "ipv6@ietf.org" <ipv6@ietf.org>
In-Reply-To: <72381AF1F18BAE4F890A0813768D992817FCA84E@sdcexchms.au.logicalis.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2014 08:58:43 -0000




----- Original Message -----
> From: Greg Daley <gdaley@au.logicalis.com>
> To: 'Ing-Wher Chen' <ing-wher.chen@ericsson.com>; "ipv6@ietf.org" <ipv6@ietf.org>
> Cc: 
> Sent: Friday, 17 January 2014 1:14 PM
> Subject: RE: New Version Notification for draft-halpern-6man-nd-pre-resolve-addr-00.txt
> 
> Hi Helen,
> 
<snip>

> 
> 3/ Monitor the solicited nodes' addresses in the MLD querier router, and do 
> not transmit an NS from off-link for an incomplete address unless someone is 
> listening.
>

So I've been thinking for the last few months that this method could be a useful further mitigation to off-link ND cache attacks for routers. I've been writing something up which I've been planning to finish and post in the next week or so.

I think it could be fairly effective - there are a total of 2^24 possible solicited-node multicast groups on a link, whereas there will only be as many present ones as there are IIDs with unique lower 24 bits. For most subnets I think that will number in the order of 10s or 100s, and perhaps on rare occasions in the low 1000s. So NSes would only be necessary for e.g. a 1000/2^24 portion of the unicast address space; otherwise the packets that would trigger them can be dropped (or perhaps sent to an RFC6018 greynet collector).

A neighbor cache attack is likely to still be possible for the 2^40 portions of unicast address space covered by each of the present solicited-node multicast groups; however, Fernando's Stable/Opaque IID draft would make them harder to find, even though it will increase the number of them, as there is a unique Opaque IID per prefix.

All routers listening to MLD track group membership, not just the MLD querier, so all routers on the link could implement this method.

Regards,
Mark.
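The gating idea described in the message above, modelled as an added example (this is not code from the draft, from the list discussion, or from any router implementation). The model assumes a router that learns solicited-node group membership on a link from MLD reports, checks its neighbor cache first, and for an unresolved on-link destination only sends NS when the destination's solicited-node group (ff02::1:ffXX:XXXX, low 24 bits copied from the unicast address, per RFC 4291) has at least one listener; everything else is dropped or handed to a greynet collector. The MLD reports and destinations are constructed sample input, and the class and method names are this example's own.

```python
"""Model of gating off-link-triggered Neighbor Solicitation on MLD-observed
solicited-node multicast groups. Added example: not code from the draft, the
mailing list, or any vendor. Names (NdGate, decide, ...) are this example's own.
"""
import ipaddress

# RFC 4291 s2.7.1: solicited-node group = ff02::1:ff00:0/104 with the low
# 24 bits of the unicast address appended.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
SOLICITED_NODE_GROUPS_TOTAL = 2 ** 24  # all possible groups on one link


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Return the solicited-node multicast group a unicast address maps to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(
        int(SOLICITED_NODE_PREFIX.network_address) | low24)


def triggerable_fraction(present_groups: int) -> float:
    """Fraction of the on-link address space for which an off-link packet can
    still force an NS (and a neighbor cache entry) once gating is in place."""
    return present_groups / SOLICITED_NODE_GROUPS_TOTAL


class NdGate:
    """Per-link state for one router: the on-link prefix, the neighbor cache
    entries already resolved, and the solicited-node groups seen in MLD."""

    def __init__(self, on_link_prefix: str, greynet: bool = False):
        self.prefix = ipaddress.IPv6Network(on_link_prefix)
        self.greynet = greynet            # hand unsolicited traffic to a collector
        self.present_groups = set()       # solicited-node groups with listeners
        self.neighbor_cache = set()       # addresses already resolved (REACHABLE)

    # --- MLD side: every router listening to MLD can maintain this ---------
    def mld_report(self, group: str) -> None:
        """Process an MLD Report; only solicited-node groups matter here."""
        g = ipaddress.IPv6Address(group)
        if g in SOLICITED_NODE_PREFIX:
            self.present_groups.add(g)

    def mld_done(self, group: str) -> None:
        """Process an MLD Done (or membership timeout) for a group."""
        self.present_groups.discard(ipaddress.IPv6Address(group))

    # --- ND side ---------------------------------------------------------
    def neighbor_resolved(self, addr: str) -> None:
        self.neighbor_cache.add(ipaddress.IPv6Address(addr))

    def decide(self, dst: str) -> str:
        """Decide what to do with a packet arriving from off-link for dst.

        'route'   : dst is not on this link, normal forwarding applies
        'deliver' : neighbor cache already holds dst
        'ns'      : dst's solicited-node group has a listener, NS is allowed
        'greynet' : no listener; packet diverted to a collector (RFC 6018 style)
        'drop'    : no listener; packet dropped, no cache entry is created
        """
        d = ipaddress.IPv6Address(dst)
        if d not in self.prefix:
            return "route"
        if d in self.neighbor_cache:
            return "deliver"
        if solicited_node_group(dst) in self.present_groups:
            # Attack surface that remains: the 2^40 addresses sharing this
            # group's low 24 bits can still trigger NS.
            return "ns"
        return "greynet" if self.greynet else "drop"


if __name__ == "__main__":
    gate = NdGate("2001:db8:1::/64")
    # Constructed MLD reports from two hosts; ff02::fb (mDNS) is not a
    # solicited-node group and is ignored by the gate.
    for grp in ("ff02::1:ff04:5", "ff02::1:ffa1:b2c3", "ff02::fb"):
        gate.mld_report(grp)
    for dst in ("2001:db8:1::4:5", "2001:db8:1::dead:beef", "2001:db8:2::1"):
        print(dst, "->", gate.decide(dst))
    print("fraction still triggerable:",
          triggerable_fraction(len(gate.present_groups)))
```

Two properties of the model are worth keeping in mind when reading it: a host with link-local and global addresses built from the same IID joins one group, not two, which is the "unique lower 24 bits" count in the message; and the gate never refuses an NS for a destination whose group is present, so the residual exposure is exactly the 2^40 addresses behind each present group that the message describes.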