IETF Logo Mail Archive

RE: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 17 September 2020 09:03 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A64E03A0B96 for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 02:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTBRU1vkrWZU for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 02:03:23 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3633A0B93 for <ipv6@ietf.org>; Thu, 17 Sep 2020 02:03:23 -0700 (PDT)
Received: from lhreml723-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 0E3B92FB56832B61DB12; Thu, 17 Sep 2020 10:03:21 +0100 (IST)
Received: from msceml705-chm.china.huawei.com (10.219.141.144) by lhreml723-chm.china.huawei.com (10.201.108.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 17 Sep 2020 10:03:20 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml705-chm.china.huawei.com (10.219.141.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 17 Sep 2020 12:03:20 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.1913.007; Thu, 17 Sep 2020 12:03:20 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Jen Linkova <furry13@gmail.com>
CC: "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
Thread-Topic: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
Thread-Index: AdaLXezVEsH+qntxRsm4qUh2TiwzjABb86DOAACBV6A=
Date: Thu, 17 Sep 2020 09:03:19 +0000
Message-ID: <de2dcac732d5478eb1165c06fe25445d@huawei.com>
References: <7120052452e644dcbf60485cb4224128@huawei.com> <CAFU7BATTpJtAPeKCJtapQCbwD2FFrYOH_ErfuPcZnO8uYar_kA@mail.gmail.com> <9cd9fb5962d44046871e7185ab344e34@huawei.com> <CAFU7BARs4N8X_DOe7CcRUKddo++qtDj9hWmreE3trCqO_q0rZg@mail.gmail.com>
In-Reply-To: <CAFU7BARs4N8X_DOe7CcRUKddo++qtDj9hWmreE3trCqO_q0rZg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.206.217]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rInWPZIV7XDU-j-HxXeeVeeBfZE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 09:03:26 -0000

Hi Jen,
See in-line
Ed/
> -----Original Message-----
> From: Jen Linkova [mailto:furry13@gmail.com]
> Sent: 17 сентября 2020 г. 11:37
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: ipv6@ietf.org
> Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred
> address
> 
> On Wed, Sep 16, 2020 at 7:28 PM Vasilenko Eduard
> <vasilenko.eduard@huawei.com> wrote:
> > If addresses is promoted to "Preferred", then DAD has passed.
> 
> We all know how "reliable" DAD is.
> AFAIR during Berlin IETF we got ~25% false negatives for DAD on the IETF WiFi.
[Ed: ] We have to assume that DAD work. Or else we need to scrape it.
Moreover, probability of unintentional duplicates is extremely small.
It is not just because 2^64, but additionally lost multicast.
> 
> >Then there is no way to shut up any host (from both duplicates).
> 
> Not sure what you mean...Could you please elaborate?
[Ed: ] Before DAD finish - it is possible to send negative NA and push at least one host out of this address.
> 
> > Very bad things would happen:
> > Only one would win the fight for neighbor cache record on the router.
> >
> > 1-way MITM: other one would sent upstream normal, but return traffic would
> go to first host.
> 
> Let's not call it MITM unless the first host is malicious and intends to forward
> traffic back to the second host.
[Ed: ] I am developing security feature. I should assume that 1st or 2nd could be the Intruder.
> 
> > 2-way MITM at the same time: You could not assume what host (first or
> second) is more valuable - second one could be the important server after
> reboot.
> >Then other one would get all requests to applications (DB, File Server, Web)
> from outside of the subnet. At least to collect passwords, and may be much
> more... depends on application type.
> >
> >
> >
> > My problem: router could not see duplicity (and help) if at least legal host
> would not be persuasive to claim neighbor cache entry on the router.
> 
> I believe you need to define 'the legitimate' first.
> The grand draft follows the approach of the Optimistic DAD RFC4429:
> the host which got the address first is the rightful owner. The newcomer should
> not cause any disruption.
[Ed: ] It is the wrong approach: 1st is not always right.
I have shown already the situation when Intruder would catch server in reload that would give him chances to impersonate valuable corporate Server with application that everybody use.
If we have duplicate addresses and both are trying to use it - both should be blocked.
It would not happen without Intruder, because DAD should shut up one.
> 
> > Override flag set does permit for router to understand that address has
> achieved Preferred status (not optimistic) - action could be taken now.
> 
> I feel like I need to read your draft first so we can establish some common
> ground for the discussion.
[Ed: ] It is very right comment - it is very weak point in all this discussion that I have initiated. I hope very soon.
> Has it been submitted and I missed it? If you could provide a link, it would be
> highly appreciated.
> 
> > In general, I do not respect this story about "first-come/first-serve" (I propose
> to block both).
> 
> So far I'm afraid we disagree on this topic.
> As an operator I have a strong preference on minimizing the disruption for the
> existing elements.
> When I'm adding a new element to the network and there is smth wrong with it
> (e.g. a duplicated address), I want the new element to malfunction, not smth
> else.
[Ed: ] But what if such "disruption" could not happen in normal operation (address collision followed by DAD fail has very low probability).
What if it is clear evidence that you have Intruder. Would you put Security on priority? not convenience for NOC.
Especially in the respect to MITM and leakage of information.
> 
> >
> > -----Original Message-----
> > From: Jen Linkova [mailto:furry13@gmail.com]
> > Sent: 16 сентября 2020 г. 5:29
> > To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> > Cc: ipv6@ietf.org
> > Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for
> > preferred address
> >
> >
> >
> > On Tue, Sep 15, 2020 at 10:55 PM Vasilenko Eduard
> <vasilenko.eduard@huawei.com> wrote:
> >
> > > I did believe that your draft has already passed last call, I was late. Hence, I
> did not make one important comment.
> >
> >
> >
> > That's perfectly fine - as the IESG asked for both drafts (v6ops-nd-cache-init
> and 6man-grand) to be merged, there will be another WGLC for 6man-grand.
> >
> >
> >
> > > Meanwhile, I was working on my draft how to block MITM in ND. I am very
> unhappy about the leakage of information - you probably remember.
> >
> > > I have almost finished - MITM blocked except very corner cases of host-to-
> host communication (no routers).
> >
> > > But after many discussions with co-author we have found 1 hole that has
> been patched in this way:
> >
> > >
> >
> > > * Section 7.2.6 (Sending unsolicited NA) of [ND], add at the end:
> >
> > > A node SHOULD send Neighbor Advertisement message with Override flag
> set to the all-routers multicast address after respective address would change
> state to preferred.
> >
> > >
> >
> > > There is the section later that explains interoperability with all ND-related
> extensions. Interoperability to GRAND is explained in this way:
> >
> > > [Gratuitous ND] operates as intended in the combination with [Optimistic
> DAD].
> >
> > > [Gratuitous ND] is effectively replaced by this document for the case when
> address is progressed to preferred, because stronger form of unsolicited NA
> (with override bit set) is proposed.
> >
> > >
> >
> > > May be I am asking too much (you better know IETF practices).
> >
> > > 1. Could you consider to set Override flag after address progressed to
> Preferred? I need SHOULD.
> >
> > > 2. Could you consider to recommend to send at least 1 unsolicited NA after
> address would go to preferred? I need SHOULD.
> >
> >
> >
> > Setting O=1 would drastically increase the risk of disruption for a 'rightful'
> address owner, in case of duplicated addresses.
> >
> > If a host configures a new preferred address while the same address is in use
> by another host:
> >
> > - [without GRAND] the rightful owner continues to receive its traffic (and,
> potentially, some packets which actually belong to the new host). The new host
> does not have connectivity.
> >
> > - [with GRAND] the same
> >
> > - [ GRAND + O=1] the rightful owner losing the connectivity, and the new host
> starts receiving traffic for its own flows and some traffic which belongs to the
> rightful address owner.
> >
> >
> >
> > --
> >
> > SY, Jen Linkova aka Furry
> 
> 
> 
> --
> SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email