IETF Logo Mail Archive

Re: [v6ops] IPv6 link-local traffic questions

Erik Kline <ek.ietf@gmail.com> Tue, 24 March 2020 05:48 UTC

Return-Path: <ek.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A783A0EE9; Mon, 23 Mar 2020 22:48:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c6G6ASJD7x3s; Mon, 23 Mar 2020 22:47:55 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6B7B3A0799; Mon, 23 Mar 2020 22:47:29 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id m14so959647oic.0; Mon, 23 Mar 2020 22:47:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ajQavUoaNeuied3lBwVPMc54hF5Ge0+oKnlhKMlGXbo=; b=dnNG65v82IuOqyaVA9xyuJsDGDQsGoVFOOTY255dd8/1ynkTmjgeEyOOM2UOsCdDyt Msks40jUtVnVT05f/zE6yp7QmQDpMdKkz82ENNsDZ/njfuanEJUM5lW6Gu7UHmKX9Np3 4KxObM08H41NQNEQ+KpO6UhV5k2MnY2i7Qn/LhbcImYL9EZSSf9CPaU0raniYpfjryzd 0TkXlK9ZYH99tBeiUrJcfqH9CvZsxGjzZ+GcN4EYWhKLyATc96KNdpOX7AKAUv+8VwtY V1/skSYYB2EnDXd99DAkLPIZOWd/qqOf75CCxIfDzh+tSt1SZzQ9G4eVFH+aIclHrv4c sGLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ajQavUoaNeuied3lBwVPMc54hF5Ge0+oKnlhKMlGXbo=; b=E5nWCYupROo72/4htTDL11haXCmDIZuO83c0U6r9vn8TwOgq2im7ZmwJLVr2KUwd1l awMdFmSH+U8D5NAgMLsce+N4wxH9xq64sJ/bz+wu6ie08Nb+wMADMBwK25t47FCOUS/q zWfmF5hiqYkOvaDS0pFpxN6Vmt5V54V9UW0SvLntnhYQAJnhgZfgRHcRR7CNvV59FYGU JPgmwkd4REu0bGp/IEnN0SBWSZx5vDwz0eNutYr9yZ8owtGIsVnFK9w6Wyg/4s6P9CAv RqBcz8eABM90i2XxMLoXp1EH2L7G+neE4LO5nA5W6U9ak/DsBVgmxqU7oVI3e0oD4vWT kH8A==
X-Gm-Message-State: ANhLgQ3/f3gDm9JncNlVGUlYPgCL0mAZ34Ee0vbZ2gHQimgD9+smGsk5 I/789KhFMzbNRrtjhzQzCd5Fi3CGha+DXzXyB28=
X-Google-Smtp-Source: ADFU+vtiuawlIKoEbu5pfJftPvPODQvrLlzQ0+cgVNzP7lGFP/VB0Jz3u28bjDurmHy9Sa+tkRw6TcJUsVXBgFwEazk=
X-Received: by 2002:aca:5194:: with SMTP id f142mr2316989oib.100.1585028837691; Mon, 23 Mar 2020 22:47:17 -0700 (PDT)
MIME-Version: 1.0
References: <20200312000016.GO54522@faui48f.informatik.uni-erlangen.de> <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com> <CABNhwV1uCFHCO9r3NK7QeqZ4gvrquoD_534LXoykaf59S48rpA@mail.gmail.com> <1584173474.2857.102.camel@biplane.com.au> <CABNhwV3VCPmcaGNyf=9dX4vcrsSreRGgkRDh0zQD+VLqG-g63Q@mail.gmail.com> <CABNhwV0D71380ZPWTLHu-LM=sz1OK6aB0du=g7uW-gxLdfGvsg@mail.gmail.com> <CA+wi2hMPk6init=1Q1+S0SzTCzOqSDbMNpsD4rUBB0VEo1BkfA@mail.gmail.com> <CABNhwV3Z=YPvU3=X4WOxF1+JRBMovucOdVDa67g1Tv4Yo7+G+A@mail.gmail.com>
In-Reply-To: <CABNhwV3Z=YPvU3=X4WOxF1+JRBMovucOdVDa67g1Tv4Yo7+G+A@mail.gmail.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Mon, 23 Mar 2020 22:47:06 -0700
Message-ID: <CAMGpriVoOufyFhn8tzYvO5S3jJ5=eJz324=3jPJQmK1MiyPQ2g@mail.gmail.com>
Subject: Re: [v6ops] IPv6 link-local traffic questions
To: Gyan Mishra <hayabusagsm@gmail.com>
Cc: Tony Przygienda <tonysietf@gmail.com>, V6 Ops List <v6ops@ietf.org>, 6man <6man@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d455d505a1934815"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rwax9n9188svhLSwQ1ufjDWU9jM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 05:48:08 -0000

On Fri, Mar 20, 2020 at 7:59 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
>
> On Fri, Mar 20, 2020 at 9:59 PM Tony Przygienda <tonysietf@gmail.com>
> wrote:
>
>> Yepp, that's personally I prefer on multicast TTL=1 (and also on ISIS &
>> e.g. on expired draft where we were carrying ISIS natively over IP). The
>> cost of a frame running away unintended multiple-hops in a control protocol
>> without a tunnel are simply NOT fun.  The cost of such a thing (and it
>> happened MORE than once) outweighs IMO the minor security advantage.
>>
>> If you read v6 BIER drafts you should read
>> https://datatracker.ietf.org/doc/draft-zhang-bier-bierin6/ which has
>> been published much, much earlier ...
>>
>> --- tony
>>
>> TTL security is a necessity for ND with limited risk of run away ND
>> packets as it’s  minimal bandwidth usage.
>>
>
>    With a multicast stream the risk is much greater if forwarded multiple
> hops past the BFER PE as stated and maybe a high data rate stream so
> undesirable to ever happen.
>
>  ND is the only protocol I know of that uses TTL security.
>
> I would go with TTL=1.
>

Certainly RFC 4861 message validation sections say the message has to have
a hop limit of 255, so it should go without saying that the spec should be
followed where such text exists.

Also BGP and other routing protocols can use hop limit security.  GTSM (
https://tools.ietf.org/html/rfc5082).  Specifically:
https://tools.ietf.org/html/rfc5082#section-5.1

If security is a concern in the v6 tunnel, is it possible to add
> cryptography to BIER or even setting security TLV in the BIER header
> encoded in the DO on the BFIR and then validate the TLV encoding on the
> BFER destination endpoint.
>
>
>
>> On Sat, Mar 14, 2020 at 10:38 AM Gyan Mishra <hayabusagsm@gmail..com
>> <hayabusagsm@gmail.com>> wrote:
>>
>>>
>>> Toreless & Tony
>>>
>>> I read through the draft for BIER over IPv6.
>>>
>>> https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06
>>>
>>> So since the BIER header bitmask that denotes the BFERs in the Domain to
>>> replicate the multicast packets is encoded in the DestOp processed by the
>>> BFER, the packets should not be forwarded past the BFER is my guess is with
>>> ttl 255.  With IPv6 ND with ttl 255 example the packet can be forwarded
>>> past the adjacent node but I have not seen that happen.  I believe Jen
>>> Linkova on this thread has seen that. Since the BFER dest options has to
>>> have the BIER bit mask encoding or the packet is dropped I believe is your
>>> security protection from forwarding past the BIER with 255 ttl if you
>>> decided to go that route.
>>>
>>> Under BIERv6 packet processing should help if ttl 255 is used to prevent
>>> forwarding outside of bier domain
>>>
>>> A packet having a 'BIER Specific Handling' indication but not having
>>>    a BIER option is supposed to be a wrong packet or an ICMPv6 packet,
>>>    and the process can be refered to the example in section 3.2 <https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06#section-3.2>.
>>>
>>>    A packet not having a 'BIER Specific Handling' indication but having
>>>    a BIER option SHOULD be processed normally as unicast forwarding
>>>    procedures, which may be a behavior of drop, or send to CPU, or other
>>>    behaviors in existing implementations.
>>>
>>>
>>> Under 5.3 security considerations should also help with ttl 255 and
>>> forwarding outside of BIER domain
>>>
>>> For a router incapable of BIERv6, such BIERv6 packet will not be
>>>    processed by the procedure described in this document, but be
>>>    processed as normal IPv6 packet with unknown option, and the existing
>>>    security considerations for handling IPv6 options apply.  Possible
>>>    way of handling IPv6 packets with BIER option may be send to CPU for
>>>    slow path processing, with rate-limiting, or be discarded according
>>>    to the local policy.
>>>
>>>    For a router capable of BIERv6, such BIERv6 packet MUST NOT be
>>>    forwarded, but should be processed as a normal IPv6 packet with
>>>    unknown option, or additionally and optionally be countered and
>>>    logged if the router is capable of doing so.
>>>
>>>
>>> Kind regards
>>>
>>> Gyan
>>>
>>> On Sat, Mar 14, 2020 at 10:31 AM Gyan Mishra <hayabusagsm@gmail.com>
>>> wrote:
>>>
>>>>
>>>> Makes sense.
>>>>
>>>> Thanks
>>>>
>>>> Gyan
>>>>
>>>> On Sat, Mar 14, 2020 at 4:12 AM Karl Auer <kauer@biplane.com.au> wrote:
>>>>
>>>>> On Sat, 2020-03-14 at 02:07 -0400, Gyan Mishra wrote:
>>>>> > I always wondered why RFC 4862 states that ND & RD packets have TTL
>>>>> > 255.
>>>>>
>>>>> >From RFC4861:
>>>>>
>>>>>    "By setting the Hop Limit to 255, Neighbor Discovery
>>>>>     is immune to off-link senders that accidentally or
>>>>>     intentionally send ND messages.  In IPv4, off-link
>>>>>     senders can send both ICMP Redirects and Router
>>>>>     Advertisement messages."
>>>>>
>>>>> RFC4861 also requires RA and NA packets with any other TTL value to be
>>>>> silently discarded by any receiving node.
>>>>>
>>>>> I can't find my original source, but my notes in a training course I
>>>>> developed a while ago have this to say about why:
>>>>>
>>>>>    "Why does 255 mean “local source”? Because routers
>>>>>     decrement the hop limit on packets passing through
>>>>>     them, and discard packets where the hop count
>>>>>     decrements to zero. It is impossible to decrement
>>>>>     a one-byte counter to 255 without passing through
>>>>>     zero, because 255 is the maximum value such a counter
>>>>>     can have. So the value 255 means that the packet must
>>>>>     have been generated on the local link."
>>>>>
>>>>> Probably would be better expressed as "must have originated on the
>>>>> local link".
>>>>>
>>>>> Regards, K.
>>>>>
>>>>> --
>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>> Karl Auer (kauer@biplane.com.au)
>>>>> http://www.biplane.com.au/kauer
>>>>> http://twitter.com/kauer389
>>>>>
>>>>> GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
>>>>> Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> v6ops mailing list
>>>>> v6ops@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>>
>>>> --
>>>>
>>>> Gyan  Mishra
>>>>
>>>> Network Engineering & Technology
>>>>
>>>> Verizon
>>>>
>>>> Silver Spring, MD 20904
>>>>
>>>> Phone: 301 502-1347
>>>>
>>>> Email: gyan.s.mishra@verizon.com
>>>>
>>>>
>>>>
>>>> --
>>>
>>> Gyan  Mishra
>>>
>>> Network Engineering & Technology
>>>
>>> Verizon
>>>
>>> Silver Spring, MD 20904
>>>
>>> Phone: 301 502-1347
>>>
>>> Email: gyan.s.mishra@verizon.com
>>>
>>>
>>>
>>> --
>
> Gyan  Mishra
>
> Network Engineering & Technology
>
> Verizon
>
> Silver Spring, MD 20904
>
> Phone: 301 502-1347
>
> Email: gyan.s.mishra@verizon.com
>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email