IETF Logo Mail Archive

RE: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 17 September 2020 09:22 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F34443A0BC4 for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 02:22:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSgWemTVDUVw for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 02:22:41 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FBF43A0BC1 for <ipv6@ietf.org>; Thu, 17 Sep 2020 02:22:41 -0700 (PDT)
Received: from lhreml742-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id D31DC2B7924671ADE79E; Thu, 17 Sep 2020 10:22:38 +0100 (IST)
Received: from msceml704-chm.china.huawei.com (10.219.141.143) by lhreml742-chm.china.huawei.com (10.201.108.192) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 17 Sep 2020 10:22:38 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml704-chm.china.huawei.com (10.219.141.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 17 Sep 2020 12:22:37 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.1913.007; Thu, 17 Sep 2020 12:22:37 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Jen Linkova <furry13@gmail.com>
CC: "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
Thread-Topic: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
Thread-Index: AdaLXezVEsH+qntxRsm4qUh2TiwzjAAWg9UAABMUOFAAA6PTUAApBhKAAAasABA=
Date: Thu, 17 Sep 2020 09:22:37 +0000
Message-ID: <097e4d0d7e594541accdcabb3eba2b72@huawei.com>
References: <7120052452e644dcbf60485cb4224128@huawei.com> <CAFU7BATTpJtAPeKCJtapQCbwD2FFrYOH_ErfuPcZnO8uYar_kA@mail.gmail.com> <9cd9fb5962d44046871e7185ab344e34@huawei.com> <54658b6d40e3476eab9edfb807769b6f@huawei.com> <CAFU7BASsOZ7QMaCV9Su1REODUY3L4Wm0PDfT0Z7RcKWyb4xmHg@mail.gmail.com>
In-Reply-To: <CAFU7BASsOZ7QMaCV9Su1REODUY3L4Wm0PDfT0Z7RcKWyb4xmHg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.206.217]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/t6jNoRtChTV5gcxLQxZzpM9cdes>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 09:22:44 -0000

In-line

> -----Original Message-----
> From: Jen Linkova [mailto:furry13@gmail.com]
> Sent: 17 сентября 2020 г. 11:54
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: ipv6@ietf.org
> Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred
> address
> 
> On Wed, Sep 16, 2020 at 8:32 PM Vasilenko Eduard
> <vasilenko.eduard@huawei.com> wrote:
> > Intruder would not obey ND rules – he would set Override flag (and probably
> Solicited too).
> >
> > Hence, GRAND could not improve security by extremely gentle behavior on
> legal hosts (O=0).
> 
> The GRAND goal is NOT to increase security. Not at all. 
[Ed: ] I know
GRAND operates in the
> existing ND landscape and threat model.
[Ed: ] "Threat model" RFC is fully obsolete. It does not have discussion about MITM, not at all.
And it is not very useful to just reference to "Threat model" - it is not a good excuse. It is better to discuss the essence of particular problems.
> Whatever attack is possible with the current ND state machine, would be
> possible with GRAND. I believe that GRAND does not introduce any new security
> issues.
[Ed: ] In reality it does. I would show you in the draft. Intruder would intercept tens of ms more traffic with GRAND in some corner case (in the beginning after host inactivity).
But current MITM attack is so effective that it does not make sense to block GRAND or improve it in any way.
> 
> > As we discussed before: address collision on 2^64 space that would follow by
> DAD lost – is extremely low probability for legal hosts.
> 
> I've seen duplicated addresses way too many times.
[Ed: ] Ops, Please educate me why?
> 
> >Moreover, it assumes that multicast was lost and ND does not operate
> properly – not good assumption.
> 
> It's a reality on the ground. Like it or not. Multicast, especially on busy WiFi
> networks, is unreliable.
[Ed: ] Then we need to redefine ND completely. Then my efforts to fix ND is useless.
We should not rely on something that everybody believe "does not work".
> 
> > You would not lose much setting O=1 for preferred - it is legal by ND
> architecture if address progressed to Preferred.
> 
> Let me explain my concern.
> I have an operational issue: not a huge but rather annoying one. I'd like to solve
> it with minimal disruption to existing mechanisms.
> Whatever works now should work as before.
> I'm not trying to drastically improve ND, make it more secure or anything. I
> noticed an assumption in the state machine logic which is not always true, and
> I'd like to fix it.
[Ed: ] It is perfectly logical position in the scope "just GRAND, other things are not in scope".
I am trespassing you tolerance pushing you to expand scope a little bit
(without big problem for GRAND or ND or any current practices)
> 
> Now, you are suggesting a bit more disruptive way of doing things. It looks to
> me that your suggestion is a part of a big and ambitious plan to drastically
> change the ND logic - sorry, I'm guessing here as I've not read your draft yet.
[Ed: ] I hope not drastically. Or else it would be rejected by market and this working group.
> 
> When I change smth - a network, a code or  a protocol - I prefer to minimize the
> scope of the change and do not make changes of a different nature in one
> attempt.
[Ed: ] I do understand that you would not do this till you would read my draft and understand justification.
You are right: you do not have any justification now, even for small thing that I am asking.
> So my suggestion is: let's discuss GRAND in its context and then your draft can
> propose updates to RFC4861 which may or may not override the GRAND
> changes.
[Ed: ] I would not vote against current GRAND.
Because if my proposal would be rejected - then you have the optimum now.
I do not know how to do GRAND better for the current (narrow) scope.
> 
> > Because else I have to propose Override GRAND
> 
> Looking forward to reading your draft.
> 
> > From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Vasilenko
> > Eduard
> > Sent: 16 сентября 2020 г. 12:29
> > To: Jen Linkova <furry13@gmail.com>
> > Cc: ipv6@ietf.org
> > Subject: RE: I-D Action: draft-ietf-6man-grand-02 - override flag for
> > preferred address
> >
> >
> >
> > Hi Jen,
> >
> > If addresses is promoted to "Preferred", then DAD has passed. Then there is no
> way to shut up any host (from both duplicates). Very bad things would happen:
> >
> > Only one would win the fight for neighbor cache record on the router.
> >
> > 1-way MITM: other one would sent upstream normal, but return traffic would
> go to first host.
> >
> > 2-way MITM at the same time: You could not assume what host (first or
> second) is more valuable - second one could be the important server after
> reboot. Then other one would get all requests to applications (DB, File Server,
> Web) from outside of the subnet. At least to collect passwords, and may be
> much more... depends on application type.
> >
> >
> >
> > My problem: router could not see duplicity (and help) if at least legal host
> would not be persuasive to claim neighbor cache entry on the router.
> >
> > Override flag set does permit for router to understand that address has
> achieved Preferred status (not optimistic) - action could be taken now.
> >
> >
> >
> > In general, I do not respect this story about "first-come/first-serve" (I propose
> to block both). I have this text in my draft:
> >
> > It could be the temptation to minimize Intercepted Victim disruption by
> blocking only the second node (first-come/first-serve approach). The Intruder
> would be the second in the majority of cases that would minimize disruption for
> Intercepted Victim. Unfortunately, there are less probable cases when Intruder
> would be capable to catch server with popular application in reload or upgrade
> state - than legal node would be blocked. The Intruder would be capable to
> pretend to be the particular application and start collection of valuable
> information from users that would visit this application. It would be at least
> login credentials and could be much more depending on application type. It is
> the leakage of information again. The leakage of information is considered
> much high security problem then DoS, hence such conversion of DoS back into
> leakage is not acceptable. Vulnerability harm is more important than the
> probability of vulnerability. It is especially true for [ND] where we have other
> DoS vulnerabilities anyway.
> >
> > Only cryptographically based authentication does permit to really minimize
> DoS disruption for legal node.
> >
> > Eduard
> >
> > -----Original Message-----
> > From: Jen Linkova [mailto:furry13@gmail.com]
> > Sent: 16 сентября 2020 г. 5:29
> > To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> > Cc: ipv6@ietf.org
> > Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for
> > preferred address
> >
> >
> >
> > On Tue, Sep 15, 2020 at 10:55 PM Vasilenko Eduard
> <vasilenko.eduard@huawei.com> wrote:
> >
> > > I did believe that your draft has already passed last call, I was late. Hence, I
> did not make one important comment.
> >
> >
> >
> > That's perfectly fine - as the IESG asked for both drafts (v6ops-nd-cache-init
> and 6man-grand) to be merged, there will be another WGLC for 6man-grand.
> >
> >
> >
> > > Meanwhile, I was working on my draft how to block MITM in ND. I am very
> unhappy about the leakage of information - you probably remember.
> >
> > > I have almost finished - MITM blocked except very corner cases of host-to-
> host communication (no routers).
> >
> > > But after many discussions with co-author we have found 1 hole that has
> been patched in this way:
> >
> > >
> >
> > > * Section 7.2.6 (Sending unsolicited NA) of [ND], add at the end:
> >
> > > A node SHOULD send Neighbor Advertisement message with Override flag
> set to the all-routers multicast address after respective address would change
> state to preferred.
> >
> > >
> >
> > > There is the section later that explains interoperability with all ND-related
> extensions. Interoperability to GRAND is explained in this way:
> >
> > > [Gratuitous ND] operates as intended in the combination with [Optimistic
> DAD].
> >
> > > [Gratuitous ND] is effectively replaced by this document for the case when
> address is progressed to preferred, because stronger form of unsolicited NA
> (with override bit set) is proposed.
> >
> > >
> >
> > > May be I am asking too much (you better know IETF practices).
> >
> > > 1. Could you consider to set Override flag after address progressed to
> Preferred? I need SHOULD.
> >
> > > 2. Could you consider to recommend to send at least 1 unsolicited NA after
> address would go to preferred? I need SHOULD.
> >
> >
> >
> > Setting O=1 would drastically increase the risk of disruption for a 'rightful'
> address owner, in case of duplicated addresses.
> >
> > If a host configures a new preferred address while the same address is in use
> by another host:
> >
> > - [without GRAND] the rightful owner continues to receive its traffic (and,
> potentially, some packets which actually belong to the new host). The new host
> does not have connectivity.
> >
> > - [with GRAND] the same
> >
> > - [ GRAND + O=1] the rightful owner losing the connectivity, and the new host
> starts receiving traffic for its own flows and some traffic which belongs to the
> rightful address owner.
> >
> >
> >
> > --
> >
> > SY, Jen Linkova aka Furry
> 
> 
> 
> --
> SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email