IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-grand>

Mark Smith <markzzzsmith@gmail.com> Thu, 23 July 2020 20:55 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A16F3A0D90 for <ipv6@ietfa.amsl.com>; Thu, 23 Jul 2020 13:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.598
X-Spam-Level:
X-Spam-Status: No, score=-0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u6DypkzzFfBm for <ipv6@ietfa.amsl.com>; Thu, 23 Jul 2020 13:55:08 -0700 (PDT)
Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB3253A0C03 for <ipv6@ietf.org>; Thu, 23 Jul 2020 13:55:08 -0700 (PDT)
Received: by mail-ot1-x335.google.com with SMTP id h1so5399278otq.12 for <ipv6@ietf.org>; Thu, 23 Jul 2020 13:55:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=KPqDs3nsN2OL31eFvI4UsfiZqMLpyoHXxkCyrPvkzkM=; b=OGC+0mFGYyjXfRNVzbESlpKUR23SYRqPqesu9A6bOBxLIKw72C+NrfGOSIXER3gHwr 9XBgJUxsnpAGr5kO7lCGQW7Qk/t9Z/dXVBkgkQMErr629854/+JBbiiq3CtqjBF1EpkG bgXQ27rIzdAZYLLUaCV8tX60nkqUpbVmE9zSAo1InTHAImiXnyXsfI4OyHacHKqaxBRN Xv8zEjw5GvF9oFeFqEbNf4GVSowl6r5gt7WJMHTtq26ZzuCalbdMOzV0IZlUrLJ9+UT4 koelkds+BV5IWzw7i0Uzl+YFMpMgsQ9J5M2tcwnh0eh2kRkq4YSbquFd6VFq1pjzYPZN LIBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=KPqDs3nsN2OL31eFvI4UsfiZqMLpyoHXxkCyrPvkzkM=; b=SifzzNHuayshjcYnux01XqVE0Ez3vq2c0FlVYB5FQQB0kiya8SbHiBNT8dUVHhTdxI 9jem9P1f8WoaPwQwQhEVjlh4xl85mSGjqpWS7tMc9gtUz6jhgvnc4y7Dlg5gs0dZeRE2 B8HrUQyGCwrds/5bVfw843dTbi2o077nMkbucVNGHRPCeir8kHxVJI2f53ayiGycVHFB /QcCTA0DmHlq/aUL8j28IFTzAvjBDT4edQNKr1Dq02Y3Gq1Y5kJI67j5dvKv4gwEXbrt KVfogT6658ttJPIxwTsh5ujwENngly6FqC+DF9U2Vxu7zW42lbyJDXnZo9QhU2vGh95p qwvg==
X-Gm-Message-State: AOAM530hO2wYsh5RHh33dSb+7EnI/PN3VeMHB9UFYb87Oe2q2x2c6uUx gvmECakxXLHB+iY49VvHbXvZ94l5FRyVXDX43Lg=
X-Google-Smtp-Source: ABdhPJya11OwS4MowoyPiIZE1lxbPBojQyobnSJNlfsYzq99/TQcJttvxWDrqtzIXeAkfPEIC7viYmZx1KOf9LNwoZY=
X-Received: by 2002:a05:6830:4d9:: with SMTP id s25mr6121510otd.153.1595537707917; Thu, 23 Jul 2020 13:55:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BAQXYmig703yKsDLK-pb7KEd-PuiFQspWbhaZv-kzusAkw@mail.gmail.com> <4364CFFC-A501-48FA-ABC5-AA1DC984A945@cisco.com>
In-Reply-To: <4364CFFC-A501-48FA-ABC5-AA1DC984A945@cisco.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 24 Jul 2020 06:54:41 +1000
Message-ID: <CAO42Z2yvbzDBtQXRc1QYdpTO5exD5-O45=jvgTPY1pK2LW+UgQ@mail.gmail.com>
Subject: Re: 6man w.g. last call for <draft-ietf-6man-grand>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: Jen Linkova <furry13@gmail.com>, Jen Linkova <furry@google.com>, Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/vR5cmSdkC37RovH3kFMqiJUcs-A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 20:55:10 -0000

Hi Pascal,

On Thu, 23 Jul 2020 at 17:47, Pascal Thubert (pthubert)
<pthubert@cisco.com> wrote:
>
>
> > Le 23 juil. 2020 à 03:44, Jen Linkova <furry13@gmail.com> a écrit :
> >
> > On Thu, Jul 23, 2020 at 11:15 AM Jen Linkova <furry13@gmail.com> wrote:
> >>> - helping mitigate ND cache exhaustion DoS attack by preloading the
> >>> cache with addresses
> >>
> >> I'm not sure I fully understand how it would help...Could you please elaborate?
> >> The attack is trying to create a lot of INCOMPLETE entries by sending
> >> packets to non-existing addresses.
> >> Unless we require that routers rely on GRAND only and never even try
> >> to create a new entry upon receiving a packet to an address never seen
> >> before, the router behaviour would still be the same.
>
> I hope it is clear by now that grand does not change the nature of the NCE, that is a cache. We cannot trust the ND cache to defeat a DoS attack. You can only do that when a hard state is proactively maintained for each address.
>

I agree, the way to prevent an ND cache resource exhaustion attack
from off-link nodes is to eliminate off-line nodes' ability to create
cache entries.

The fundamental problem with the ND cache (as well as IPv4's ARP
cache, just not to the same extent), is that data/forwarding plane
traffic from hosts that might not be trustworthy is being used to
create control plane state that is trusted.

> This means deploying an RFC 8505-only network. This is still allows both centralized (DHCP) and autoconf (SLAAC), address allocation is orthogonal to neighbor state management.
>

It seems to me that the harder issue is how to transition to an
address registration protocol like RFC 8505 incrementally, now that we
have billions of ND cache nodes and millions of ND cache routers
deployed. I think both routers and hosts would have to support both
methods concurrently.

Something like GRAND is not a solution to the ND cache DoS attack,
however it does improve the situation, and is a much smaller
incremental change compared to a transition to an address registration
protocol which still would have to co-exist with the ND cache
protocol.

Regards,
Mark.



> Keep safe,
>
> Pascal
>
>
> >
> > I stand corrected. Yeah, it might help as it makes it more likely that
> > an address which does not exist in the cache does not exist on the
> > network either.
> > So resolving such addresses could be deprioritized even more.
> > Funny enough the draft does say it already ;))
> >
> > --
> > SY, Jen Linkova aka Furry
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email