RE: Route Information Options in Redirect Messages (updated)

Mark Smith <> Wed, 08 February 2017 22:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A65CC1295F0 for <>; Wed, 8 Feb 2017 14:11:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MhQmYVbX6vZ4 for <>; Wed, 8 Feb 2017 14:10:57 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 227E812961F for <>; Wed, 8 Feb 2017 14:10:57 -0800 (PST)
Received: by with SMTP id 96so120653281uaq.3 for <>; Wed, 08 Feb 2017 14:10:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Dg2gW61wMzUdtjaJt69UpdtNb46dHLN2/GJvf7h4eRA=; b=JCtLBoQN/NNNif+jmCd0yZkf9yiyeTCFINgzyGYzsRDk8i/aeFOicuFMvvdT+v2Bfp jEz5sg2Iug8NoIwO2rkJlAdJ2/fXI6ZecjgF3KEYvF4LPF8aApOHNGXiCKvrtgPovugz mVtCLi9EZ0PB5yN0iwtn6X9pJRspnN9Iz//oVOkUWTYFmEySIZyzYp1b+HGB1nORjSLm 67eOU7T85u+Qifc1xJH8DMIooo9pWyCV+nxM4uCcc1pxBytWcMPf8qiB27Fx7r58Z/eb Z/xJ5tXV29dSt/VODU0w/4tUed288g5bgq+x3ziBWH+SlfP5o2LkMk/viCJrMqpo/U/E WOsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Dg2gW61wMzUdtjaJt69UpdtNb46dHLN2/GJvf7h4eRA=; b=SJ0nloomSf/H4ukdzzKiQdZkgov37LDB50yEm9cU65sCG75sZLl9OvhfJsUZ1ZVB9h kp6y0oCMwQFW1S4x7drYgcLKV6EL+nRR6QxdsvZ5VNzWH0Uywgzth5KklP1J/ZRIWtSW FVNvV9zw1elNuBw/yKUxNKW8r3+utW68HyAbhOzXi7MQB9BjDCy+Vk3nKfw8Jj1+coq5 6EbLT/cxsHQF7dPnl41eVb9qFvaZ/jP5Vdaxvms4SI6Xpim15kmRVhb2nhCitduzQ4W3 44ukjy+1+WC28JDW9Fc0FLXCFTewMaR5mb3axIgmt8tXI4rDd1VzoxvoCLsKzFIdjBjb paFA==
X-Gm-Message-State: AIkVDXL5xN7kc4aP++qHGKC9cz355Ow0mHrAlLSMqtjYlsm4cZxv36WrZeCSeg333NjqrEv1X4fA2x7/n446Gw==
X-Received: by with SMTP id 41mr12110369uat.157.1486591856127; Wed, 08 Feb 2017 14:10:56 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 8 Feb 2017 14:10:55 -0800 (PST)
Received: by with HTTP; Wed, 8 Feb 2017 14:10:55 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Mark Smith <>
Date: Thu, 9 Feb 2017 09:10:55 +1100
Message-ID: <>
Subject: RE: Route Information Options in Redirect Messages (updated)
To: "Templin, Fred L" <>
Content-Type: multipart/alternative; boundary=001a113d0df682b4ce05480c237c
Archived-At: <>
Cc: james woodyatt <>, 6man WG <>, =?UTF-8?B?56We5piO6YGU5ZOJ?= <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Feb 2017 22:11:00 -0000

Hi Fred,

On 9 Feb. 2017 08:37, "Templin, Fred L" <> wrote:

Hi Mark,

> -----Original Message-----
> From: Mark Smith []
> Sent: Wednesday, February 08, 2017 1:06 PM
> To: Templin, Fred L <>
> Cc: james woodyatt <>om>; 神明達哉 <>jp>; 6man WG <>
> Subject: Re: Route Information Options in Redirect Messages (updated)
> Hi Fred,
> On 9 February 2017 at 07:33, Templin, Fred L <>
> > Hi Mark,
> >
> > What you are digging into here is out of scope for this document in the
> > way that orchestrating redirects for singleton destinations is out of
scope for
> > RFC4861.
> What RFC covers redirects? RFC4443 doesn't.

No, I am only talking about RFC4861.

I'm afraid I don't still don't understand what you're saying.

This mechanism is, at face value, nothing more than a single message
carrying a redirect for a range of addresses.

However, because it can carry a range of addresses, it may be useful in
other contexts where single address redirects are either or nearly
worthless. For example, RFC4861 explicitly prohibits routers from
processing single address redirects, so there is no point sending them to

I think one of those scenarios where a prefix redirect would be useful (but
a single address redirect isn't) is a router control plane client/server
relationship, where this mechanism operates following the same model as the
Next Hop Resolution Protocol does - the server router instructs the client
routers to establish more direct paths between themselves across the shared
multi-access link, but the client routers do not make those shorter path
decisions. If they did, they would be control plane peers, not clients.

The validation rule you're describing allows the client routers to make
their own best path choices, which means the server router has lost its
ability to be the single decision maker and the single source of truth.

> >  All it says in the validation checks is:
> >
> >   - The IP source address of the Redirect is the same as the current
> >      router for the specified ICMP Destination Address.
> >
> > It does not say anything about how all of the potential first-hop
routers on
> > the link coordinate among themselves to make sure that the Redirects
> > steer hosts into a rat's nest of endless loops.
> >
> > Yes, just the same as for redirects of singleton destinations, there is
> > implied trust basis that routers that send Redirects will behave
> > and consistently. It is no different for Redirects that contain RIOs.
> >
> Then my use case is not a use case for this. I have to provide
> services to stub routers, but cannot trust them to act entirely
> benevolently, because I don't own, operate or even have much influence
> over what brand they are. I want to provide a the best and possibly
> better service to them because their owners are paying me to e.g.,
> local layer 2 switching in the exchange, but I cannot let one customer
> impact the service of any other customer.

OK, but then that sounds like either a different document or a Security
Considerations note for this document. But, the mainline validity check
needs to stay generic.

It seems to me that the default validity check needs to be the one that
provides the most robustness, which usually means the default setting needs
to suit the likely deployment environment it will be deployed in.

In my scenario, if you trusted and operated all of the routers, you could
run a dynamic IGP on them to provide optimal path information to them. A
new mechanism like a prefix redirect is an alternative to existing
mechanisms in this scenario.

If you can't trust the routers, then you either provide them with a default
route (either they configure statically or you provide via RAs) or run BGP
with them, which has all the policy knobs necessary to provide and receive
routing information securely. BGP of course isn't scalable to residential

The latter case is the most common, in the order of 100s of millions of
instances around the world. So I think the default validation for these
sorts of messages for stub routers should suit that scenario (requiring
non-technical users to switch on increased security features just doesn't


Thanks - Fred

> Regards,
> Mark.