Re: [savi] RFC6620 Page 15 - Data Trigger
"Leaf Yeh" <leaf.yeh.sdo@gmail.com> Thu, 08 May 2014 02:08 UTC
Return-Path: <leaf.yeh.sdo@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 10C951A01EE
for <savi@ietfa.amsl.com>; Wed, 7 May 2014 19:08:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id tuXxuUCdVTic for <savi@ietfa.amsl.com>;
Wed, 7 May 2014 19:08:45 -0700 (PDT)
Received: from mail-pd0-x234.google.com (mail-pd0-x234.google.com
[IPv6:2607:f8b0:400e:c02::234])
by ietfa.amsl.com (Postfix) with ESMTP id 4E2811A01EC
for <savi@ietf.org>; Wed, 7 May 2014 19:08:45 -0700 (PDT)
Received: by mail-pd0-f180.google.com with SMTP id y10so1797131pdj.39
for <savi@ietf.org>; Wed, 07 May 2014 19:08:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=from:to:references:in-reply-to:subject:date:message-id:mime-version
:content-type:content-transfer-encoding:thread-index
:content-language;
bh=rb6yvCy+/asiibmN9wFYUAl37UhE16O0uZx2CqCQbfE=;
b=uzi860yQe+njVqRNT8ELQDN4buU3KaXqVa0vvU/j8gp1RAJaLmDaFKJaOWHi57bl7z
zP/ZLFqauWbsdtpaSRC9a3YfU+WOKMVBgaTEp0DE++mDUnHi/h3TiMYBJ9owx9cQTmcX
7eI+fyAE/KrFRfY6cnz1tqIIfdDHh2zRufUazlr6/g6ofOghUUJtx2R/kfES37sJakrP
q8LCPjf76T3hkhE2hSML3ElQAFS+JjAh5B8gCIC2BEQTENM8EzCIyEik2p4LB72VRG1q
dvWM/K05T2184t8eKD56XTyBDkBmKYUmle1r9TDo6a1W2PKPk41LubcyJ7ymfgZgK8GQ
Wsag==
X-Received: by 10.66.249.233 with SMTP id yx9mr1552254pac.3.1399514921033;
Wed, 07 May 2014 19:08:41 -0700 (PDT)
Received: from PC ([218.241.103.130])
by mx.google.com with ESMTPSA id ak1sm5582082pbc.58.2014.05.07.19.08.37
for <multiple recipients>
(version=TLSv1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Wed, 07 May 2014 19:08:39 -0700 (PDT)
X-Google-Original-Message-ID: <001b01cf6a62$6cfa3570$46eea050$@yeh.sdo@gmail.com>
From: "Leaf Yeh" <leaf.yeh.sdo@gmail.com>
To: "'Joel Halpern Direct'" <jmh.direct@joelhalpern.com>,
"'Joel M. Halpern'" <jmh@joelhalpern.com>,
"'SAVI Mailing List'" <savi@ietf.org>,
"'marcelo bagnulo braun'" <marcelo@it.uc3m.es>,
"'Eric Levy- Abegnoli \(elevyabe\)'" <elevyabe@cisco.com>
References: <536846e7.637a420a.27dc.02df@mx.google.com>
<5368508C.9060205@joelhalpern.com>
<53685d07.8564420a.3494.3c0a@mx.google.com>
<5368EB4D.7000704@joelhalpern.com>
<5369a6d9.838f440a.7e55.1450@mx.google.com>
<536A4398.6070102@joelhalpern.com>
In-Reply-To: <536A4398.6070102@joelhalpern.com>
Date: Thu, 8 May 2014 10:08:34 +0800
Message-ID: <536ae727.41aa440a.69b1.fffff040@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac9qAPIFVJwRNcA+TfeaqRYD2lAW1wAX2Xrg
Content-Language: zh-cn
Archived-At: http://mailarchive.ietf.org/arch/msg/savi/77qY2We51s_uGZJAUrqkWHtPO0k
Subject: Re: [savi] RFC6620 Page 15 - Data Trigger
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>,
<mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi/>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>,
<mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 02:08:47 -0000
Joel - If the SAVI function is on the device with a dedicated port to the end device (or an authenticated port) then there is no value in sending the NS back to the entity which sent it. (Some of this is conceptually buried in the definition of binding scopes in SAVI, and can be hard to realize.) Sending the DAD_NS intends to make sure the end device has initiated a interface with the source address in the data packet sent out. Otherwise, the end device could spoof a lot of source address at no cost within the same on-link prefix. The address space here is at least /64. Best Regards, Leaf -----Original Message----- From: Joel Halpern Direct [mailto:jmh.direct@joelhalpern.com] Sent: Wednesday, May 07, 2014 10:31 PM To: Leaf Yeh; 'Joel M. Halpern'; 'SAVI Mailing List'; 'marcelo bagnulo braun'; 'Eric Levy- Abegnoli (elevyabe)' Subject: Re: [savi] RFC6620 Page 15 - Data Trigger With regard to protecting hosts from "on-link" attackers, there are two different cases. If the SAVI function is on the device with a dedicated port to the end device (or an authenticated port) then there is no value in sending the NS back to the entity which sent it. (Some of this is conceptually buried in the definition of binding scopes in SAVI, and can be hard to realize.) In the case where the SAVI function is upstream of the usage port (for example, it is on the router port, with bridges / switches between the prot and the users) there are many weaknesses in SAVI efficacy. That is clearly stated in the documents. Sending the NS back on that port will not as far as I can tell help resolve much, if any, of those weaknesses. We did discuss this extensively in the working group. Yours, Joel On 5/6/14, 11:21 PM, Leaf Yeh wrote: > Joel - The goal of SAVI is very specific. it is to prevent one node > from claiming an address that is belongs to (by assignment or proper > claiming) another node. Can you please restate your concern with the > data trigger in terms of how it fails to meet that goal?.... > Sending solicitations back onto that LAN (which seems to be what you > are asking for) does not actually help with that problem. > > I guess your logic sounds right. DAD_NS should sent through the TP, > which may connect to other SAVI device (and more hosts) within the > same scope, i.e. the same link, or the same broadcast domain. But the > above logic sounds not cover my concern on the host to abuse the > source address within the on-link prefix. > > Sending DAD_NS back to the VP receiving the data trigger, sounds > useful for a check. Wrong or harmful? > > > Best Regards, > Leaf > >
- [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Joel M. Halpern
- Re: [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Joel M. Halpern
- Re: [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Joel Halpern Direct