Re: [savi] RFC6620 Page 15 - Data Trigger
"Joel M. Halpern" <jmh@joelhalpern.com> Tue, 06 May 2014 03:02 UTC
Return-Path: <jmh@joelhalpern.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 87B3F1A0204
for <savi@ietfa.amsl.com>; Mon, 5 May 2014 20:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dBTjUyOwn_NH for <savi@ietfa.amsl.com>;
Mon, 5 May 2014 20:02:06 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152])
by ietfa.amsl.com (Postfix) with ESMTP id 86D801A0114
for <savi@ietf.org>; Mon, 5 May 2014 20:02:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by maila2.tigertech.net (Postfix) with ESMTP id F29DD2404D2;
Mon, 5 May 2014 20:02:02 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local
(pool-70-106-134-103.clppva.east.verizon.net [70.106.134.103])
(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
(No client certificate requested)
by maila2.tigertech.net (Postfix) with ESMTPSA id 15F782402C6;
Mon, 5 May 2014 20:02:01 -0700 (PDT)
Message-ID: <5368508C.9060205@joelhalpern.com>
Date: Mon, 05 May 2014 23:01:32 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Leaf Yeh <leaf.yeh.sdo@gmail.com>, 'SAVI Mailing List' <savi@ietf.org>,
'marcelo bagnulo braun' <marcelo@it.uc3m.es>,
"'Eric Levy- Abegnoli (elevyabe)'" <elevyabe@cisco.com>
References: <536846e7.637a420a.27dc.02df@mx.google.com>
In-Reply-To: <536846e7.637a420a.27dc.02df@mx.google.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/savi/e2Xv8PkbJmTeANbX_OIaHAnKBk4
Subject: Re: [savi] RFC6620 Page 15 - Data Trigger
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>,
<mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi/>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>,
<mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 03:02:08 -0000
I am not sure what threat you are trying to prevent in your description. The goal of the SAVI work was to prevent one host from claiming the address another host is using. The limits on the number of addresses a host can claim are related to keeping the bookkeeping state bounded. If a hsot causes his own claims to be lost, that is his problem, not SAVI's. Yours, Joel On 5/5/14, 10:20 PM, Leaf Yeh wrote: > I read RFC6620 again, still have some questions on it. > > Section 3.2.3 Page 15 @ the state of NO_BIND > > <quote> > > Upon the reception through a Validating Port (VP) of a DATA packet > > containing IPAddr as the source address, the SAVI device SHOULD > > execute the process of sending Neighbor Solicitation messages of > > the Duplicate Address Detection process ... The DAD_NS messages > are not > > sent through any of the ports configured as Validating Ports. The > > DAD_NSOL messages are sent through Trusted Ports (but, of course, > > subject to usual switch behavior and possible MLD snooping > > optimizations)... The state > > is moved to TENTATIVE. The LIFETIME is set to TENT_LT (i.e., LT: > > =TENT_LT), the BINDING ANCHOR is set to VP (i.e., P:=VP), and the > > Creation time is set to the current value of the local clock. > > </quote> > > It seems the DAD_NS are not sent to ‘any of VP’, but sent to TP, after > the VP received a data packet, whose source address are not in binding > table of the SAVI device. > > If this data packet use the prefix assigned on this link, we don’t > expect the DAD_NA from the TP. > > If the data packet use any IID-interface ID, i.e. the 64 bits of the > source address, the SAVI switch will set up a binding entry for each > source address. > > Then I guess we lost the finer-grained SAV here, and only can rely on > the SAVI (on-link) prefix list to filtering the ‘transit traffic’. Right? > > I mean the malicious host can create a huge number of **valid** source > address within the on-link prefix. What was the design philosophy here? > > How about send DAD_NS to the VP received data packet for the > double-check in the above process? > > Best Regards, > > Leaf > > > > _______________________________________________ > savi mailing list > savi@ietf.org > https://www.ietf.org/mailman/listinfo/savi >
- [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Joel M. Halpern
- Re: [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Joel M. Halpern
- Re: [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Leaf Yeh
- Re: [savi] RFC6620 Page 15 - Data Trigger Joel Halpern Direct