[savi] SAVI SEND RADV validation (was RE: I-D Action: draft-ietf-savi-send-08.txt)

Greg Daley <gdaley@au.logicalis.com> Tue, 18 September 2012 04:35 UTC

From: Greg Daley <gdaley@au.logicalis.com>
To: "'internet-drafts@ietf.org'" <internet-drafts@ietf.org>
Date: Tue, 18 Sep 2012 04:35:25 +0000
Message-ID: <72381AF1F18BAE4F890A0813768D9928EB765B@sdcexchms.au.logicalis.com>
Cc: "savi@ietf.org" <savi@ietf.org>, "'alberto@it.uc3m.es'" <alberto@it.uc3m.es>
Subject: [savi] SAVI SEND RADV validation (was RE: I-D Action: draft-ietf-savi-send-08.txt)

Hi Marcelo and Alberto,

Thanks for your work on this.

I am wondering how router validity can be ascertained by the SAVI devices when the only packets transmitted are:

S.3.3.2:
   "The only messages the SEND SAVI device is required to generate for
    SEND SAVI operation are NUD_NSOL messages.  This also simplifies
    the state machine."

RFC 3971 relies not only upon the Cryptographically Generated Address (or other standalone signature) to validate the authorization of a router, but also Certificate Path Solicitation and Advertisement, which proves that a local routing authority has designated the device to be a router.

Reception of a RADV itself is not sufficient to prove the authorization, and SEND nodes have the potential to transmit an RA if misconfigured (or attacking).

Sincerely,

Greg Daley
Solutions Architect
Logicalis Australia Pty Ltd

m: +61 401 772 770
e: gdaley@au.logicalis.com

www.au.logicalis.com

Level 6, 616 St Kilda Road 
Melbourne VIC 3004 Australia
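[Editor's note: the following is an added, runnable illustration of the point raised in the message above; it is not part of the mailing-list thread, of draft-ietf-savi-send, or of any SEND implementation. It models the two distinct checks RFC 3971 places on a Router Advertisement: the CGA/RSA Signature check on the message itself, and the separate authorization check through a certification path from a trust anchor, which is what the Certificate Path Solicitation/Advertisement exchange exists to fetch. Everything below is constructed: the "RSA" is textbook RSA over fixed Mersenne primes, the certificate is an ad-hoc record rather than the RFC 3971/RFC 3779 format, the prefix is the 2001:db8::/32 documentation range, and the cert_store dictionary stands in for whatever a CPS/CPA exchange would have returned.]

```python
"""Toy model of what RFC 3971 requires before a Router Advertisement is trusted:
(1) the source address must be the CGA of the key that signed the message and the
RSA Signature option must verify, and (2) a certification path from a trust anchor
(the data a CPS/CPA exchange fetches) must authorize that key to act as a router
for the advertised prefix. Constructed example, not SEND wire format: the "RSA"
is textbook RSA over fixed Mersenne primes and the certificate is an ad-hoc
record. Neither is secure; the point is the separation of the two checks."""
import hashlib
from dataclasses import dataclass, replace

def toy_keypair(p: int, q: int, e: int = 65537):          # constructed, NOT secure
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def toy_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def encode_key(pub) -> bytes:
    n, e = pub
    return n.to_bytes(96, "big") + e.to_bytes(4, "big")

def cga_interface_id(prefix: bytes, modifier: bytes, collision: int, pub) -> bytes:
    """RFC 3972 Hash1 with sec=0 (no Hash2 search): u/g bits cleared, sec in the top 3 bits."""
    h1 = hashlib.sha1(modifier + prefix + bytes([collision]) + encode_key(pub)).digest()[:8]
    return bytes([h1[0] & 0x1F]) + h1[1:]

@dataclass(frozen=True)
class Cert:               # stand-in for a SEND router authorization certificate
    subject_pub: tuple
    prefix: bytes         # the /64 the subject is authorized to advertise
    issuer_pub: tuple
    sig: int
    def tbs(self) -> bytes:
        return encode_key(self.subject_pub) + self.prefix + encode_key(self.issuer_pub)

def issue_cert(issuer_pub, issuer_priv, subject_pub, prefix: bytes) -> Cert:
    c = Cert(subject_pub, prefix, issuer_pub, 0)
    return replace(c, sig=toy_sign(issuer_priv, c.tbs()))

@dataclass(frozen=True)
class RouterAdv:          # IPv6 source + CGA parameters + RA body + RSA Signature option
    src: bytes
    prefix: bytes
    modifier: bytes
    collision: int
    pub: tuple
    body: bytes
    sig: int
    def tbs(self) -> bytes:
        return self.src + self.body

def make_ra(priv, pub, prefix: bytes, body: bytes, modifier: bytes = b"\x00" * 16) -> RouterAdv:
    src = prefix + cga_interface_id(prefix, modifier, 0, pub)
    ra = RouterAdv(src, prefix, modifier, 0, pub, body, 0)
    return replace(ra, sig=toy_sign(priv, ra.tbs()))

def path_authorizes(trust_anchor_pub, chain, sender_pub, prefix: bytes) -> bool:
    """Walk the certification path from the trust anchor down to the sender's CGA key."""
    expected_issuer = trust_anchor_pub
    for c in chain:
        if c.issuer_pub != expected_issuer or c.prefix != prefix:
            return False
        if not toy_verify(c.issuer_pub, c.tbs(), c.sig):
            return False
        expected_issuer = c.subject_pub
    return bool(chain) and expected_issuer == sender_pub

def validate_ra(ra: RouterAdv, trust_anchor_pub, cert_store: dict) -> str:
    """cert_store maps a sender key to the chain a CPS/CPA exchange returned for it."""
    if ra.src != ra.prefix + cga_interface_id(ra.prefix, ra.modifier, ra.collision, ra.pub):
        return "reject: source address is not the CGA of the signing key"
    if not toy_verify(ra.pub, ra.tbs(), ra.sig):
        return "reject: RSA Signature option does not verify"
    chain = cert_store.get(ra.pub)
    if chain is None or not path_authorizes(trust_anchor_pub, chain, ra.pub, ra.prefix):
        return "reject: CGA-signed, but no certification path from the trust anchor authorizes this router"
    return "accept"

M31, M61, M89, M107, M127, M521 = (2**k - 1 for k in (31, 61, 89, 107, 127, 521))   # Mersenne primes
PREFIX = bytes.fromhex("20010db800010000")                                          # 2001:db8:1::/64

def demo() -> dict:
    ta_pub, ta_priv = toy_keypair(M31, M61)          # the link's trust anchor
    rtr_pub, rtr_priv = toy_keypair(M89, M107)       # authorized router
    host_pub, host_priv = toy_keypair(M127, M521)    # SEND host that misconfiguration makes emit RAs
    cert_store = {rtr_pub: [issue_cert(ta_pub, ta_priv, rtr_pub, PREFIX)]}   # no entry for host_pub
    body = b"RA router-lifetime=1800"
    good = make_ra(rtr_priv, rtr_pub, PREFIX, body)
    rogue = make_ra(host_priv, host_pub, PREFIX, body)        # valid CGA and signature, no authorization
    return {
        "router": validate_ra(good, ta_pub, cert_store),
        "host_no_path": validate_ra(rogue, ta_pub, cert_store),
        "tampered_body": validate_ra(replace(good, body=b"RA router-lifetime=0"), ta_pub, cert_store),
        "spoofed_src": validate_ra(replace(rogue, src=good.src), ta_pub, cert_store),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The "host_no_path" case is the one the message above is about: the RA carries a correct CGA and a signature that verifies, so a device that only checks the message itself would accept it, yet nothing ties that key to the link's trust anchor. Only the certification-path step distinguishes it from the "router" case, and a SAVI device that never takes part in (or at least observes) the CPS/CPA exchange has no data on which to run that step.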

-----Original Message-----
From: savi-bounces@ietf.org [mailto:savi-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
Sent: Tuesday, 18 September 2012 12:12 AM
To: i-d-announce@ietf.org
Cc: savi@ietf.org
Subject: [savi] I-D Action: draft-ietf-savi-send-08.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Source Address Validation Improvements Working Group of the IETF.

	Title           : SEND-based Source-Address Validation Implementation
	Author(s)       : Marcelo Bagnulo
                          Alberto Garcia-Martinez
	Filename        : draft-ietf-savi-send-08.txt
	Pages           : 32
	Date            : 2012-09-17

Abstract:
   This memo describes SEND SAVI, a mechanism to provide source address
   validation using the SEND protocol.  The proposed mechanism is
   intended to complement ingress filtering techniques to provide a
   finer granularity on the control of the source addresses used.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-savi-send

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-savi-send-08

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-savi-send-08


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
