IETF Logo Mail Archive

Re: comments on draft-ietf-v6ops-v6inixp-01.txt

Nick Hilliard <nick@inex.ie> Wed, 29 July 2009 10:59 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4A5423A6895 for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 29 Jul 2009 03:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.195
X-Spam-Level:
X-Spam-Status: No, score=-0.195 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EknV5zP5SxOF for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 29 Jul 2009 03:59:05 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 106AB3A6E7A for <v6ops-archive@lists.ietf.org>; Wed, 29 Jul 2009 03:58:39 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1MW6r1-000FoG-61 for v6ops-data0@psg.com; Wed, 29 Jul 2009 10:57:51 +0000
Received: from [87.198.142.193] (helo=mail.acquirer.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <nick@inex.ie>) id 1MW6qw-000Fn1-6b for v6ops@ops.ietf.org; Wed, 29 Jul 2009 10:57:49 +0000
X-Envelope-To: v6ops@ops.ietf.org
Received: from cupcake.internal.acquirer.com (cupcake.internal.acquirer.com [10.228.100.105]) (authenticated bits=0) by mail.acquirer.com (8.14.3/8.14.3) with ESMTP id n6TAv1FC021344 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 29 Jul 2009 11:57:02 +0100 (IST) (envelope-from nick@inex.ie)
Message-ID: <4A702AFD.6040803@inex.ie>
Date: Wed, 29 Jul 2009 11:57:01 +0100
From: Nick Hilliard <nick@inex.ie>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090223 Thunderbird/3.0b2
MIME-Version: 1.0
To: Roque Gagliano <roque@lacnic.net>
CC: v6ops@ops.ietf.org
Subject: Re: comments on draft-ietf-v6ops-v6inixp-01.txt
References: <4A6EE42A.7020809@inex.ie> <E38C65E0-F55D-49C5-9EA4-D4B594FB679A@lacnic.net>
In-Reply-To: <E38C65E0-F55D-49C5-9EA4-D4B594FB679A@lacnic.net>
X-Company-Info-1: Internet Neutral Exchange Association Limited. Registered in Ireland No. 253804
X-Company-Info-2: Registered Offices: 1-2, Marino Mart, Fairview, Dublin 3
X-Company-Info-3: Internet Neutral Exchange Association Limited is limited by guarantee
X-Company-Info-4: Offices: 4027 Kingswood Road, Citywest, Dublin 24.
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 29/07/2009 00:21, Roque Gagliano wrote:
> as I mentioned in the WG I had several editorial text to change, I will
> go ahead and foward you the text before submission if that is ok.

No problem.

>> - it would probably be useful to mention that RA should be disabled on
>> all peering lan client routers and if possible, should be blocked at a
>> fabric level with some incantation of draft-ietf-v6ops-ra-guard.
>>
>
> In section 4 it says:
> " Configuring default routes in an IXP
> LAN without an agreement within the parties is normally against IXP
> policies. For that reason, eventhough routers should ignore them,
> rogue ICMPv6 route advertisements may be monitored in order to
> prevent configuration errors. "
>
> is that what you where looking for?

Partly, but it doesn't go far enough.  I'd suggest something like the 
following:

"IPv6 Router Advertisement packets should neither be issued nor accepted by 
routers connected to the IXP.  Where possible, the IXP operator should 
block link-local RA packets using IPv6 RA-Guard.  If this is not possible, 
the IXP operator should monitor the exchange for rogue Router Advertisement 
packets."

As an aside, it's very annoying that tshark doesn't dissect ND and RA 
packets properly and give complete information about source and dest hosts. 
  tcpdump works, but is limited in other areas.  So I end up using both, sigh.

>> - the ixp should maintain a list of
>>
>
> I cannot find this peace of text in the document.

Oops, silly me.  I meant to say that the IXP should maintain a list of all 
ipv6 addresses used by exchange participants.  Surprisingly, this is not 
the case for all IXPs today.

>> - section 6: there is no standard defined for TCP MD5 security for
>> ipv6 packets, although there are several interoperable implementations
>> out there in practice. RFC 2385 assumes ipv4.
>
> I just checked RFC2385 ad could not find a reference to IPv4 specific info.

No - there's no reference in there to ipv4 vs ipv6.  The calculation is 
similar but different due to differences in the ipv6 header.  For 
reference, take a look at tcp_signature_compute() in:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c?rev=1.349

It's not hugely different or anything, but there may be enough difference 
there to warrant clarification in the RFC.

> I remember the IPv6 round table in NANOG
> in LA, and NTT mentioned that they used IPSEC in Japan....that is as
> close as I got

interesting.

>> - is it worth suggesting that ipv4 bgp afi over ipv6 transport and
>> ipv6 bgp afi over ipv4 transport should be explicitly frowned upon for
>> route servers? It adds complication for no gain whatever.
>
> The current text implicitly mentions this point:
>
> "A good practice is to have IPv6 SAFI (Subsequent Address Family
> Identifiers) information carried over sessions established also on
> top of the IPv6 IP/TCP stack and independently of the IPv4 sessions.
> This configuration allows that in the event of IPv6 reachability
> issues to any IPv6 peer, the IPv6 session will be turned down and the
> IPv4 session to the same peer will not be affected. "
>
> is this enough?

I'm talking about generic bgp session data rather than just SAFI, but the 
same principal applies.  Maybe if the text were changed to read something 
like this:

It is recommended that all BGP sessions used to exchange IPv6 network 
information are configured using IPv6 data transport.  This configuration 
style ensures that as both network reachability information and generic 
packet data transport use the same transport plane, in the event of IPv6 
reachability problems between IPv6 peers, the IPv6 BGP session may be 
terminated independently of any IPv4 sessions.

Hmmm, that's a bit messy, but you get the idea.

>> - security considerations - at face value none. Mind you, I could see
>> small exchange customers getting very upset if their IXP wasn't using
>> MLD snooping and one of their 1G or 10G customers decided to shift a
>> couple of hundred megs of multicast traffic in a moment of
>> experimental exuberance.
>
> MLD snooping will only help you to check the associations to the
> solicited-node multicast group for ND. I believe you are referring to
> PIM snooping, which is not defined in any RFC nor supported in many
> equipments.

It's still a worry though.   Unwanted multicast flooding is bad for those 
ports which don't want it.

>> - I'm still wrangling with myself about the value of an ipv6 ND
>> sponge. Is it better for an end-user DoS attacker to trash an ipv6 lan
>> by causing persistent icmp6 multicast flooding, or by filling up the
>> ipv6 neighbor cache on all connected routers with ipv6 address entries
>> associated the mac address of an ipv6 ND sponge? Has anyone actually
>> measured this in practice? Is the reaction vendor specific? My worry
>> is that attacks of this form will happen one day and right now we are
>> not ready.
>
> so what you are proposing is that we should be able to limit the number
> of IPv6 addresses for a given MAC addresses that is advertised through
> ND to the switch in order to avoid the flooding of unsolicited Neighbor
> advertisement messages that could eventually fill someone's cache
> entries? Looks like a nice question to the list.

It would be very nice to be able to limit this at the switch level.  Dunno 
how you'd do it or anything, but there is a serious security concern here.

I wonder if any vendors might have any ideas on whether it would be 
possible to count the number of different ICMP6 ND packets received on an 
interface and block further ones if this goes beyond a certain limit?  How 
does one go about asking this in IETF-land?

>> - is it worth recommending that the IXP use l3 ipv6 filters to permit
>> only link-local traffic from their assigned (or chosen) address for
>> the purposes of BGP and icmp6 only? What I'm thinking of here is how
>> to deal with people who will do broken stuff like configuring tunnels
>> using their IXP assigned address.
>
> but the IXP assigned address is Global Unicast , not link-local. I can
> see that filtering unicast link-local could be done but I do not see the
> relationship to BGP and tunnels. I know that some people have talk about
> terminating BGP session in link-loca addresses to avoid problem when
> renumbering, but never seeing done and.

I had a situation some while back where an exchange participant configured 
NAT using their exchange LAN ip address, and ended up getting connectivity 
transport using the IXP's routing policy (there was/is transit connectivity 
to the exchange).  They had no malicious intent - it was more a case of not 
realising that this was just a dumb thing to do.

So we sat down and thought about what are the legitimate reasons to use 
your exchange IP address for, and really it's just for icmp, bgp, arp and 
traceroute replies.  If you see an exchange IP address being used for other 
purposes, there's almost certainly a problem.

Similarly in the ipv6 world, do you think it's worth noting that the ipv6 
address assigned or chosen should be used only for bgp, icmp6 and 
traceroute traffic?  Maybe this is too much to suggest as good practice in 
an I-D, though.

Nick

v2.23.0 | Report a Bug | By Email