Re: [v6ops] draft-xiao-v6ops-nd-deployment-guidelines discussion

Xipengxiao <xipengxiao@huawei.com> Sat, 27 August 2022 20:58 UTC

From: Xipengxiao <xipengxiao@huawei.com>
To: "buraglio@es.net" <buraglio@es.net>
CC: Gyan Mishra <hayabusagsm@gmail.com>, Fred Baker <fredbaker.ietf@gmail.com>, v6ops list <v6ops@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Sat, 27 Aug 2022 20:57:55 +0000
Message-ID: <c338411fcfad45beae4e83c627db1ecf@huawei.com>
References: <CABKBHwdQLLN_TyGZvMWCJ6UsfFfo23ZsW_z3LKL_1Z_qecPTWA@mail.gmail.com> <CABNhwV2pwoQWPO6P2U1m3oPg8Us23M5NBfrNpB0=CNg3ccTAwg@mail.gmail.com> <9acd50c6-b9dd-0844-2f51-4c5419e4cd92@gmail.com> <CAM5+tA8NfVnP5JQ+iYgqGtFrD2tpk-AyA1cCZq8iXkzVzkbq4Q@mail.gmail.com> <CAM5+tA-AqrW=KVXa8gN-NCs1RFD8t+b0_8dV+ZS5hp1pe9nH9Q@mail.gmail.com>
In-Reply-To: <CAM5+tA-AqrW=KVXa8gN-NCs1RFD8t+b0_8dV+ZS5hp1pe9nH9Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/09HnCVYRsWfZYKgBmENRTA9H4So>
Subject: Re: [v6ops] draft-xiao-v6ops-nd-deployment-guidelines discussion

Hi Nick,

Thank you very much for the review and suggestion.  We will incorporate them in the next revision.

XiPeng 

-----Original Message-----
From: Nick Buraglio <buraglio@es.net> 
Sent: Saturday, August 27, 2022 5:33 PM
To: Xipengxiao <xipengxiao@huawei.com>
Cc: Gyan Mishra <hayabusagsm@gmail.com>; Fred Baker <fredbaker.ietf@gmail.com>; v6ops list <v6ops@ietf.org>; Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [v6ops] draft-xiao-v6ops-nd-deployment-guidelines discussion

As requested here are my notes from the draft:


------

Section 1. Host isolation is not particularly well understood, this is a good breakdown.
---
Section 2.2:
Suggest rewording to ".....causing a victim's address configuration procedure to fail causing a denial of service to the host in question."

Suggest rewording :
Forged RAs: an attacker can send RAs to other hosts to claim to be a router and also preempt the real router resulting in a redirect attack.
Forged Redirects: an attacker can pretend to be the router and send Redirects to other hosts to redirect their traffic to the router to itself resulting in a Redirect attack.

---
Section 2.3:
Suggest rewording: "The way ND does address resolution" to "The manner in which ND performs address resolution"

---
Section 3.2
FBBv6-P2MP bullet 2
Suggest re-wording: Trusting-all-host is only relevant to the router.
By applying some simple filtering at the router, e.g. dropping RAs from the host, even malicious hosts cannot participate in most hijack attacks involving forged and erroneous RA or redirect attacks. -- It further clarifies the benefit rather than a more general "security harm" statement that may not be universally accurate.

---
Section 3.3
Is it worthwhile to provide some of the details here? "RFC 8273 solves other ND issues discussed in Section 2."



----
nb

On Thu, Aug 25, 2022 at 12:00 PM Nick Buraglio <buraglio@es.net> wrote:
>
> Definitely agree that this is an important topic. I read over the 
> draft and believe it is a useful document that outlines the issues and 
> provides a roadmap for solutions. I have a few readability suggestions 
> in my notes, if there is interest. I support adoption - these are 
> real-world problems and solutions in a consumable and useful format.
>
>
> ----
> nb
>
> On Wed, Aug 24, 2022 at 4:48 PM Brian E Carpenter 
> <brian.e.carpenter@gmail.com> wrote:
> >
> > I agree on the importance of the topic. I don't have the time or expertise to comment in detail, but this is a topic the WG should tackle.
> >
> > Regards
> >     Brian Carpenter
> >
> > On 24-Aug-22 18:35, Gyan Mishra wrote:
> > >
> > >
> > > This draft had a tremendous amount of useful and highly valuable information for any operators looking at L2 and L3 host isolation.
> > >
> > > I support this work and I believe this work is ready for an adoption call.
> > >
> > > Kind Regards
> > >
> > > Gyan
> > > On Mon, Aug 22, 2022 at 11:01 AM Fred Baker <fredbaker.ietf@gmail.com> wrote:
> > >
> > >     At IETF 114, XiPeng discussed the use of host isolation in the network to improve host behavior, and there was a discussion. Opinions?
> > >     _______________________________________________
> > >     v6ops mailing list
> > >     v6ops@ietf.org
> > >     https://www.ietf.org/mailman/listinfo/v6ops
> > >
> > > --
> > > Gyan Mishra
> > > Network Solutions Architect
> > > Email gyan.s.mishra@verizon.com
> > > M 301 502-1347
> > >
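The filter Nick's note on Section 3.2 describes ("dropping RAs from the host" on the router's host-facing interfaces) can be sketched in a few lines. The block below is an added example written for this page; it is not code from the draft, from the list, or from any of the participants. It parses a bare IPv6 + ICMPv6 packet, applies the RFC 4861 sanity checks for Router Advertisements and Redirects (link-local source, Hop Limit 255, code 0), and drops those message types outright on a host-facing port while requiring a known router source on an uplink. The `trusted_routers` allowlist, the interface labels, and every packet in `demo()` are constructed for the illustration; IPv6 extension headers and ICMPv6 checksum verification are deliberately out of scope.

```python
"""RA Guard-style filter for a router's host-facing interfaces.

Added example, not from the draft or the thread.  Assumptions: packets carry
ICMPv6 directly after the fixed IPv6 header (no extension headers), the
ICMPv6 checksum is not verified here, and all sample packets are constructed
inline for the demonstration.
"""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_RA = 134        # Router Advertisement
ICMPV6_NS = 135        # Neighbor Solicitation (ordinary host/DAD traffic, must pass)
ICMPV6_REDIRECT = 137  # Redirect


def build_icmpv6_packet(src, dst, icmp_type, hop_limit=255, body=b""):
    """Construct a bare IPv6 + ICMPv6 packet (checksum left as zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body          # type, code, checksum
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)


def parse_icmpv6(packet):
    """Return (src, hop_limit, icmp_type, icmp_code) if the packet is IPv6 with
    ICMPv6 as its next header, otherwise None."""
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", packet[4:8])
    if next_hdr != IPPROTO_ICMPV6 or len(packet) < 40 + payload_len:
        return None  # extension headers are out of scope for this example
    src = ipaddress.IPv6Address(packet[8:24])
    return src, hop_limit, packet[40], packet[41]


def ra_guard(packet, host_facing, trusted_routers=frozenset()):
    """Decide 'accept' or 'drop' for one inbound packet on an interface.

    host_facing     -- True for an interface that only connects hosts
    trusted_routers -- hypothetical allowlist of link-local router addresses
                       permitted to send RAs/Redirects on router-facing ports
    """
    parsed = parse_icmpv6(packet)
    if parsed is None:
        return "accept"  # not ICMPv6: outside this filter's remit
    src, hop_limit, icmp_type, icmp_code = parsed
    if icmp_type not in (ICMPV6_RA, ICMPV6_REDIRECT):
        return "accept"  # NS/NA/DAD traffic from hosts must keep flowing
    # RFC 4861 sections 6.1.2 and 8.1: RAs and Redirects must have a link-local
    # source, Hop Limit 255 (originated on-link) and ICMP code 0.
    if hop_limit != 255 or not src.is_link_local or icmp_code != 0:
        return "drop"
    if host_facing:
        return "drop"  # hosts never legitimately send RAs or Redirects
    if src not in trusted_routers:
        return "drop"  # uplink, but not a router we know about
    return "accept"


# Constructed sample traffic (not captured data).
ROUTER = "fe80::1"
HOST = "fe80::dead:beef"
ALL_NODES = "ff02::1"
RA_BODY = bytes([64, 0]) + struct.pack("!HII", 1800, 0, 0)  # cur hop limit, flags, lifetime, reachable, retrans


def demo():
    """Run the filter over representative packets; returns {case: decision}."""
    trusted = frozenset({ipaddress.IPv6Address(ROUTER)})
    cases = {
        "ra_from_router_on_uplink": (build_icmpv6_packet(ROUTER, ALL_NODES, ICMPV6_RA, body=RA_BODY), False),
        "forged_ra_from_host_port": (build_icmpv6_packet(HOST, ALL_NODES, ICMPV6_RA, body=RA_BODY), True),
        "spoofed_router_src_on_host_port": (build_icmpv6_packet(ROUTER, ALL_NODES, ICMPV6_RA, body=RA_BODY), True),
        "redirect_from_host_port": (build_icmpv6_packet(HOST, "fe80::2", ICMPV6_REDIRECT, body=b"\x00" * 36), True),
        "ra_with_hop_limit_64_on_uplink": (build_icmpv6_packet(ROUTER, ALL_NODES, ICMPV6_RA, hop_limit=64, body=RA_BODY), False),
        "ns_from_host_port": (build_icmpv6_packet(HOST, "ff02::1:ff00:1", ICMPV6_NS, body=b"\x00" * 20), True),
    }
    return {name: ra_guard(pkt, host_facing, trusted) for name, (pkt, host_facing) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:35s} {decision}")
```

The "spoofed_router_src_on_host_port" case is the one that matters for the draft's argument: a malicious host can copy the real router's link-local source address, so source checks alone are not enough, and the port role (host-facing versus uplink) has to be part of the decision. Note that this filter protects neighbours from forged RAs and Redirects but does nothing against the DAD denial-of-service discussed in Section 2.2, which rides on NS/NA messages that the filter deliberately lets through.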