Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Mikael Abrahamsson <swmike@swm.pp.se> Tue, 23 September 2014 06:38 UTC

Date: Tue, 23 Sep 2014 08:38:14 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Nalini Elkins <nalini.elkins@insidethestack.com>
In-Reply-To: <1411408550.77000.YahooMailNeo@web125104.mail.ne1.yahoo.com>
Message-ID: <alpine.DEB.2.02.1409230832110.14735@uplift.swm.pp.se>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com> <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com> <1411164118.44574.YahooMailNeo@web125106.mail.ne1.yahoo.com> <CAPi140M+RjEr_edAXZBuUv9dYTztQUHq5J6rTd6Ca0qHcuhrCA@mail.gmail.com> <1411170563.16646.YahooMailNeo@web125101.mail.ne1.yahoo.com> <CAPi140PC_rjguOVpyes74=by-Y504hcpsbWFxVfQ8GiudbR6sA@mail.gmail.com> <1411185266.51203.YahooMailNeo@web125102.mail.ne1.yahoo.com> <541D45DB.5010703@foobar.org> <1411222548.10128.YahooMailNeo@web125105.mail.ne1.yahoo.com> <541DB824.7080408@foobar.org> <1411255504.4053.YahooMailNeo@web125102.mail.ne1.yahoo.com> <alpine.DEB.2.02.1409221003200.14735@uplift.swm.pp.se> <1411408550.77000.YahooMailNeo@web125104.mail.ne1.yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/0QLVSDBTs2Ux9w1DnmyOOK4oe28
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

On Mon, 22 Sep 2014, Nalini Elkins wrote:

> If I have 1,000 nodes under my control, then that is how many that 
> should be in my AD and BD.  IPv6 allows for large subnets, so why not?

Because it's a bad idea. IPv4 allows for subnetting at /22 for your 1000 
nodes; that doesn't mean it's a good idea.

> Possibly not.  We wanted to raise the issue.  BTW, Pings, as you know,
> are the precursor to much malicious activity.  It is something that

No, I don't know that. ICMP PINGs are an essential diagnostic tool.

> someone with ill intent is liable to do readily.  And, it provides
> a huge amount of data on other nodes in a broadcast domain.

I don't believe in security by obscurity. I believe in real security.

> "The one MAC address that all devices share in common in normal 
> operation is the media broadcast, or FF:FF:FF:FF:FF:FF.  In this case, a 
> device will take the packet and send an interrupt for processing. Thus, 
> a flood of these broadcast frames will consume all available resources 
> on an end-system [9]. It is perhaps prudent that system administrators 
> should consider ensuring that their border routers do not allow directed 
> broadcast packets to be forwarded through their routers as a default."

... and this is exactly what happened in 1997 when smurf attacks were 
stopped by this exact feature: "no ip directed-broadcast" on Cisco 
routers. You can still ping the broadcast address from the router itself; 
it just won't allow remote pings to work, as it won't forward packets to 
the network broadcast IP address. It works exactly the same way in IPv6, 
because link-local addresses aren't reachable from another interface and 
aren't forwarded between interfaces.

> On Linux, I believe when you do a PING, it is continuous until 
> intentionally stopped.  So, doing a Ping to FF02::1 from a Linux machine 
> will create havoc without having ill intent.  That is, accidentally.

Absolutely, and it's all due to the decision to put a lot of nodes in the 
same L2 domain, which has been known for 20-30 years to be bad design and 
can cause the exact problems you're describing. If you ping the network 
broadcast address on IPv4 you get the exact same thing, so I don't see why 
you blame IPv6 for this.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
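The forwarding rule Mikael relies on above (a router drops IPv4 directed broadcasts when "no ip directed-broadcast" is set, and never forwards IPv6 link-local unicast or link-local-scope multicast such as FF02::1 between interfaces) can be modelled as a small decision function. The following is an added illustration written for this thread, not code from the original message or from any router vendor; the two interfaces, their prefixes (RFC 5737 / RFC 3849 documentation ranges) and the sample destinations are constructed, and the multicast scope check goes slightly beyond the message by covering all scope values from RFC 4291 rather than only FF02.

```python
import ipaddress

# Constructed router: two interfaces with documentation prefixes attached.
INTERFACES = {
    "eth0": [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8:1::/64")],
    "eth1": [ipaddress.ip_network("198.51.100.0/22"),
             ipaddress.ip_network("2001:db8:2::/64")],
}


def ipv6_multicast_scope(addr):
    """Return the 4-bit scope field of an IPv6 multicast address (RFC 4291 2.7):
    1 interface-local, 2 link-local, 5 site-local, 8 organization-local, e global.
    The scope is the low nibble of the first 16-bit group (ff0X::)."""
    addr = ipaddress.IPv6Address(addr)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return (int(addr) >> 112) & 0xF


def forwarding_decision(dst, out_iface, directed_broadcast=False):
    """Decide whether a router may forward a packet addressed to dst out of
    out_iface. Returns (forward, reason). directed_broadcast=False models the
    Cisco "no ip directed-broadcast" default introduced after smurf."""
    addr = ipaddress.ip_address(dst)
    nets = INTERFACES[out_iface]

    if addr.version == 6:
        if addr.is_link_local:  # fe80::/10 only has meaning on the attached link
            return False, "IPv6 link-local unicast (fe80::/10) is never forwarded"
        if addr.is_multicast:
            scope = ipv6_multicast_scope(addr)
            if scope <= 2:  # interface-local (1) and link-local (2), e.g. ff02::1
                return False, f"IPv6 multicast scope {scope:x} is never forwarded"
            # Larger scopes are forwardable in principle; whether they actually
            # are depends on MLD/PIM state, which this model does not track.
            return True, f"IPv6 multicast scope {scope:x} may be forwarded"
        return True, "IPv6 unicast, forwarded per routing table"

    # IPv4
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return False, "IPv4 limited broadcast is never forwarded"
    for net in nets:
        if net.version == 4 and addr == net.broadcast_address:
            if directed_broadcast:
                return True, f"directed broadcast to {net} forwarded (ip directed-broadcast)"
            return False, f"directed broadcast to {net} dropped (no ip directed-broadcast)"
    return True, "IPv4 unicast, forwarded per routing table"


if __name__ == "__main__":
    # Constructed destinations a router might be asked to send out eth1.
    for dst in ["198.51.100.10", "198.51.103.255", "255.255.255.255",
                "2001:db8:2::10", "fe80::1", "ff02::1", "ff05::2"]:
        forward, reason = forwarding_decision(dst, "eth1")
        print(f"{dst:>18}  {'FORWARD' if forward else 'DROP':7}  {reason}")
```

Note that 198.51.103.255 is the broadcast address of the /22 on eth1 and is dropped by default, which is the whole of the smurf mitigation; FF02::1 is dropped for the structural reason Mikael gives rather than by a configurable knob, so there is no IPv6 equivalent of "ip directed-broadcast" to turn back on.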