IETF Logo Mail Archive

Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Andrew 👽 Yourtchenko <ayourtch@gmail.com> Fri, 19 September 2014 22:24 UTC

Return-Path: <ayourtch@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E98031A88E4 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 15:24:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E7cJLMXY107Q for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 15:24:34 -0700 (PDT)
Received: from mail-ie0-x230.google.com (mail-ie0-x230.google.com [IPv6:2607:f8b0:4001:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D481D1A88F6 for <v6ops@ietf.org>; Fri, 19 Sep 2014 15:24:32 -0700 (PDT)
Received: by mail-ie0-f176.google.com with SMTP id ar1so4490569iec.21 for <v6ops@ietf.org>; Fri, 19 Sep 2014 15:24:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WVx71wCoU5zjrOnt6K5sk8EEz+XpxyASacGr6w1O5UA=; b=ntjQ+WJNOg/64sUjzqb5kjb+C/cHLLvtLdTUMbVmS/Agz1Mo3MSj/FmPKvzmKiVDBW 72H7gL9fWgNy5/jfhJVUjRQlZhtaL2SCpX2RtohupLa3uEAF9RBemYGpinndJbN4bS9U HyloHTLN3erZoFX/YjcaRGZ6vFg+2773QQD1LPGwf5St75Mwyk3zssp8+SZRlSgbk8RD CIiB4GPfauSL3XFY9sMyEJ6qH3cgwcMPIZR5CXn6iBYOLGaWd9Aktn2fc4PpOuA03CPP CBUwtcYB+0hgp10qSDLTl1/cThS7ZPBuT+RKxqPSBju3FNM3JPblEqyVgtIDxChuL/QB VHag==
MIME-Version: 1.0
X-Received: by 10.50.61.99 with SMTP id o3mr1402520igr.30.1411165472237; Fri, 19 Sep 2014 15:24:32 -0700 (PDT)
Received: by 10.107.137.65 with HTTP; Fri, 19 Sep 2014 15:24:32 -0700 (PDT)
In-Reply-To: <4FC37E442D05A748896589E468752CAA0CCCABFB@PWN401EA160.ent.corp.bcbsm.com>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com> <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0CCCABFB@PWN401EA160.ent.corp.bcbsm.com>
Date: Sat, 20 Sep 2014 00:24:32 +0200
Message-ID: <CAPi140MfAqRpCV8cW50N0cGZsE4Q9CC0ZUB6xQoAgUn4F3P6WA@mail.gmail.com>
From: Andrew 👽 Yourtchenko <ayourtch@gmail.com>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/254FONkPecHMaUbzWpdfFuh_Erg
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 22:24:36 -0000

Hi Michael,

On 9/19/14, Ackermann, Michael <MAckermann@bcbsm.com> wrote:
> HI Andrew
>
> Thanks for the great responses and related information.
>
> My comment on the inclusion of MLD,  is that we talked a lot about MLD
> during the creation of this draft and it certainly is consistent with the
> theme and adds to the issues.   However, we chose to leave MLD out of this
> draft, in an effort to keep the draft smaller and more focused.   We do
> mention MLD as being a related factor but state it is outside of the scope
> of the draft.     Given that, a question for you is if you feel this draft
> SHOULD include MLD?

No, my point was about the overall approach of the draft - there
seemed to be two aims:

1) the "TBD" placed into the section aiming at general design of subnets,

2) a question "should the hosts respond to ff0x::1?" following after
the description of a link-local equivalent of a smurf attack.

If the draft had just the (2) above (even limit it to just
observations, maybe? Could someone else from the community chime in
who thinks it is a problem?), and also discussed whether one can use
larger scopes (what happens if ff05::1?), and the *operational*
measures that can be taken today to prevent that threat, this would
make it self-contained. As of now, it reads a bit unclear, and (1) is
a rather broad topic to cover adequately while keeping it a short
read, if you wanted to do so.

>
> One other comment is that although there is education and information about
> these types of IPv6 subjects/issues, most large enterprises are unaware of
> any of this.   Our hope was to spare them from having an unpleasant initial
> experience with IPv6, by pointing out some issues  and pitfalls we have run
> into.   There is enough reluctance to pursue IPv6, in the corporate and
> large enterprise environments today and we want to eliminate as many
> negatives from that decision process as possible.
>
> Hope that makes sense.

My general feeling: if a network is designed/operated in such a way
that ping6 ff02::1 is an unpleasant experience, there should be a big
warning sign "this is the least of your worries, you did not do your
homework, so buckle up for the real fun to come".

At the same time,  if you indeed saw someone operationally messing up
the network due to this issue - a short focused document discussing
the observations and mitigations would be useful to point those people
to.

--a

>
> Thanks again
>
> Mike
>
>
>
> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Andrew ??
> Yourtchenko
> Sent: Friday, September 19, 2014 4:27 PM
> To: Nalini Elkins
> Cc: draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org;
> v6ops@ietf.org
> Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
>
> On 9/19/14, Nalini Elkins <nalini.elkins@insidethestack.com> wrote:
>>
>>>A directed broadcast ping on IPv4 gives pretty much the same result.
>>>Did you test the effects of that ?
>>
>> I had not.  But, since you mentioned it, I did it on two different
>> Windows machines.  The one that is the server in question had the
>> following results:
>>
>> C:\Users\Administrator>ping x.x.x.255
>>
>> Pinging x.x.x.255 with 32 bytes of data:
>> Request timed out.
>> Request timed out.
>> Request timed out.
>> Request timed out.
>>
>> Ping statistics for x.x.x.255:
>>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>>
>> Arp cache was not updated.   I did a packet trace in the background and
>> indeed no ICMP replies were seen.
>>
>> I did the same ping x.x.x.255 on one of my client PCs and saw:
>>
>> Pinging x.x.x.255 with 32 bytes of data:
>> Request timed out.
>> Request timed out.
>> Request timed out.
>> Request timed out.
>>
>> But this time the packet trace showed that actually ICMP replies were
>> sent.
>>
>
> So, besides this cosmetic difference the behavior is identical for the case
> of IPv4 ping ?
>
>>>Of course, private VLANs or (if we are talking VMs) or just using p2p
>>>links with /128s would help this in the environments where the hosts
>>>can not be trusted - and this of course is not virtual/physical
>>>specific.
>>
>> Yes.  We wanted to bring up the topic of isolation of nodes for
>> discussion.
>
> This is a useful topic in general - especially in light of the MLD-related
> thread, but the draft seems to focus on a very corner case
> - there are many much better reasons not to do large L2 networks.
>
>>
>>>If we're talking specifically virtual environment, here's an approach
>>>on how to use ebtables to isolate the hosts:
>>
>>>ebtables -P FORWARD DROP
>>>ebtables -F FORWARD
>>>ebtables -A FORWARD -i $uplinkPort -j ACCEPT # let the traffic flow
>>>from uplink to any ports ebtables -A FORWARD -o $uplinkPort -j ACCEPT
>>># let the traffic flow from any ports to uplink
>>
>>>(source:http://serverfault.com/questions/388544/is-it-possible-to-enab
>>>le-port-isolation-on-linux-bridges)
>>
>> I think this is very good.  But, unfortunately not very well known.
>> Also,
>> is this possible for all platforms or just Linux?
>
> This was just my first google.com search result when searching for "private
> vlans linux".
>
> The first google.com search result on "private vlans windows" brings up
> http://blogs.technet.com/b/scvmm/archive/2013/06/04/logical-networks-part-iv-pvlan-isolation.aspx
> which seems to document similar technique.
>
> "private vlan vmware" results in
> http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691
> as its first hit.
>
> Would an IETF publication be easier to find than the above ?
>
>>
>>>So looks like the question at hand is:
>>
>>>"Should IPv6 nodes respond to Ping to FF0x::1?"
>>
>>>Which can be rephrased differently to ease the start of the discussion:
>>
>>>"What are the legitimate uses of a ping to ff0x::1 ?"
>>
>>>Right ?
>>
>> Yes.
>
> Allright, so I'll mention my use of ping6 ff0x::1:
>
> * quick check to find "a few hosts that are alive on this link"
> (obviously not to be done on large segments).
>
> * A way to trigger the remote side's ND process without having to do one
> myself (I know the multicast packet to all-hosts *will* usually get received
> regardless of the underlying issues with the L2.5 infrastructure (snooping,
> etc.)
>
> * A way to further debug malfunctioning L2.5 infra, by comparing the
> reaction to pings to ff02::1, solicited node multicast, other multicast
> groups, etc.
>
> Summary: the ff02::1 current ping behavior does help in a non-trivial amount
> of cases.
>
> The security aspects the draft mentions indeed do exist, but in a properly
> configured network can be easily mitigated as I've shown above. So I'd be
> against changing the functionality in the existing stacks.
>
> On the education side: the existing search results
> https://www.google.com/?gws_rd=ssl#q=ping6+ff02::1 show 8000-something
> results - so indeed probably this behavior may be highlighted more during
> the IPv6 education. However: every IPv6 course I've heard says "there is no
> broadcast in IPv6, but there is all-hosts multicast" which should not make
> the behavior the draft describes a major surprise.
>
> --a
>
>>
>> --a
>>
>>
>> On 9/19/14, fred@cisco.com <fred@cisco.com> wrote:
>>> A new draft has been posted, at
>>> http://tools.ietf.org/html/draft-elkins-v6ops-multicast-virtual-nodes.
>>> Please take a look at it and comment.
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
>
> The information contained in this communication is highly confidential and
> is intended solely for the use of the individual(s) to whom this
> communication is directed. If you are not the intended recipient, you are
> hereby notified that any viewing, copying, disclosure or distribution of
> this information is prohibited. Please notify the sender, by electronic mail
> or telephone, of any unintended receipt and delete the original message
> without making any copies.
>
>  Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are
> nonprofit corporations and independent licensees of the Blue Cross and Blue
> Shield Association.
>

v2.23.0 | Report a Bug | By Email