IETF Logo Mail Archive

Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00

David Farmer <farmer@umn.edu> Fri, 05 July 2013 15:53 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45E7E11E8302 for <v6ops@ietfa.amsl.com>; Fri, 5 Jul 2013 08:53:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lNvOwEizydIi for <v6ops@ietfa.amsl.com>; Fri, 5 Jul 2013 08:53:11 -0700 (PDT)
Received: from vs-m.tc.umn.edu (vs-m.tc.umn.edu [134.84.135.97]) by ietfa.amsl.com (Postfix) with ESMTP id 95F1B11E8127 for <v6ops@ietf.org>; Fri, 5 Jul 2013 08:53:11 -0700 (PDT)
Received: from mail-oa0-f51.google.com (mail-oa0-f51.google.com [209.85.219.51]) by vs-m.tc.umn.edu (UMN smtpd) with ESMTP for <v6ops@ietf.org>; Fri, 5 Jul 2013 10:53:01 -0500 (CDT)
X-Umn-Remote-Mta: [N] mail-oa0-f51.google.com [209.85.219.51] #+LO+TR
X-Umn-Classification: local
Received: by mail-oa0-f51.google.com with SMTP id i4so3573748oah.10 for <v6ops@ietf.org>; Fri, 05 Jul 2013 08:53:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=message-id:date:from:reply-to:organization:user-agent:mime-version :to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding:x-gm-message-state; bh=ICtzxFs5A4JxQyUsphOfJndZ772QULNA+yQA4sELBVk=; b=KOcFz8bdyiczh+UKlS2WyF/JuwPL9kaExdiXkqJqIVdGb2hK9zHxNKPpqVq/eLtgIT /+VD0PVURcdz1f5Y6FgsW4AHmmFk6zCvCC7mxErrqRi9+sQ9WzbAcTkkmsN6LxUoIace rceO6Avi6kwK7PF2aZqP1Ej+Z1IHroH/Z1lDSdWt4ds9PPb5Ni7MfpNWoL2oKo9nj7Ij 01D+Bj5cgpeaZz57WOzY6nf8QBUfEf1NOnMgGg727zJx0GdzQtAmxGzapTPeOnIMcXzY PKADRmMqUbSpKx9e2agnVHFyGwEnV7Mn7ouNFfRPejMi2C9kkOdeHvnIbyX4BskASFgf V2IQ==
X-Received: by 10.60.57.164 with SMTP id j4mr11694071oeq.10.1373039581498; Fri, 05 Jul 2013 08:53:01 -0700 (PDT)
X-Received: by 10.60.57.164 with SMTP id j4mr11694061oeq.10.1373039581406; Fri, 05 Jul 2013 08:53:01 -0700 (PDT)
Received: from oit201651646.local ([2001:470:1f11:821:ccb8:28da:84a7:c9df]) by mx.google.com with ESMTPSA id tv3sm15234137obb.8.2013.07.05.08.52.59 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 05 Jul 2013 08:53:00 -0700 (PDT)
Message-ID: <51D6EBDB.3030309@umn.edu>
Date: Fri, 05 Jul 2013 10:52:59 -0500
From: David Farmer <farmer@umn.edu>
Organization: University of Minnesota
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: S Moonesamy <sm+ietf@elandsys.com>, Arturo Servin <arturo.servin@gmail.com>
References: <6.2.5.6.2.20130702145424.0af37160@elandnews.com> <51D4CD90.5070005@gmail.com> <6.2.5.6.2.20130703220114.0c8241b8@resistor.net> <51D55CF0.9010301@gmail.com> <6.2.5.6.2.20130704192850.0d06e8b8@elandnews.com>
In-Reply-To: <6.2.5.6.2.20130704192850.0d06e8b8@elandnews.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQkMrP5q9Q2lo8XThK+5yJ18wPpd2ECHXumCWKsX43u2//VgNHf+/CbzG/iOO6g1If/fx2bwzU5RhSFhibVoHRuZCbzstaVP4w78F6dqGcjCqXBwp4Pr52XO8CWlKK5a3+SMGlc5
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: David Farmer <farmer@umn.edu>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2013 15:53:18 -0000

On 7/4/13 22:27 , S Moonesamy wrote:
> Hi Arturo,
> At 04:30 04-07-2013, Arturo Servin wrote:
>>     Sorry, I should have said "Or are these recommendations orthogonal
>> to a network applying RA Guard?"
>
> Yes.
>
>>     I think the ansewer is still yes. But for that reason I think that
>> you should mention that this is an add-on to RA Guard (not instead of,
>> not criticizing it) and it is intended to provide some security
>> mechanisms to the host when the network administrator do not have this
>> capability (RA-Guard) in its network.
>
> I think that we are looking at this from two different angles.  I can
> look at this in terms of:
>
>   (a) how does the network protect the host
>
>   (b) how is the host protected
>
> If there is a protection for (a), for example, Router Advertisement
> Guard, (b) might not be much of a problem.  If the host is protected,
> the question being asked is whether (a) is needed or not.  I am not
> trying to answer that question as there is existing code for doing (b)
> and that is what the draft is talking about.  What the person writing
> the code for the host may wish to say is that their system provides for
> the limits mentioned in draft-moonesamy-ra-flood-limit-00.

I think some kind of applicability statement would be a useful addition 
to the Draft.  I'm less worried about a network operators deciding that 
they don't need to implement RA-Guard because their hosts implement 
RA-Flood-Limit.  I'm more concerned about OS vendors or implementors 
deciding they don't need to implement RA-Flood-Limit because they view 
this as a network operator issue and if only the network operators would 
just implement RA-Guard then RA-Flood-Limit wouldn't be necessary.

I think it needs to be made clear that both RA-Guard and RA-Flood-Limit 
are independently necessary to ensure both the security and stability of 
a network and its hosts.

1. RA-Guard or the other the techniques discussed in RFC6104 can 
effectively prevent RAs sourced from hosts either by malicious activity 
or simple miss-configuration.  But, RA-Guard can do little to prevent 
RAs caused by software or hardware bugs within, or miss-configuration of 
the network itself.

2. RA-Flood-Limit prevents the consequences of many different RAs being 
seen by a host, regardless of the source of those RAs.  But, can not 
distinguish between the source of the RAs, and may allow malicious 
configuration of the host.

3. Therefore, implementation of BOTH RA-Guard and RA-Flood-Limit are 
necessary to ensure BOTH the security and stability of a network and its 
hosts.

>>     In the end, having RA-Guard could solve enteraly this problem, but
>> when it is not provided by the network the host should have mechanisms
>> to defend itself. Then is when your draft applies. Does it make sense my
>> comment?

I disagree, RA-Guard can effectively deal with RA-Floods caused by hosts 
either through malicious activity or miss-configuration, but can not 
necessarily deal with RA-Floods caused by miss-configuration or bugs 
within the network itself.

> Yes, I understood what you wrote.  In my opinion it depends on your
> security posture.  Some people may prefer to put security closer to the
> end whereas others might find it better to do it centrally.  RFC 6104
> discusses about scenarios and different methods to mitigate against
> rogue Router Advertisements.  In my opinion that is where the above is
> more relevant.  What the code does is to prevent the host it is running
> on from crashing.

Security posture is only part of the issue, this is both a security and 
stability issue, that needs both host based and network based mitigation 
strategies.  Neither, RA-Guard or RA-Flood-Limit can ensure both the 
stability and security of a network and it hosts independently, they are 
complementary strategies, and are both necessary for a complete 
solution.  I think it is important for the Draft makes this point one 
way or another.

Thanks

-- 
================================================
David Farmer               Email: farmer@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================

v2.23.0 | Report a Bug | By Email