IETF Logo Mail Archive

Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Nalini Elkins <nalini.elkins@insidethestack.com> Fri, 19 September 2014 23:49 UTC

Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 405091A8902 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 16:49:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.6
X-Spam-Level:
X-Spam-Status: No, score=-1.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ayYfe2vjYuSC for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 16:49:24 -0700 (PDT)
Received: from nm27-vm2.bullet.mail.ne1.yahoo.com (nm27-vm2.bullet.mail.ne1.yahoo.com [98.138.91.215]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 224021A8901 for <v6ops@ietf.org>; Fri, 19 Sep 2014 16:49:24 -0700 (PDT)
Received: from [98.138.100.111] by nm27.bullet.mail.ne1.yahoo.com with NNFMP; 19 Sep 2014 23:49:23 -0000
Received: from [98.138.87.3] by tm100.bullet.mail.ne1.yahoo.com with NNFMP; 19 Sep 2014 23:49:23 -0000
Received: from [127.0.0.1] by omp1003.mail.ne1.yahoo.com with NNFMP; 19 Sep 2014 23:49:23 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 377330.16916.bm@omp1003.mail.ne1.yahoo.com
Received: (qmail 39108 invoked by uid 60001); 19 Sep 2014 23:49:23 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1411170563; bh=lv3AU1vmZC2YcwpP44GN18GXk4sE+Rhgf9I5B1zjbuc=; h=References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=UcwMyQ7bp1V0XNS1/xHosecSBVttItIXshwZnHUFURSZwBnLApLbbG7cGmxGFnrAPgONxmgmegfsawBI/zGAOqLgK3PY6yfoRUtkVSa3oEbhplSBL6wXTNqHRhbpwRyaqcW0pLzZLggISzlJUNIQc9TREoeXTkeyOYJWkZ+34g0=
X-YMail-OSG: yxo8W14VM1lnxsVhfZmsl5JQgpDT9GHDGqs0Ce1wcmVZwLm 0Gz.vQVaudeorRbd6KSg3y1yHdDRFb_Hr4KLmmlxsT7TsgCm6giSLhzJJcNW bocDXw8ytjEaCVmG8mAToICbQ6x4T8lbQRYvUHYKbYY0ajaaE1ELTxQO8GBN eUJ9cxJLsGuRJRHeVkrqdTcUd0WBaufg3YY_bwrOxaJpbElwnTOq._86kCnM dzxnB9tLBzGwW8QI9bfOEqL8PH4cIUfJjjF1fKGqznCYTCwuU_fPUTtuMGgP af2ReJEAmEdHhXsUa9fv042qnsw.OMaGURceqyJ2xyTKHcmlWWERPnzWPRpj i3aSUCFdO.HFUOHE4Gvpf6fJPTsfQR1FSckcHPEL1HxD1InxkuZrmgIZ3T9_ KSmB.XUsS6Mop1WfnYNqZbtsYfHJ7dOBaU08zkiuDOY0QSmbYJsZ.5YGZ32Z mW3D4qRuuv0TjQwk9YNCpQpoYtMKoF_o.dJWft3pDHLbCIDIhB3kTVa0wxXy joUIVRBSV23O3ICP7K7JWJnwuipgOH1eNu9LJgDHbh41j.f9QL5LnBcuknvN xaakhN3Ur8QYLWZcjKYJZtMuYziOQtiLmXm2tNRS2U2u8fU.W05NW2OHfRGP Ib.pa.ltnrIDsS2NSckdM4oo0hClV982eJbDMiZ1fNXRGnLzBoikpDXdu.HK gRVEoCiHHIhirKGy9HLGouzIwnnqBVGkS9jRfkjMMdy3j4i_hZlvHyu630sZ pNsOzVQytIxuIT_eXnr3nfKHawo8z2YWGgRQQ3Cfn.xnWFxlnkPt2KDXWftV utgiSaR0APpmzTwiPVU_JC3.17jGSdFajkr_qpzipFXBktqT_rloH_hDzDU8 KNdx6rSKgnQylIsqfbMZVvQWaXYlTYFdgdVNZnvpUrGEvxFAxHlVoLSlUKCQ t3bkJLvp.itrVDuAlvkSMGz54YI1gRPRpyx_ixrU.W.pgmuphE1uXsrhmoMM 9mUQggsn1fu1M.OM_z_KmHaO4_2WCXhwytzq3x63GSn7w2en3r4O80G.shTG eQMik.sYpncXuBdJR1fjCY3ed368JZcCfv6331VrB1iOax57uzERxXjluqr0 Sw.XVAm0fLIjST2SPhJKjqtALtbWoSBI_Dguq2UNhvP9iKHrbPVmjsfm2KB_ q9GoMrvZk8r5c0WxFCEt2ANACsGjGh8tVkWegUOjVzj1VJdBERljB4eTCIcc MxbIGSU1BhbRnDw--
Received: from [24.130.244.175] by web125101.mail.ne1.yahoo.com via HTTP; Fri, 19 Sep 2014 16:49:23 PDT
X-Rocket-MIMEInfo: 002.001, Cgo.Pgo.Pj5BIGRpcmVjdGVkIGJyb2FkY2FzdCBwaW5nIG9uIElQdjQgZ2l2ZXMgcHJldHR5IG11Y2ggdGhlIHNhbWUgcmVzdWx0Lgo.Pj5EaWQgeW91IHRlc3QgdGhlIGVmZmVjdHMgb2YgdGhhdCA_Cj4.Cj4.IEkgaGFkIG5vdC4gIEJ1dCwgc2luY2UgeW91IG1lbnRpb25lZCBpdCwgSSBkaWQgaXQgb24gdHdvIGRpZmZlcmVudCBXaW5kb3dzCj4.IG1hY2hpbmVzLiAgVGhlIG9uZSB0aGF0IGlzIHRoZSBzZXJ2ZXIgaW4gcXVlc3Rpb24gaGFkIHRoZSBmb2xsb3dpbmcKPj4gcmVzdWx0czoKPj4KPj4gQzpcVXMBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.203.696
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com> <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com> <1411164118.44574.YahooMailNeo@web125106.mail.ne1.yahoo.com> <CAPi140M+RjEr_edAXZBuUv9dYTztQUHq5J6rTd6Ca0qHcuhrCA@mail.gmail.com>
Message-ID: <1411170563.16646.YahooMailNeo@web125101.mail.ne1.yahoo.com>
Date: Fri, 19 Sep 2014 16:49:23 -0700
From: Nalini Elkins <nalini.elkins@insidethestack.com>
To: Andrew 👽 Yourtchenko <ayourtch@gmail.com>
In-Reply-To: <CAPi140M+RjEr_edAXZBuUv9dYTztQUHq5J6rTd6Ca0qHcuhrCA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/3hEpN9fJHuONAalr2EQ9t4odPtU
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Nalini Elkins <nalini.elkins@insidethestack.com>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 23:49:26 -0000


>>
>>>A directed broadcast ping on IPv4 gives pretty much the same result.
>>>Did you test the effects of that ?
>>
>> I had not.  But, since you mentioned it, I did it on two different Windows
>> machines.  The one that is the server in question had the following
>> results:
>>
>> C:\Users\Administrator>ping x.x.x.255
>>
>> Pinging x.x.x.255 with 32 bytes of data:
>> Request timed out.
>> Request timed out.
>> Request timed out.
>> Request timed out.
>>
>> Ping statistics for x.x.x.255:
>>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>>
>> Arp cache was not updated.   I did a packet trace in the background and
>> indeed no ICMP replies were seen.
>>
>> I did the same ping x.x.x.255 on one of my client PCs and saw:
>>
>> Pinging x.x.x.255 with 32 bytes of data:
>> Request timed out.
>> Request timed out.
>> Request timed out.
>> Request timed out.
>>
>> But this time the packet trace showed that actually ICMP replies were
>> sent.
>>
>
>>So, besides this cosmetic difference the behavior is identical for the
>>case of IPv4 ping ?
>
> Andrew, I think you may have misunderstand me.  The behavior is very
> definitely not
> identical in IPv4.   In IPv4, many people block or disable directed
> broadcast PING.  Such

>On the same subnet ? You wrote that the replies were indeed amplified
>and sent, or did I misunderstand ?

The replies on the same subnet appear to be blocked in one case and not blocked in another case.  
So, one cannot make a blanket statement (at least based on two data points!).


> PINGs can be used for amplification in Smurf attacks.
>
> http://www.techrepublic.com/article/understanding-a-smurf-attack-is-the-first-step-toward-thwarting-one/
>
> Ping to FF02::1 is definitely amplification when 10 echo requests can create
> 2,000+
> echo replies.   When you do a Ping on Linux, it is continuous until you stop
> it.
> So, you may very easily do amplification without even meaning to.

>This is all link-local. The reason Smurf is dangerous is that one can
>send the request from across the internet. Here it's on the same
>segment - so it's a customer-provider relationship, and there are ton
>of the existing operational mechanisms that can be used to take care
>of this if this is a concern - documenting them might be useful.
>Saying that the hosts should not reply altogether - not; for the
>reasons outlined in the previous mail.

>(Of course this is just my experience, would be interesting to hear
>others' opinions).

As I said in another response, in IPv6 subnets, there may be many other nodes
on link with you.   We were using the
 Ping to FF02::1 as a graphic example of how
it is possible to impact both yourself and other nodes without even meaning to. 

We discovered this by accident.   We were doing testing for another
purpose and were quite surprised to see that both servers were seeing all the
multicast packets and even more surprised when we did the PING to FF02::1.

>
>
>>>Of course, private VLANs or (if we are talking VMs) or just using p2p
>>>links with /128s would help this in the environments where the hosts
>>>can not be trusted - and this of course is not virtual/physical
>>>specific.
>>
>> Yes.  We wanted to bring up the topic of isolation of nodes for
>> discussion.
>
>>This is a useful topic in general - especially in light of the
>>MLD-related thread, but the draft seems to focus on a very corner case
>>- there are many much better reasons not to do large L2 networks.
>
> We wanted to pick one specific instance.  Maybe we went TOO small!

No, the more focused the doc is, the better.

>
>>
>>>If we're talking specifically virtual environment, here's an approach
>>>on how to use ebtables to isolate the hosts:
>>
>>>ebtables -P FORWARD DROP
>>>ebtables -F FORWARD
>>>ebtables -A FORWARD -i $uplinkPort -j ACCEPT # let the traffic flow
>>>from uplink to any ports
>>>ebtables -A FORWARD -o $uplinkPort -j ACCEPT # let the traffic flow
>>>from any ports to uplink
>>
>>>(source:http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges)
>>
>> I think this is very good.  But, unfortunately not very well known.
>> Also,
>> is this possible for all platforms or just Linux?
>
>>This was just my first google.com search result when searching for
>>"private vlans linux".
>
>>The first google.com search result on "private vlans windows" brings
>>up
>> http://blogs.technet.com/b/scvmm/archive/2013/06/04/logical-networks-part-iv-pvlan-isolation.aspx
>>which seems to document similar technique.
>
>>"private vlan vmware" results in
>>http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691
>>as its first hit.
>
>>Would an IETF publication be easier to find than the above ?
>
> Maybe not but the hosting company who provided us the service where we did
> this real life test does not seem to have read any of the documents you
> reference.

>If you were not spoofing the source, then the only DoS target was
>yourself, and the inter-customer resource isolation should take care
>of the rest. This is relates to "Oops I don't know what I'm doing"
>part.

Actually, not.  In this case, there was no inter-customer resource
isolation.  So, we were impacting everyone.   As I say, we discovered
this by accident.

I am thinking that the bigger question that we should address is
node isolation.  I think that people implementing IPv6 have got the
/64 for subnet in their heads pretty well.  But, not the other part
about how multicast - and other packets impact nodes on link with you.
And that they should do node isolation.

What do you think?

>Now, if you start to spoof your source and send the traffic at high
>rates, we're into the ToS violation territory, and the hosting company
>probably assumes a certain degree of good citizenship from its clients
>towards each other.

>If you were to try this kind of link-local smurf, why not
>try stealing other VM's IPv4 addresses and running MITM on them ? Or
>try spoofing the default router ? Or try sweep-scanning their entire
>/64 from Internet at high rate ? Or get into legacy and try
>ARP-flooding with broadcast ARP requests/replies at line rate ?

>There usually is a very simple mitigation to all of the above: first
>warn the hosting customer that is being naughty, then terminate the
>contract. I know for sure it is being practiced.

We discovered this by accident & were using the example of Ping FF02::1 to
illustrate what can happen. 



--a

>
> What to do is a good question.  IPv6 implementation at end user sites is new
> to many & mistakes are being made.  I do not know what is the answer.
>
>>
>>>So looks like the question at hand is:
>>
>>>"Should IPv6 nodes respond to Ping to FF0x::1?"
>>
>>>Which can be rephrased differently to ease the start of the discussion:
>>
>>>"What are the legitimate uses of a ping to ff0x::1 ?"
>>
>>>Right ?
>>
>> Yes.
>
>>Allright, so I'll mention my use of ping6 ff0x::1:
>
>>* quick check to find "a few hosts that are alive on this link"
>>(obviously not to be done on large segments).
>
>>* A way to trigger the remote side's ND process without having to do
>>one myself (I know the multicast packet to all-hosts *will* usually
>>get received regardless of the underlying issues with the L2.5
>>infrastructure (snooping, etc.)
>
>>* A way to further debug malfunctioning L2.5 infra, by comparing the
>>reaction to pings to ff02::1, solicited node multicast, other
>>multicast groups, etc.
>
>>Summary: the ff02::1 current ping behavior does help in a non-trivial
>>amount of cases.
>
>>The security aspects the draft mentions indeed do exist, but in a
>>properly configured network can be easily mitigated as I've shown
>>above. So I'd be against changing the functionality in the existing
>>stacks.
>
> I don't know, Andrew.  I worry about the broadcast nature of the ping.
> I feel like it is trouble waiting to happen.
>
>
> --a
>
>>
>> --a
>>
>>
>> On 9/19/14, fred@cisco.com <fred@cisco.com> wrote:
>>> A new draft has been posted, at
>>> http://tools.ietf.org/html/draft-elkins-v6ops-multicast-virtual-nodes.
>>> Please take a look at it and comment.
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>

v2.23.0 | Report a Bug | By Email