Re: [v6ops] control and security of DHCP

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Tue, 14 January 2014 23:33 UTC

Date: Tue, 14 Jan 2014 15:30:41 -0800
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: Owen DeLong <owen@delong.com>, Ray Hunter <v6ops@globis.net>
In-Reply-To: <B7B5CFF3-F6E9-4CF6-AD8C-4E9CE665C5B5@delong.com>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] control and security of DHCP

>________________________________
> From: Owen DeLong <owen@delong.com>
>To: Ray Hunter <v6ops@globis.net> 
>Cc: "v6ops@ietf.org WG" <v6ops@ietf.org> 
>Sent: Wednesday, 15 January 2014 6:50 AM
>Subject: Re: [v6ops] control and security of DHCP
> 
>
>On Jan 14, 2014, at 11:23 , Ray Hunter <v6ops@globis.net> wrote:
>
>Owen DeLong <mailto:owen@delong.com>
>>>14 January 2014 19:17
>>>On Jan 14, 2014, at 10:11 , Ray Hunter<v6ops@globis.net>  wrote:
>>>
>>>
>>>Nick Hilliard<mailto:nick@foobar.org>
>>>>>14 January 2014 18:21
>>>>>
>>>>>private vlans are troublesome, to say the least. In a virtualised
>>>>>environment, you need multi-switch support for specific types of pvlans.
>>>>>This places vendor restrictions on the types of kit you need to deploy.
>>>>>
>>>>>Nick
>>>>Yes.
>>>>
>>>>I've read posts from a number of DC operators who have expressly chosen for PVLANs compared to deploying dedicated L3 ports per server/ customer in multi-tenant environments, driven by a desire to save on very scarce public IPv4 addresses.
>>>>
>>>Which might make sense when the customers are on separate hardware.
>>>Agreed. But if you can emulate a L2 LAN, or a L3 router, you can presumably also emulate a PVLAN.
>>
>
>That doesn't necessarily follow, actually. At least in Linux, to the best of my knowledge, it's easy to set up multiple bridge groups, route between them and connect your virtual hosts accordingly. I don't know of any way to set up PVLAN emulation.
>
>
>OTOH, I've always regarded PVLAN as a really horrible hackish technique for IPv4 address conservation where segmentation would be the preferred solution, so I can't imagine preferring a PVLAN solution when a VLAN solution is available unless I'm stuck in IPv4 land and short on addresses.
>
>
>When the customers are separate virtuals on the same hardware, PVLANs become a bit less useful, though at that point, dedicated L3 ports in the virtual switch on the host become much more feasible, though you still have the network addressing cost issue if you're tied to IPv4.
>>>Right..
>>
>>That of course will likely bring problems migrating to IPv6 in the future e.g. DAD is probably not going to be able to detect duplicate addresses via multicast.
>>>>
>>>Depends on how the PVLANs treat link-scoped IPv6 multicast.
>>>Yes. There's no standard AFAIK.
>>
>
>There are no standards for PVLANs at all to the best of my knowledge. I suspect each vendor has a subtly different implementation and definition of the term to begin with. They're simply a terrible terrible hack that makes sense only in the context of extreme address shortage.
>

TR-101 from the Broadband Forum would be close to a standard.

>
>
>>>
>>>Hence my suggestion of prefix length>>  64 + PVLAN + DHCPv6 + DHCPv6 setting default router + HSRPv6/VRRPv3 to exactly mirror the IPv4 setup.
>>>>
>>>Not sure how that really helps. Why is a longer prefix length allegedly useful in this context?
>>>
>>>Owen
>>>
>>>
>>>The context of this thread was a request for DHCPv6 to be able to set the default router, and avoid using RA.
>>That's an interesting topic.
>>
>
>Still not understanding how the longer prefix helps with that.
>
>
>
>>I'm happy to continue the discussion about prefix length in detail, but shall we do that another time?
>>
>>Is it sufficient for now to say that in a virtual environment, I think it's even more important to contain resource depletion problems and potential cross-contamination between environments? The memory used to contain e.g. an ND table on one virtual LAN switch or router is almost certainly allocated from a shared pool that may not be well protected from overflowing. And it's going to be very easy to fill up the TCP session tables in e.g. machine firewalls using ip6tables, if a single rogue source on the local DC LAN can spoof source addresses from the equivalent of an entire continent today.
>>
>
>I still don't see the cost benefit ratio of such attacks being such that they are all that likely to occur. There are easy enough ways to commit such attacks in IPv4, yet they remain quite rare. I don't see any reason they would increase in IPv6. They are high risk, low reward types of attacks.
>
>
>Owen
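One concrete check for the ND-table depletion Ray raises above (many unresolved entries piling up inside a single /64 on a shared virtual switch or host), as an added example that is not part of this thread: it parses neighbour-cache output in the format of `ip -6 neigh show` (the sample below is constructed), counts unresolved entries per interface and /64, and flags any prefix that reaches an assumed threshold. Interface names, addresses and the threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `ip -6 neigh show` format: resolved neighbours on
# vlan10, plus a burst of unresolved entries inside one /64 on vlan20.
SAMPLE_NEIGH = """\
2001:db8:1::10 dev vlan10 lladdr 52:54:00:aa:bb:01 REACHABLE
2001:db8:1::11 dev vlan10 lladdr 52:54:00:aa:bb:02 STALE
fe80::5054:ff:feaa:bb01 dev vlan10 lladdr 52:54:00:aa:bb:01 router REACHABLE
2001:db8:2::1 dev vlan20 lladdr 52:54:00:cc:dd:01 REACHABLE
2001:db8:2::9a3f dev vlan20 INCOMPLETE
2001:db8:2::9a40 dev vlan20 INCOMPLETE
2001:db8:2::9a41 dev vlan20 FAILED
2001:db8:2::9a42 dev vlan20 INCOMPLETE
2001:db8:2::9a43 dev vlan20 INCOMPLETE
"""

# One neighbour per line; the lladdr and the router flag are optional.
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr \S+)?(?: router)?\s+(?P<state>\S+)$"
)
# NUD states that hold a cache slot without a resolved link-layer address.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def parse_neigh(text):
    """Yield (interface, /64 containing the address, NUD state) per entry."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            net = ipaddress.ip_interface(f"{m['addr']}/64").network
            yield m["dev"], str(net), m["state"]


def unresolved_per_prefix(text):
    """Count unresolved cache entries per (interface, /64)."""
    counts = Counter()
    for dev, net, state in parse_neigh(text):
        if state in UNRESOLVED:
            counts[(dev, net)] += 1
    return counts


def flag_exhaustion(text, threshold=4):
    """(interface, /64) pairs whose unresolved entries reach the assumed threshold."""
    return sorted(k for k, n in unresolved_per_prefix(text).items() if n >= threshold)
```

Feed it the live output of `ip -6 neigh show` instead of the constructed sample; a /64 that keeps tripping the threshold is the pattern to investigate before the shared neighbour table, rather than one tenant's, fills up.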