Re: [v6ops] Fw: New Version Notification for draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-node-00.txt
Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Sun, 20 April 2014 04:38 UTC
Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E32AC1A0126 for <v6ops@ietfa.amsl.com>; Sat, 19 Apr 2014 21:38:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.312
X-Spam-Level: ***
X-Spam-Status: No, score=3.312 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_REPLYTO=0.999, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIM_INVALID=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJspLJrGKvYU for <v6ops@ietfa.amsl.com>; Sat, 19 Apr 2014 21:38:07 -0700 (PDT)
Received: from nm41.bullet.mail.ne1.yahoo.com (nm41.bullet.mail.ne1.yahoo.com [98.138.120.48]) by ietfa.amsl.com (Postfix) with SMTP id B9F9F1A00FF for <v6ops@ietf.org>; Sat, 19 Apr 2014 21:38:06 -0700 (PDT)
Received: from [127.0.0.1] by nm41.bullet.mail.ne1.yahoo.com with NNFMP; 20 Apr 2014 04:38:02 -0000
Received: from [98.138.100.102] by nm41.bullet.mail.ne1.yahoo.com with NNFMP; 20 Apr 2014 04:35:03 -0000
Received: from [98.139.212.152] by tm101.bullet.mail.ne1.yahoo.com with NNFMP; 20 Apr 2014 04:35:03 -0000
Received: from [98.139.212.203] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 20 Apr 2014 04:35:03 -0000
Received: from [127.0.0.1] by omp1012.mail.bf1.yahoo.com with NNFMP; 20 Apr 2014 04:35:03 -0000
X-Yahoo-Newman-Property: ymail-4
X-Yahoo-Newman-Id: 269357.85071.bm@omp1012.mail.bf1.yahoo.com
Received: (qmail 25343 invoked by uid 60001); 20 Apr 2014 04:35:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s1024; t=1397968503; bh=hffOXDudBswcghXjcuLnZqYBSS10rHOMGh5nLpOurVE=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=FeHj133qzU3mSxnop9XrJ+oeqBROKJwX8dD/WhLiHyXtwXhoAtlDOXNUKPt0B/B+GFcTZGdOC4h8DSGkozTMoF6gYyKAoe6LEGsT+wvvy2wQtHusyU+bd91VyNQAFSSZ25+9mcP7v414OsV/s1DIrdMKIXZMvtxYAYDaweGt8bM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=yRJMT9JCd+6wnXbWj9nKtNBqOaWq5wWU9OAH/9u9OkoCW37Hrio6u7G24QBCSIqypHNmE8pltOLZi6Dh1x/nxJv95pdpjue7k/eKrGUoWDq1Udiv8b7S/IDPSfjnNNW5J5e7grasNWRb0Go8aRSqm3DChKhyy6fdNbfkkxqymQI=;
X-YMail-OSG: Kd99jcMVM1lFrqFTPdQYxpsKJKF7MJMPDBeGo0Il7mfWKQ2 7GspKhjk4Id0jeykpUfhEOjaJLOtn0vMzvj4Pb.RSMDb330eXl9vTN15RhWf HjW8uqU4TOabSbpVSXyOTv1yfC775ZBdEofqI8FrIUzJ4lVWPGbE3U5XxuRJ Kqc7I9i4xpcHJUPzA.ZzOJeNiTg3vgOtmq9MQLk1VjR.xnZP1PYc2JOOMzuf HAXkXuRFAc8BZKtvy9JLigc91rhnmlzI6L3KZezBBaZ8jsjn13saoIL.zkT6 5SzXkXvH2ZooHSPrRfantwzuzcQipcq8m6jZ.Jgc0f_vnMYbWKWs2hh27GcY mjyeynLfTEIG5Lv_QkJMDhG.Mg5bqiLFH7m5K7EgUW.paR1pJ6n77NjJUBOt BXiX7kBsKuLWpNpvgg_P1xCorGbCgKC0XxvBEO2PBY666.U49MrpM6TkVbX7 rT25wJhARbBw67feYda_vvtkQZTJbNP3WuHTA3JAAIDDL4hNzghi0lW9KU9u 2iTQ2_5ggp0oqnI_l48sVIijQsSSpZW203ucziELU41OSboIkT.6wnqE9oN9 2p.NQPgXuevW6Sc82Ycwkwgo_mTbS1Mi36ep3iDiGKDEPYcvbNhXI4ciNHA- -
Received: from [150.101.221.237] by web162203.mail.bf1.yahoo.com via HTTP; Sat, 19 Apr 2014 21:35:03 PDT
X-Rocket-MIMEInfo: 002.001, SGkgRXJpYywKClRoYW5rcyBmb3IgeW91ciB0aW1lIGFuZCBjb21tZW50cy4KClNvIEkndmUgYmVlbiBkb2luZyBzb21lIGZ1cnRoZXIgaW52ZXN0aWdhdGlvbiBpbiB0byBob3N0IHN0YWNrIE1MRCBiZWhhdmlvdXIuIEkgaGF2ZW4ndCBmaW5pc2hlZCB0aGF0LCBob3dldmVyIEkgY2FuIGFkZHJlc3Mgc29tZSBwb2ludHMgYmVsb3csIHdoaWNoIGhhdmUgYWxzbyBiZWVuIHJhaXNlZCBieSBMb3JlbnpvLgoKCi0tLS0tIE9yaWdpbmFsIE1lc3NhZ2UgLS0tLS0KPiBGcm9tOiBFcmljIExldnktIEFiZWdub2xpICgBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.185.657
References: <1396905670.42588.YahooMailNeo@web162205.mail.bf1.yahoo.com> <CF7476F7.38B12%elevyabe@cisco.com>
Message-ID: <1397968503.65061.YahooMailNeo@web162203.mail.bf1.yahoo.com>
Date: Sat, 19 Apr 2014 21:35:03 -0700
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: "Eric Levy- Abegnoli (elevyabe)" <elevyabe@cisco.com>, V6 Ops List <v6ops@ietf.org>
In-Reply-To: <CF7476F7.38B12%elevyabe@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/EeMgOLYLL880Vg_-3FlWGfMUslg
Subject: Re: [v6ops] Fw: New Version Notification for draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-node-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Apr 2014 04:38:11 -0000
Hi Eric, Thanks for your time and comments. So I've been doing some further investigation in to host stack MLD behaviour. I haven't finished that, however I can address some points below, which have also been raised by Lorenzo. ----- Original Message ----- > From: Eric Levy- Abegnoli (elevyabe) <elevyabe@cisco.com> > To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>; V6 Ops List <v6ops@ietf.org> > Cc: > Sent: Thursday, 17 April 2014 2:24 AM > Subject: Re: [v6ops] Fw: New Version Notification for draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-node-00.txt > > Hi, > I took a look at the draft, and found it "protocolly" interesting but > "operationally" flawed. > - some host stacks (last time I checked was a few years ago, so hopefully > that has changed) don't bother sending the MLD join for solicited-node > groups, mainly because it's not very relevant. Linux (Fedora 20) does and probably that means Android does. I'm running up some Windows VMs to see what that does (http://www.modern.ie/ for a legal variety of them). Apart from being required by RFC2710 and RFC4862, hosts have an interest in sending these so that MLD snooping layer 2 devices can suppress unwanted multicasts to them. If it was quite a while ago, then perhaps these hosts were IPv6 implementations that existed before MLDv1/RFC2710, as RFC2710 introduced the requirement to join the Solicited-Node multicast groups. One broader question I have is how much tolerance for lack of features in implementations is necessary? RFC2710 was published in 1999, and the IPv6 Node Requirements RFC from 2006 made MLD a requirement. Implementations before RFC2710 aren't going to support off-link sourced multicast applications, because they can't tell a router they want to join multicast groups. > Currently, stacks don't > bother storing mld state received in join, for any link-local scope mc, > and simply forward multicast regardless (I understand that the draft is > suggesting to make them relevant, but the amount of router-to-network > interactions is not worth the value in my opinion). And the fact that so > far, these states were useless make me think there are not generally > available. > > - When the MLD join is sent, it is sent once, when link goes up. Firstly, note that from the perspective of MLDv1/MLDv2, there is nothing special about Solicited-Node multicast groups. So the standard MLDv1/MLDv2 join etc. procedures apply. In the case of RFC2710/MLDv1 it is recommended to send more than one: " When a node starts listening to a multicast address on an interface, it should immediately transmit an unsolicited Report for that address on that interface, in case it is the first listener on the link. To cover the possibility of the initial Report being lost or damaged, it is recommended that it be repeated once or twice after short delays [Unsolicited Report Interval]. (A simple way to accomplish this is to send the initial Report and then act as if a Multicast-Address- Specific Query was received for that address, and set a timer appropriately)." In the case of MLDv2, they explicitly made sending at least two MLD state change reports a requirement: " As opposed to Current State Reports, State Change Reports are retransmitted several times, in order to avoid them being missed by one or more multicast routers. The number of retransmissions depends on the so-called Robustness Variable. This variable allows tuning the protocol according to the expected packet loss on a link. If a link is expected to be lossy (e.g., a wireless connection), the value of the Robustness Variable may be increased. MLD is robust to [Robustness Variable]-1 packet losses. This document recommends a default value of 2 for the Robustness Variable (see section 9.1)." > It's easy > to miss it for the router, for many reasons (split network, no retry, > reboot, etc.). The router could send a periodic MLD query, That is what the designated querier multicast router does to track the continued existence of multicast group presence on a link. Solicited-Node multicast group membership is reported in response to these queries. These queries are sent approximately once every 2 minutes respectively by MLD or MLDv2. That would too long to wait to discover Solicited-Node membership for a new device if the initial reports had been lost. It's tempting to suggest setting this interval to something much lower e.g. 3 to 5 seconds, however that is really trying to make up for the lack of reliability of implementations that haven't either followed the recommendations in MLDv1 or the requirements in MLDv2 for group joins. While I think tolerating faulty or unreliable implementations is generally a good thing, I always wonder how far to go before saying, "the implementation is too broken, can't be supported." > but that would > generate quite a bit of overhead, and I suspect that while some host > stacks still bother sending the mld report on link-up, they might not > bother sending then on mld-query (I don't know that for a fact). > Bottom line, the router is not likely to have an accurate table at any > given time of all listeners (even if it polls, can't do it too often for > obvious scalability reasons). If it doesn't, the MLD/MLDv2 has failed to successfully discover multicast listeners. That means the all of the following won't work reliably: - the method proposed in this memo - MLD snooping by layer 2 devices - all multicast applications where the multicast sources are off-link While I accept that the consequences of this DoS mitigation method failing are the most severe (all off-link unicast fails), end-users will probably consider the failure of off-link multicast applications to be nearly as severe - they just expect things to work, and don't really care why they don't. So if MLD is failing, something needs to be done to make it more reliable, either tuning, or fixing of the MLD/MLDv2 protocol. I accept that this method could uncover the lack of MLD reliability on a link, that hasn't previously been discovered because off-link source multicast applications haven't been used. I'll have a think about that case further. > So we can't really base a resolution decision on this table (unless the > router is under attack and has no other choice). > > - In addition, to come back to the purpose (mitigate resolution DoS), it > would "only: divide by 2**24 the address space. So a DoS attack would > still have plenty of addresses to use for his attack (2**40 per known > address, which is way enough to fill a cache). > True, as I've described in the Security Considerations section. This is not a stand alone method, I think it is a further compliment to other methods to protect the ND cache. Ultimately the only way to absolutely solve this problem is to have a node registration protocol, so that routers have absolute knowledge of all hosts. However, in the interim, I think methods such as this one can be useful mitigations. > > If this is "just" to mitigate a DoS resolution attack, it would be > more > efficient to store the (savi) binding table on the router, so that it > knows the address, not the the slctd (I think someone proposed a solution > like that at last ietf). I think one of the advantages of this method is that it is likely to require very minimal changes to routers' implementations of features they probably already have - enabling MLDv1/MLDv2 capability all of the time rather than just when it is a multicast (forwarding) router, and a slight change to their neighbor discovery procedure. Thanks, Mark. > Eric > > > > On 07/04/14 23:21, "Mark ZZZ Smith" <markzzzsmith@yahoo.com.au> > wrote: > >> Hi, >> >> I've just posted the following ID, grateful for any feedback. >> >> Regards, >> Mark. >> >> >> ----- Forwarded Message ----- >>> From: "internet-drafts@ietf.org" > <internet-drafts@ietf.org> >>> To: Mark Smith <markzzzsmith@yahoo.com.au>; Mark Smith >>> <markzzzsmith@yahoo.com.au> >>> Cc: >>> Sent: Tuesday, 8 April 2014 7:19 AM >>> Subject: New Version Notification for >>> draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-node-00.txt >>> >>> >>> A new version of I-D, >>> draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-node-00.txt >>> has been successfully submitted by Mark Smith and posted to the >>> IETF repository. >>> >>> Name: draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-node >>> Revision: 00 >>> Title: Further Mitigating Router ND Cache Exhaustion DoS Attacks >>> Using >>> Solicited-Node Group Membership >>> Document date: 2014-04-07 >>> Group: Individual Submission >>> Pages: 6 >>> URL: >>> >>> http://www.ietf.org/internet-drafts/draft-smith-v6ops-mitigate-rtr-dos-ml >>> d-slctd-node-00.txt >>> Status: >>> >>> https://datatracker.ietf.org/doc/draft-smith-v6ops-mitigate-rtr-dos-mld-s >>> lctd-node/ >>> Htmlized: >>> >>> http://tools.ietf.org/html/draft-smith-v6ops-mitigate-rtr-dos-mld-slctd-n >>> ode-00 >>> >>> >>> Abstract: >>> For each of their IPv6 unicast or anycast addresses, nodes join a >>> Solicited-Node multicast group, formed using the lower 24 bits of > the >>> address. This group membership can be used by routers to further >>> mitigate the Neighbor Discovery cache Denial of Service attack. >>> >>> >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of >>> submission >>> until the htmlized version and diff are available at tools.ietf.org. >>> >>> The IETF Secretariat >>> >> >> _______________________________________________ >> v6ops mailing list >> v6ops@ietf.org >> https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Fw: New Version Notification for draft-sm… Mark ZZZ Smith
- [v6ops] draft-smith-v6ops-mitigate-rtr-dos-mld-sl… Fred Baker (fred)
- Re: [v6ops] draft-smith-v6ops-mitigate-rtr-dos-ml… Lorenzo Colitti
- Re: [v6ops] draft-smith-v6ops-mitigate-rtr-dos-ml… Fred Baker (fred)
- Re: [v6ops] draft-smith-v6ops-mitigate-rtr-dos-ml… Mark ZZZ Smith
- Re: [v6ops] draft-smith-v6ops-mitigate-rtr-dos-ml… Mark ZZZ Smith
- Re: [v6ops] draft-smith-v6ops-mitigate-rtr-dos-ml… Lorenzo Colitti
- Re: [v6ops] Fw: New Version Notification for draf… Eric Levy- Abegnoli (elevyabe)
- Re: [v6ops] Fw: New Version Notification for draf… Mark ZZZ Smith