Re: [v6ops] control and security of DHCP

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Tue, 14 January 2014 23:29 UTC

References: <1808340F7EC362469DDFFB112B37E2FCDA31A30EB1@SRVHKE02.rdm.cz> <52CFB8D5.70900@gmail.com> <B54D5283-8880-434A-A3C0-9BFF0081E13B@gmail.com> <20140110.124610.74672987.sthaug@nethelp.no> <60C5513D-B8DA-48D6-82D3-53E148F9F7BA@gmail.com> <52D0157D.6040009@foobar.org> <alpine.DEB.2.02.1401101651580.20074@uplift.swm.pp.se> <D1FC3C0B-CC5D-44BC-B753-2F1BD94A48FA@nominum.com> <CAKD1Yr1C0jRNq-ta=HeGFusC8VFGGg1ffDFLoroUoiHmX-KYiA@mail.gmail.com> <52D18F22.1070708@foobar.org> <CAKD1Yr2PrG_Rit2YCAkep4_-LUSqNpEU-t+ttRsLPpSbYVLoig@mail.gmail.com> <1389490607.51957.YahooMailNeo@web161904.mail.bf1.yahoo.com> <52D2A8EF.2040901@foobar.org> <52D4E794.3070109@globis.net> <52D57214.1070505@foobar.org> <52D57DC5.9080603@globis.net>
Message-ID: <1389741994.37525.YahooMailNeo@web161905.mail.bf1.yahoo.com>
Date: Tue, 14 Jan 2014 15:26:34 -0800
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: Ray Hunter <v6ops@globis.net>, Nick Hilliard <nick@foobar.org>
In-Reply-To: <52D57DC5.9080603@globis.net>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] control and security of DHCP

----- Original Message -----
> From: Ray Hunter <v6ops@globis.net>
> To: Nick Hilliard <nick@foobar.org>
> Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
> Sent: Wednesday, 15 January 2014 5:11 AM
> Subject: Re: [v6ops] control and security of DHCP
> 
>>  Nick Hilliard <mailto:nick@foobar.org>
>>  14 January 2014 18:21
>> 
>>  private vlans are troublesome, to say the least. In a virtualised
>>  environment, you need multi-switch support for specific types of pvlans.
>>  This places vendor restrictions on the types of kit you need to deploy.
>> 
>>  Nick
>>  ------------------------------------------------------------------------
> Yes.
> 
> I've read posts from a number of DC operators who have expressly chosen 
> for PVLANs compared to deploying dedicated L3 ports per server/ customer 
> in multi-tenant environments, driven by a desire to save on very scarce 
> public IPv4 addresses.
> 
> That of course will likely bring problems migrating to IPv6 in the 
> future e.g. DAD is probably not going to be able to detect duplicate 
> addresses via multicast.
> 

Just an FYI,

Duplicate Address Detection Proxy
http://tools.ietf.org/html/rfc6957


My perspective on private VLANs etc. type problem has come from experience in the residential broadband environment with BYO CPE. Not only can't you control the type of CPE that is purchased, you can't assume that the people who operate them are capable of even the most basic security administration. It is a completely untrusted environment, and therefore I think solutions that work in that environment are also going to be quite effective in DC or enterprise environments.

These sorts of spoofing etc. problems are solved by per-subscriber PPPoE sessions, per-subscriber single or double VLAN tags, or the N:1 / "private VLAN" model. All of them are isolating subscribers/CPE/hosts, however from a routing perspective the last one is the most scalable, because multiple subscribers/CPE/hosts are collected together within a single subnet (obviously we get to use things such as routing aggregation to scale further, however there can still be value in reducing FIB entries/PPPoE/QinQ session entries on the BRAS itself.)



> Hence my suggestion of prefix length >> 64 + PVLAN + DHCPv6 + DHCPv6 
> setting default router + HSRPv6/VRRPv3 to exactly mirror the IPv4 setup.
> 
> It would also mean that any failovers are likely to be very similar for 
> both IPv4 and IPv6 paths, and that HSRPv6//VRRPv3 generally has more 
> features (track/ preempt/ MD5 authentication) which RA clearly doesn't 
> have (yet), which I see as clear operational advantages. My opinion is 
> that combination is a pretty valid use case for transitioning a 
> multi-tenant IPv4 environment to IPv6 using dual stack, and which 
> requires the additional functionality you want. Otherwise people running 
> IPv4 PVLANs are going to get painted into a corner.
> 
> 
> So what security are you suggesting to deploy to ensure that your set up 
> remains sufficiently isolated between customers, even though they share 
> a L2 LAN?
> 
> I'm not saying necessarily that RA should be the only game in town, but 
> it is there today. And we all know how hard it is to prevent attacks by 
> on-link attackers (not just RA).
> 
> -- 
> Regards,
> 
> RayH
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
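As an added illustration of the RFC 6957 pointer above (my own Python model, not code from this thread or from the RFC), here is a simplified version of the binding-table logic a Duplicate Address Detection proxy keeps on the first-hop router when hosts in a private VLAN / N:1 setup cannot see each other's multicast Neighbor Solicitations. The class and field names, the tick-based aging, the constructed MAC/port values and the omission of the RFC's liveness check of the already-registered owner are all assumptions of this example.

```python
"""Simplified model of a DAD proxy binding table (RFC 6957 style).

Added example, not code from the v6ops thread or from RFC 6957.  In a
private VLAN the hosts' DAD Neighbor Solicitations (NS) never reach each
other, so the router in the promiscuous port keeps a table of which
link-layer address claimed which IPv6 address and answers on the owner's
behalf when a second host probes the same address.  Timers and the RFC's
reachability check of the registered owner are simplified here.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, List, Optional


@dataclass
class DadNS:
    """A DAD NS as the proxy sees it.  A DAD NS is sent from :: and carries
    no source link-layer option, so the claimant's MAC is taken from the
    Ethernet frame, and the ingress port from the switch/router itself."""
    target: str   # tentative IPv6 address being probed
    src_mac: str  # link-layer address of the Ethernet frame
    port: str     # port / sub-interface the frame arrived on


@dataclass
class Binding:
    mac: str
    port: str
    age: int = 0  # proxy ticks since the binding was last refreshed


@dataclass
class Action:
    kind: str                  # "learn", "refresh" or "defend"
    target: str
    tlla: Optional[str] = None  # MAC placed in the Target LLA option of a defending NA


class DadProxy:
    MAX_AGE = 3  # bindings not refreshed within this many ticks are dropped (assumed value)

    def __init__(self) -> None:
        self.table: Dict[str, Binding] = {}

    @staticmethod
    def _key(addr: str) -> str:
        # Canonicalise so 2001:DB8:0:0::1 and 2001:db8::1 hit the same entry.
        return IPv6Address(addr).compressed

    def tick(self) -> None:
        """Age every binding and expire stale ones (stands in for lifetimes)."""
        for addr in list(self.table):
            entry = self.table[addr]
            entry.age += 1
            if entry.age > self.MAX_AGE:
                del self.table[addr]

    def on_dad_ns(self, ns: DadNS) -> Action:
        """Process one DAD NS and say what the proxy does with it."""
        key = self._key(ns.target)
        entry = self.table.get(key)
        if entry is None:
            # First claim for this address: record it, nothing to answer.
            self.table[key] = Binding(ns.src_mac, ns.port)
            return Action("learn", key)
        if entry.mac == ns.src_mac:
            # Same host probing again (e.g. after a restart): refresh the binding.
            entry.age = 0
            entry.port = ns.port
            return Action("refresh", key)
        # A different host is probing an address already bound to someone
        # else: reply with an NA on the owner's behalf so the newcomer's DAD
        # fails.  Worth logging: repeated "defend" events from one port mean
        # either a real address collision or a host claiming others' addresses.
        return Action("defend", key, tlla=entry.mac)


def run_scenario() -> List[str]:
    """Constructed sequence of events; returns the proxy's decisions in order."""
    proxy = DadProxy()
    owner, intruder = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # documentation MACs
    events = [
        DadNS("2001:db8:1::10", owner, "eth1/1"),     # host A claims the address
        DadNS("2001:db8:1::10", owner, "eth1/1"),     # host A probes again -> refresh
        DadNS("2001:DB8:1:0::10", intruder, "eth1/2"),  # host B probes same address -> defend
    ]
    decisions = [proxy.on_dad_ns(e).kind for e in events]
    for _ in range(DadProxy.MAX_AGE + 1):  # host A goes silent long enough to expire
        proxy.tick()
    decisions.append(proxy.on_dad_ns(DadNS("2001:db8:1::10", intruder, "eth1/2")).kind)
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

The expiry step at the end is the part to get right in a real deployment: if the proxy keeps a binding forever, a host that leaves the VLAN permanently blocks its old address for everyone else, which is why RFC 6957 pairs the table with lifetimes and a reachability probe of the recorded owner before updating an entry.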