Re: [v6ops] SLAAC security concerns

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 04 August 2020 20:41 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 398BB3A0B7E; Tue, 4 Aug 2020 13:41:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=HzkwKwwn; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Dim4Pddb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KtaYh1fgQkjJ; Tue, 4 Aug 2020 13:41:50 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BF233A0B85; Tue, 4 Aug 2020 13:41:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8101; q=dns/txt; s=iport; t=1596573710; x=1597783310; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=dtJi3rBKlhIir7sjsIkpi8c6Pv+x57091lkNhOqq4ao=; b=HzkwKwwnkKJSbT0mHfBaVtkFwxgVM//RR2XyhoA7X/o9JN177u6aW5Mg zOTdeUOBPnIPI6+uIAD+O7K7pI0E1214Nkh47lDvm4Ubu0aNPso5qQ1Of VdMj9gdDaAp+MMFaL28m2AzUsvxrtN064eNa5yn2gSPMFCO64sd02xoAH Y=;
IronPort-PHdr: =?us-ascii?q?9a23=3A40h9ZhGRKzWopylgoala1J1GYnJ96bzpIg4Y7I?= =?us-ascii?q?YmgLtSc6Oluo7vJ1Hb+e401QObRp3S4P8CjefK4OjsWm0FtJCGtn1KMJlBTA?= =?us-ascii?q?QMhshemQs8SNWEBkv2IL+PDWQ6Ec1OWUUj8yS9Nk5YS93mblbf5Hu/8W1aFh?= =?us-ascii?q?D2LwEgIOPzF8bbhNi20Obn/ZrVbk1IiTOxbKk0Ig+xqFDat9Idhs1pLaNixw?= =?us-ascii?q?=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0APDgBGxylf/5FdJa1gHgEBCxIMgy0?= =?us-ascii?q?vUQdvWC8shDWDRgONLpQchGyCUwNVCwEBAQwBARgBCgoCBAEBhEwCF4INAiQ?= =?us-ascii?q?4EwIDAQELAQEFAQEBAgEGBG2FXAyFcgIEAQEQER0BASwLAQ8CAQgOMQMCAgI?= =?us-ascii?q?lCxQRAQEEDgUigwQBgX5NAy4BDqg2AoE5iGF2gTKDAQEBBYEzAYNvGIIOAwa?= =?us-ascii?q?BOIJwg19KgXaCYYEeGoFBP4E4DBCCTT6CXAEBhHUzgi2SeIZenEEKgmKaCwM?= =?us-ascii?q?VCZ97jWGjagIEAgQFAg4BAQWBaiOBV3AVOyoBgj5QFwINjh+DcYUUhUJ0NwI?= =?us-ascii?q?GAQcBAQMJfI9YAQE?=
X-IronPort-AV: E=Sophos;i="5.75,435,1589241600"; d="scan'208,217";a="537881375"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 04 Aug 2020 20:41:49 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 074KfnGU012216 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 4 Aug 2020 20:41:49 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 Aug 2020 15:41:48 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 Aug 2020 16:41:47 -0400
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Tue, 4 Aug 2020 16:41:47 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BKX0sNLzAI8GBif4fhNIlTQZw4L8H1OTTLp6Xkm1KjPqIlRmyypEONMDGjrrZcMOoi0/jNB8hO/v2+lTcg8Yz3ZCcNGzt1A2yJ92owVMJOQR0nfRUzbTzlRT+nBUcEX631Yxs2Xx4XgmgEUmhoJQrBGszXnDNtXN7AkHsBMhDpUo+4eat0QoZZADeMTGq0aHpirFFBZsrPWDOgUVxkJJzTH29AN3g9h6tu/Cs2+LyqJaVnWN9HuCUndv7Qwv3/s9gO7fM/otYE/z7h4bi4cr8TuIKkyuoWFDkycTQ5fn/xjlB99V7dUWAIfn94/tmsq9BTu4DGn9Gp3sU6ply4mJVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dtJi3rBKlhIir7sjsIkpi8c6Pv+x57091lkNhOqq4ao=; b=e8ltU1RYYwSJOSFWC0fz5NWbE5CCV1cXriIs/YOjwOqnLa5cDlz19+M1UoxAwG2b8hmLaVtD99XpVb+k4MGgpXXHHbFppdUazLrjGnTWaQAndT7Xs10WS7dXILHh345w/MqG5du/tebrbsjpRaahFpC/nO1669NsX74D+kV92yFr2mG/nXZulct9hcOg3GWHpWcA2nnhq9+2dEgOGiOhNJpDzBaXVrq6B0EbmdPdWjBH3fbh6FER0r3NDC8+Wo6frG0U0dhcFvv9vSR3iM9qiH77ry4aMC1+8zlAr86VDR3ceVYb0C2ORUXm8cZeieRcszT4Fttgl0Dzq9TWuCLCIg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dtJi3rBKlhIir7sjsIkpi8c6Pv+x57091lkNhOqq4ao=; b=Dim4Pddbd/4KT2JpYXwCgltqSipJIeU3NwaUJcIMsoOdXWLASrJum5h956JhBEXIV/9aS5sSQAWeHoKui+QYeX+fUpR1qJljlPtbTlFqHQsx5Me4mGitRDko1AVU0Ek5ejH7HI6NPMGAA09LWzOJ4URl6OglfiH2VCmTS0giFyM=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (2603:10b6:208:ea::31) by MN2PR11MB3759.namprd11.prod.outlook.com (2603:10b6:208:f2::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.20; Tue, 4 Aug 2020 20:41:46 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::a53e:5801:92cc:3204]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::a53e:5801:92cc:3204%5]) with mapi id 15.20.3239.022; Tue, 4 Aug 2020 20:41:46 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Ted Lemon <mellon@fugue.com>
CC: Gert Doering <gert@space.net>, Michael Richardson <mcr+ietf@sandelman.ca>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: [v6ops] SLAAC security concerns
Thread-Index: AdZqh2IDVN0JAX5fTSutty/fgHiG3AAEFP4AAAERSgAAAOwUNw==
Date: Tue, 4 Aug 2020 20:41:46 +0000
Message-ID: <E26455BF-5BA3-4382-AF1D-04698E8BC53A@cisco.com>
References: <f52c4463862f44b5ba2a9d41db86d231@huawei.com> <20200804194448.GA2485@Space.Net>, <6370DE53-9EC6-4141-97C6-3B223939012A@fugue.com>
In-Reply-To: <6370DE53-9EC6-4141-97C6-3B223939012A@fugue.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: space.net; dkim=none (message not signed) header.d=none;space.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2a01:cb15:25e:cc00:6914:eede:94b8:2d56]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a3b97325-e1a0-457e-fc40-08d838b6ce1c
x-ms-traffictypediagnostic: MN2PR11MB3759:
x-microsoft-antispam-prvs: <MN2PR11MB37592D602C20FA600B4428F7D84A0@MN2PR11MB3759.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 02kKEnCDbxSPCcX7I4TAT4UGaYTw2pe6O3UgqnCLAnItUS1n4ahd3hIeSgAek533wFKgw5YwrEWRUflCXAH52NEn9iJoL9MD6hQZmyNMpIvS7315bTjMdcz+SmdD7Do/beGmdJfuYbC8QTQySyMy3MSerY51S4af6ZAVUvq95T+UX8kcS0KAQ0l2Bra4GgD2wsovS8tNPeAH+anESTI3Raa5yWW62ClaDEZnZ371L1T3lK6Ib9jmhCjaCk3SGG3X0JDaSXR6Bce5UnqdrCnSvNpUVPFjNRLqvQ1q+TcMckpiw7Mk9g/la5BnhPCce+PgPhyfU2u/gnUsbpHbNU2tyms37Err1qZX4XmtqMbikgncpUX2lf1luvoULNcXsbdob8tvK6cW3gyCoBlu/fgbvZZIzF2/83OkRVbEly7kOOAtqyDQG8qHXPgd9XLdrrFBKIJdBUvjkIZMqBkJGX6D7Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB3565.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(346002)(366004)(396003)(136003)(376002)(91956017)(53546011)(316002)(36756003)(478600001)(71200400001)(4326008)(186003)(6506007)(8676002)(966005)(8936002)(5660300002)(2906002)(86362001)(54906003)(33656002)(66556008)(66946007)(66446008)(2616005)(66574015)(6916009)(6512007)(76116006)(6486002)(66476007)(64756008)(244885003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: pQaTF0SeEljI/c2SfY+Q1nDNBhyHJsTbdwZ1KxRqLM4WdLquFihcb/THmHBWmjRpovo92YuvXxmcDzGHpSly+ozx/pFcGi0LHiE1Z1x5nkeksrNgdC0P4kUgqmeIwSOUYztR2sbc9cgOd/O0M4nA7T2OHk/3vZLykAqOgQFUG4EgNrZq9ZiygCtvO3YaupoSB2Rk5KWZQ9dIbVp3o/NMDjpMIGIbTG1k2mCHfCTZCjUETRjfmLs+lHdRcjQVHdm7EeduWdppTaFGfwW8tJxoxC9EdBleRI/jfE75IlrREXeEvVvF1KzdREud5XmWvDSOxmhUP27aaJ7mOHbh3F2AZn8Gf6RyxFV9qdJ40n90DgMkcdFX7F34m3acr1dF/ang5lrTRPAQQVAidac+F3Bo3rLPXvLh+Wr3aPfpt8B67GpfiEJpkuXXZjk7Zy2Nz5lvmyxi+RoGQT2aJZ5+PHmy73jnxZrEL18WxLkMjUjih9S0tbeY+roGrOkMjYg0/huH/Jk09vNe7HgltHkaJRrfl49AVqe+2P85W71lAhNfNZ6li/sSKg9wDibAVzGwj3vXvf5mnfRw4LYuLlUYqAP3OViBMbZNcOu4dCsXB1ti7VHPZoswuR49tmSV09UYuhdCYd0hzyOJ1A6p5U112g3QVWYLqkJ28lVyUFvYy5LQD0wY3EMOby505fWlLfSGi2839PuHSarRycIn/FbL9LinsA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_E26455BF5BA34382AF1D04698E8BC53Aciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB3565.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a3b97325-e1a0-457e-fc40-08d838b6ce1c
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2020 20:41:46.5774 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mmx9UGuTeHZAcna+GjL18dAcPSElSG+VXDpv8TnMvfqChwrNqzDgyAYADB5+s4VV4gjCibzbLKd1unXuC5sgyQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3759
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Lis1y-wn8W-aNTrwASkMm6z6DJo>
Subject: Re: [v6ops] SLAAC security concerns
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 20:41:55 -0000

Talking about multicast might be misleading. Has anyone deployed L2 multicast? IEEE people told me they designed one and that after some hiccups it was made to work but not much implemented and deployed.

Even then this is pushing the scalability problem one layer down not solving it, like almost as many groups as there are addresses so what’s the point?

Else for all I know we are mostly broadcasting any DAD and lookup over the whole L2, causing storms and wasting the wireless bandwidth. This is also a major pain point for the deployment of large multi site fabrics.

Disclaimer: I have not seen IGMP snooping successfully turned on for link scope multicast; unclear if and how that can help or if as hinted in this thread it should be turned off. I’d be interested in return from experience there :)

Keep safe,

Pascal

Le 4 août 2020 à 22:17, Ted Lemon <mellon@fugue.com> a écrit :

 On Aug 4, 2020, at 3:44 PM, Gert Doering <gert@space.net<mailto:gert@space.net>> wrote:
There is too many broken switch vendors out there that show again and
again that "implementing multicast is hard", breaking IPv6 ND in the
process.

Why don’t you return that switch for a refund?

(I’ve never run into a switch that had trouble with IPv6 multicast, but admittedly I only have four different switches in my house, so that’s not a very big sample.)

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops