Re: [v6ops] PD to hosts [was: DAD again [was: draft-ietf-v6ops-host-addr-availability discussion] ]

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 16 November 2015 17:26 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: PD to hosts [was: DAD again [was: draft-ietf-v6ops-host-addr-availability discussion] ]
Thread-Index: AQHRIJDFYIkt6ik5zUK0JBRfmgHKsJ6e4qQA
Date: Mon, 16 Nov 2015 17:26:22 +0000
Message-ID: <2134F8430051B64F815C691A62D9831832F4CF07@XCH-BLV-504.nw.nos.boeing.com>
References: <m1ZyNBq-0000HnC@stereo.hq.phicoh.net>
In-Reply-To: <m1ZyNBq-0000HnC@stereo.hq.phicoh.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/MtzIIeVeY2SUTkr11Njn1CC9Ucw>

Hi Philip,

> -----Original Message-----
> From: pch-bBB316E3E@u-1.phicoh.com [mailto:pch-bBB316E3E@u-1.phicoh.com] On Behalf Of Philip Homburg
> Sent: Monday, November 16, 2015 9:04 AM
> To: v6ops@ietf.org
> Cc: Templin, Fred L; Hemant Singh (shemant)
> Subject: PD to hosts [was: DAD again [was: draft-ietf-v6ops-host-addr-availability discussion] ]
> 
> >This is starting to diverge from the case I originally intended this discussion to
> >examine. The case I am interested in is as follows:
> >
> >- Node N receives a /64 prefix delegation for prefix P over interface eth0.
> >- N assigns P to the lo interface as a /64 route. This is done to black-hole
> >   unused portions of P.
> >- N configures address A from prefix P, and assigns it to eth0.
> >- N need not perform DAD for A over eth0, because the delegating router
> >   has made sure that the routing system will route all packets with a
> >   destination address from P to node N, and not to any other node.
> >
> >In this way, N can function as an ordinary host according to the strong end
> >system model even though it acted as a "requesting router" in procuring a
> >prefix from the delegating router. No other node X on the same link as
> >N can therefore configure an address from P and have the routing system
> >return packets to X. In fact, any node X that configures an address from P
> >can be considered an "attacker", and the use or non-use of DAD has no
> >way of preventing that. In fact, the use of DAD could give X a clue as to
> >which addresses from P are ripe for attacking. So, it is in fact better to
> >NOT do DAD.
> 
> I have two questions about this, sort of unrelated to DAD (so I changed the
> subject).
> 
> 1) How do packets reach the host? Is that documented somewhere?

RFC3633 is largely silent on this, but when P is delegated to N, it is
implied that the delegating router must somehow inject information
into the routing system that will guide packets with destination
address A to N.

>    I assume that in this case a router will send packets with destination
>    prefix P to the link local address of N. But is that specified somewhere?

That is correct, but again RFC3633 is largely silent.

> 2) If a node M on the same ethernet link wants to communicate with address
>    A, it creates a destination cache entry for A picking a default router
>    as next hop (because P is not onlink). Later, A can send the reply
>    directly to M if M's address is onlink. That is likely to cause a
>    neighbor cache entry for A at M, which will not be used because the
>    destination cache entry is still in place.

In this instance, the default router would return a Redirect to M to inform
it that N is a better first hop for reaching address A. The Redirect would
cause M to update its destination cache accordingly.

Thanks - Fred
fred.l.templin@boeing.com

>    Not good if you ever want to debug something.
>
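The forwarding and neighbour-discovery state that the exchange above walks through (the delegating router steering P toward N's link-local address, N holding P on lo as a black hole with A as a more specific local route, and M reaching A through its default router until that router sends a Redirect) can be modelled in a few lines. The block below is an added example, not code from this thread or from any of the participants; it is a simplified Python model of the RFC 4861 host data structures (prefix list, default router list, destination cache, Redirect validation) and of longest-prefix-match forwarding, using constructed RFC 3849 documentation addresses. Representing "P on lo" as a blackhole action and choosing N's link-local address as the Redirect target are both assumptions made for the illustration.

```python
import ipaddress

# Constructed (RFC 3849 documentation) values for the scenario in the thread.
P = ipaddress.IPv6Network("2001:db8:1::/64")      # prefix delegated to N
A = ipaddress.IPv6Address("2001:db8:1::a")         # address N configures from P
R_LL = ipaddress.IPv6Address("fe80::1")            # delegating/default router, link-local
N_LL = ipaddress.IPv6Address("fe80::2")            # node N, link-local (assumed)
M_LL = ipaddress.IPv6Address("fe80::3")            # neighbour M on the same link


def longest_match(table, dest):
    """Longest-prefix match over {IPv6Network: action}; None if nothing matches."""
    dest = ipaddress.IPv6Address(dest)
    best = None
    for net in table:
        if dest in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return table[best] if best is not None else None


# Routing state after delegation. The delegating router points P at N's
# link-local address (the behaviour the thread says RFC 3633 leaves implicit).
# N holds P as a blackhole so the undelegated remainder of P is dropped, while
# A itself is a /128 local route that wins by longest match.
ROUTER_TABLE = {P: ("via", N_LL)}
N_TABLE = {P: ("blackhole", None),
           ipaddress.IPv6Network(f"{A}/128"): ("local", None)}


class Host:
    """Minimal RFC 4861 host: prefix list, default router list, destination cache."""

    def __init__(self, link_local, onlink_prefixes, default_routers):
        self.link_local = ipaddress.IPv6Address(link_local)
        self.prefix_list = [ipaddress.IPv6Network(p) for p in onlink_prefixes]
        self.default_routers = [ipaddress.IPv6Address(r) for r in default_routers]
        self.destination_cache = {}   # destination address -> next-hop address

    def next_hop(self, dest):
        """RFC 4861 s5.2: cache hit, else on-link check, else a default router."""
        dest = ipaddress.IPv6Address(dest)
        if dest in self.destination_cache:
            return self.destination_cache[dest]
        if dest.is_link_local or any(dest in p for p in self.prefix_list):
            nh = dest                       # on-link: deliver directly
        else:
            nh = self.default_routers[0]    # off-link: send via a default router
        self.destination_cache[dest] = nh
        return nh

    def receive_redirect(self, src, dest, target):
        """RFC 4861 s8.1 validation, then the s8.3 destination-cache update."""
        src, dest, target = map(ipaddress.IPv6Address, (src, dest, target))
        # The Redirect must come from a link-local source that is the current
        # first hop for dest; anything else is discarded.
        if not src.is_link_local or self.destination_cache.get(dest) != src:
            return False
        # Target is either a link-local router address or dest itself (on-link).
        if not (target.is_link_local or target == dest):
            return False
        self.destination_cache[dest] = target
        return True


def walk_packet_from_m():
    """Trace M -> A before and after the router's Redirect; returns the hops seen."""
    m = Host(M_LL, onlink_prefixes=["2001:db8:2::/64"], default_routers=[R_LL])
    first_hop = m.next_hop(A)                      # P is not on-link for M -> R
    at_router = longest_match(ROUTER_TABLE, A)     # R forwards toward N's link-local
    at_n = longest_match(N_TABLE, A)               # N delivers A locally
    accepted = m.receive_redirect(R_LL, A, N_LL)   # R tells M: N is a better first hop
    return first_hop, at_router, at_n, accepted, m.next_hop(A)


if __name__ == "__main__":
    print(walk_packet_from_m())
    print(longest_match(N_TABLE, "2001:db8:1::beef"))   # unused part of P
```

Running `walk_packet_from_m()` shows the path M takes before the Redirect (default router R, which forwards to N's link-local, where the /128 wins over the /64 blackhole) and the updated destination-cache entry afterwards; the second print shows that any other address in P dies at N's blackhole rather than being routed anywhere else, which is the property that lets N skip DAD in this setup.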