Re: RFC 5006 and draft-ietf-v6ops-rogue-ra-01

Tim Chown <tjc@ecs.soton.ac.uk> Wed, 09 June 2010 13:33 UTC

References: <291B137B-7316-49A9-8C19-A606DCFCD019@wisc.edu> <5A07BF4F-33AB-4DB5-847B-EA1DF944C9C3@ecs.soton.ac.uk>
In-Reply-To: <291B137B-7316-49A9-8C19-A606DCFCD019@wisc.edu>
Message-ID: <EMEW3|561d2bae90c9ddf8f65add274697b1eem58ESQ03tjc|ecs.soton.ac.uk|5A07BF4F-33AB-4DB5-847B-EA1DF944C9C3@ecs.soton.ac.uk>
From: Tim Chown <tjc@ecs.soton.ac.uk>
Subject: Re: RFC 5006 and draft-ietf-v6ops-rogue-ra-01
Date: Wed, 09 Jun 2010 14:28:24 +0100
To: v6ops@ops.ietf.org

On 8 Jun 2010, at 22:24, Dale W. Carder wrote:

> In the latest version of draft-ietf-v6ops-rogue-ra-01, section
> 5.5 talks about recovering from an invalid configuration state
> w.r.t. the M & O bits.
>
> Should the document also mention that the host may also have
> incorrect, non-functional, or potentially malicious DNS
> configuration due to the host believing bogus RFC 5006
> advertisements?  The host may also need to recover from this
> as well.


So that's a good question. When the rogue RA draft was first written, RFC 5006 was, I recall, itself a draft in its infancy. It's pretty clear that a rogue RA may also be an RA with 'bad' DNS resolver information in it.

We could add text about this. That would involve some mention of the problem in Section 1 (introduction), perhaps a brief discussion as an extra point in Section 5, and adding the mitigation mentioned in draft-ietf-6man-dns-options-bis-02 of disabling the host from processing DNS options in the RA (assuming the host implementation supports that, of course, which isn't a MUST in the draft as far as I can see). Other than that, I think the text in the draft about rogue RA 'badness' is generic enough to cover bad DNS information. I'm happy to work with Stig on such text if it's deemed useful, and it won't hold up publication too much more.

I note that draft-ietf-6man-dns-options-bis-02, which passed 6man WG last call, makes no reference to the rogue RA draft in its own security discussion, and also no mention of RA Guard.

Tim
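As an added illustration of the point raised in this thread (not code from the draft authors or the list), the following parses an ICMPv6 Router Advertisement, extracts the M/O flags and any RFC 5006 RDNSS option (type 25), and flags advertised resolvers that are not in a site's trusted set. The sample RA bytes and the trusted resolver list are constructed for offline use; the checksum is left zero.

```python
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 RA message type
OPT_RDNSS = 25                      # RFC 5006 Recursive DNS Server option type

@dataclass
class RouterAdvertisement:
    m_flag: bool                    # Managed address configuration
    o_flag: bool                    # Other configuration
    router_lifetime: int
    rdnss_lifetime: Optional[int] = None
    rdnss: List[str] = field(default_factory=list)

def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse an RA (ICMPv6 header onwards) and collect RDNSS addresses from its options."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _t, _c, _csum, _hlim, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    ra = RouterAdvertisement(bool(flags & 0x80), bool(flags & 0x40), lifetime)
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        end = off + olen * 8             # option length is in units of 8 octets
        if olen == 0 or end > len(payload):
            raise ValueError("malformed option")   # RFC 4861: discard such packets
        body = payload[off + 2:end]      # option body after type/length bytes
        if otype == OPT_RDNSS:
            ra.rdnss_lifetime = struct.unpack("!I", body[2:6])[0]   # skip 2 reserved bytes
            addrs = body[6:]
            ra.rdnss += [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                         for i in range(0, len(addrs) - 15, 16)]
        off = end
    return ra

def rogue_rdnss(ra: RouterAdvertisement, trusted_resolvers) -> List[str]:
    """Resolvers the RA pushes to hosts that are not on the site's expected list."""
    trusted = {str(ipaddress.IPv6Address(a)) for a in trusted_resolvers}
    return [a for a in ra.rdnss if a not in trusted]

def build_ra(rdnss=(), lifetime=1800, flags=0) -> bytes:
    """Constructed sample RA for testing; checksum zeroed, one RDNSS option if addresses given."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, lifetime, 0, 0)
    opt = b""
    if rdnss:
        opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600)
        opt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return hdr + opt
```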