Re: [v6ops] SLAAC renum: Problem Statement & Operational workarounds

Owen DeLong <owen@delong.com> Tue, 29 October 2019 02:58 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 015FD120046 for <v6ops@ietfa.amsl.com>; Mon, 28 Oct 2019 19:58:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.999
X-Spam-Level:
X-Spam-Status: No, score=-6.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mMWpOd4kK45z for <v6ops@ietfa.amsl.com>; Mon, 28 Oct 2019 19:58:29 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 99B3512008D for <v6ops@ietf.org>; Mon, 28 Oct 2019 19:58:29 -0700 (PDT)
Received: from [172.20.0.85] (rrcs-97-79-186-2.sw.biz.rr.com [97.79.186.2]) (authenticated bits=0) by owen.delong.com (8.15.2/8.15.2) with ESMTPSA id x9T2wQMW028968 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Oct 2019 19:58:27 -0700
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com x9T2wQMW028968
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1572317909; bh=IoyhnknFiFkNM6tW/WK/9diygnK5jlzVCXz7YHc8Dcs=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=HqWgqIhDNnh2xXcS+iaQyNHkRlPcoV6iQRZdJcpGpaUY7IhuRoUnMNeZ3+DBxXIRb tKeJRXXjqdhtPnMo8wZvkw/9U2r/dRBq0Fn2Fn+Ti+RIINLzWZqH/zpiqE6v3Thrhq S0CNZ1S8oC+1MXBVhcedSXt55x0dbt1lJXXjlG2M=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <m1iOokE-0000KvC@stereo.hq.phicoh.net>
Date: Mon, 28 Oct 2019 19:58:26 -0700
Cc: v6ops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <670EDAE2-D472-45BB-9888-27D0D03BEEB9@delong.com>
References: <CAO42Z2yQ_6PT3nQrXGD-mKO1bjsW6V3jZ_2kNGC2x586EMiNZg@mail.gmail.com> <B53CE471-C6E8-4DC1-8A72-C6E23154544F@fugue.com> <m1iOk6q-0000IyC@stereo.hq.phicoh.net> <855496CB-BF7E-41E6-B273-41C4AA771E41@fugue.com> <m1iOokE-0000KvC@stereo.hq.phicoh.net>
To: Philip Homburg <pch-v6ops-9@u-1.phicoh.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (owen.delong.com [192.159.10.2]); Mon, 28 Oct 2019 19:58:29 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Zp4atq0BDBa44gFlSPsVSu-BjbY>
Subject: Re: [v6ops] SLAAC renum: Problem Statement & Operational workarounds
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 02:58:31 -0000


> On Oct 27, 2019, at 1:02 PM, Philip Homburg <pch-v6ops-9@u-1.phicoh.com>; wrote:
> 
>>   I think you missed my point.  You can't do flash renumbering by
>>   advertising a prefix with a valid lifetime of zero, because that
>>   will be ignored by hosts.   If it were not ignored by hosts, it
>>   would be a very effective DoS vector.    And so if you want to
>>   be able to flash deprecate a route, you need some way to validate
>>   that the deprecation is coming from the same source as the route.
>>   Hence my suggested "limited SEND".
> 
> Today, you can deprecate a prefix by sending an RA with the preferred lifetime
> set to zero. That is enough to get IPv6 at the same level as IPv4.

No, this only deprecates it for new sessions. Existing sessions will still need to time
out before they stop trying to use the old prefix. In an ideal world, a mechanism to
signal the need to immediately error out such existing sessions is preferable.

> Without RA-guard or SEND there are already quite a lot of opportunities to
> perform both a denial of service attack and a man in the middle attack
> on a local LAN.

This is equally true in both IPv4 and IPv6.

> I'm not sure if the protection against advertising a zero valid lifetime
> is actually worth it. Any network that worries about local malicious 
> hosts probably already uses RA-guard (or possibly SEND). 

One would certainly hope so.

> In any case, it doesn't matter to the CPE whether the host will accept
> zero valid time or not. The CPE can just send them and then a separate
> document can either instruct hosts to accept all RAs with zero valid time
> or require some for of SEND.

Agreed.

> The key thing is that without any protocol modifications we can get IPv6
> at the same level as IPv4. 
> 
> If we make more extensive modifications to the host, then there is no 
> reason to rely on RA timers and the host could handle unmodified CPEs.

I don’t think such a solution is as likely to succeed or be widely deployed in the
near term.

Updating CPEs is generally a much more dependable and faster process than
updating all hosts.

Owen