Re: [v6ops] Question regarding RA-Guard evasion (ND and extension headers)
Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Fri, 24 June 2011 04:30 UTC
Return-Path: <ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3733811E8197; Thu, 23 Jun 2011 21:30:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.795
X-Spam-Level:
X-Spam-Status: No, score=-1.795 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DnUo0D4gj7yc; Thu, 23 Jun 2011 21:30:09 -0700 (PDT)
Received: from smtp2.adam.net.au (smtp2.adam.net.au [202.136.110.251]) by ietfa.amsl.com (Postfix) with ESMTP id EDB1011E80AF; Thu, 23 Jun 2011 21:30:08 -0700 (PDT)
Received: from 114-30-114-141.ip.adam.com.au ([114.30.114.141] helo=opy.nosense.org) by smtp2.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1QZy1m-0003Gr-Kr; Fri, 24 Jun 2011 13:59:58 +0930
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id 048653B33E; Fri, 24 Jun 2011 13:59:58 +0930 (CST)
Date: Fri, 24 Jun 2011 13:59:57 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: Fernando Gont <fernando@gont.com.ar>
Message-ID: <20110624135957.0664aa5e@opy.nosense.org>
In-Reply-To: <4E0401AD.8070108@gont.com.ar>
References: <282787FA-C418-430C-B473-152B4FFE900C@gmail.com> <m1QZLSP-0001h8C@stereo.hq.phicoh.net> <20110622210451.60ad8bce@opy.nosense.org> <4E0401AD.8070108@gont.com.ar>
X-Mailer: Claws Mail 3.7.9 (GTK+ 2.24.5; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org, ipv6@ietf.org
Subject: Re: [v6ops] Question regarding RA-Guard evasion (ND and extension headers)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2011 04:30:10 -0000
Hi Fernando, On Fri, 24 Jun 2011 00:17:01 -0300 Fernando Gont <fernando@gont.com.ar> wrote: > On 06/22/2011 08:34 AM, Mark Smith wrote: > > >> I think it is a bit ironic that if a L2 device has to parse all extension > >> headers, that then L2 switching of IPv6 packets will be more expensive that > >> L3 routing them. > > > > It may be getting to the point where it'd probably be easier > > to address these issues by taking away hosts' ability to multicast to > > other hosts on the same segment i.e. switch to an NBMA/hub-and-spoke > > mode of LAN operation, allowing the designated routers to also act as > > traffic sanitisers for on-link inter-host traffic. > > Two comments: > > * Hosts would still need to multicast RSs Yes, but the layer 2 device only delivers those multicast RSes to ports that it has been told are attached to authorised routers. > * This does nto prevent attackers from sending ND packets *unicast* to > their victims. > Actually it can. Have a look at the following - http://tools.ietf.org/html/draft-ietf-6man-dad-proxy-01 The layer 3 hub-and-spoke forwarding topology described can also be and is likely to also be enforced at layer 2, by preventing layer 2 forwarding of traffic between designated host ports, limiting it to host port to router port, or router port to host port. It's interesting to look back on where we've come from. On simple 10BASE2 and earlier Ethernet, broadcast/multicast was cheap, because it was the inherent nature of it's bus topology. After we moved to bridges/switches with individual devices attached to each port, this broadcast/multicast capability had to be actively emulated, because a star topology does not have a natural broadcast/multicast capability. Implementing hub-and-spoke forwarding paths in a bridge/switch is not much more than reducing the requirement to emulate something that fundamentally wasn't natural in the first place. Regards, Mark.
- Re: [v6ops] Question regarding RA-Guard evasion (… RJ Atkinson
- Re: [v6ops] Question regarding RA-Guard evasion (… RJ Atkinson
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Philip Homburg
- Re: [v6ops] Question regarding RA-Guard evasion (… RJ Atkinson
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… RJ Atkinson
- Re: [v6ops] Question regarding RA-Guard evasion (… Joel Jaeggli
- Re: [v6ops] Question regarding RA-Guard evasion (… Templin, Fred L
- Re: [v6ops] Question regarding RA-Guard evasion (… Fred Baker
- Re: [v6ops] Question regarding RA-Guard evasion (… Ted Lemon
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… Ted Lemon
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Ray Hunter
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Tim Chown
- Re: [v6ops] Question regarding RA-Guard evasion (… Ray Hunter
- Re: [v6ops] Question regarding RA-Guard evasion (… Ted Lemon
- Re: [v6ops] Question regarding RA-Guard evasion (… Manfredi, Albert E
- Re: [v6ops] Question regarding RA-Guard evasion (… Ted Lemon
- Re: [v6ops] Question regarding RA-Guard evasion (… Manfredi, Albert E
- Re: [v6ops] Question regarding RA-Guard evasion (… Ted Lemon
- Re: [v6ops] Question regarding RA-Guard evasion (… Philip Homburg
- Re: [v6ops] Question regarding RA-Guard evasion (… Ted Lemon
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Andrews
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… David Farmer
- Re: [v6ops] Question regarding RA-Guard evasion (… Fernando Gont
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Mikael Abrahamsson
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… Philip Homburg
- Re: [v6ops] Question regarding RA-Guard evasion (… Philip Homburg
- Re: [v6ops] Question regarding RA-Guard evasion (… Fernando Gont
- Re: [v6ops] Question regarding RA-Guard evasion (… David Farmer
- Re: [v6ops] Question regarding RA-Guard evasion (… Fernando Gont
- Re: [v6ops] Question regarding RA-Guard evasion (… Mark Smith
- Re: [v6ops] Question regarding RA-Guard evasion (… Fernando Gont
- Re: [v6ops] Question regarding RA-Guard evasion (… Joel Jaeggli