Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache
David Lamparter <equinox@diac24.net> Tue, 23 July 2019 00:00 UTC
Return-Path: <equinox@diac24.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35472120094 for <v6ops@ietfa.amsl.com>; Mon, 22 Jul 2019 17:00:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0PKofWWasLp for <v6ops@ietfa.amsl.com>; Mon, 22 Jul 2019 17:00:53 -0700 (PDT)
Received: from eidolon.nox.tf (eidolon.nox.tf [IPv6:2a07:2ec0:2185::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B32AA120045 for <v6ops@ietf.org>; Mon, 22 Jul 2019 17:00:53 -0700 (PDT)
Received: from equinox by eidolon.nox.tf with local (Exim 4.92) (envelope-from <equinox@diac24.net>) id 1hpiEb-000lIn-RB; Tue, 23 Jul 2019 02:00:50 +0200
Date: Tue, 23 Jul 2019 02:00:49 +0200
From: David Lamparter <equinox@diac24.net>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: v6ops list <v6ops@ietf.org>
Message-ID: <20190723000049.GJ34551@eidolon.nox.tf>
References: <20190722213727.GI34551@eidolon.nox.tf> <CAO42Z2zn-V9HrKGDC_api7BE4Sy6jmcrfKR7nbnSrHA5NpxYjQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAO42Z2zn-V9HrKGDC_api7BE4Sy6jmcrfKR7nbnSrHA5NpxYjQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/dPnnaAh0ODKWe4G2uLJpIoZHW7Y>
Subject: Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 00:00:56 -0000
On Tue, Jul 23, 2019 at 09:13:19AM +1000, Mark Smith wrote: > On Tue., 23 Jul. 2019, 07:37 David Lamparter, <equinox@diac24.net> wrote: > > I'm generating a privacy address. I do DAD for it, and I send it to, > > say, ff02::1:ffc6:3a4b. On shitty networks, this will be a broadcast, > > so everyone knows the address I'm using and can associate the MAC. But > > on non-shitty networks, it doesn't go anywhere because no one is > > interested in that particular group. [...] > > The third option is for the router to pick up all DAD groups. It > > certainly won't report /ALL/ DAD groups in MLD, so this would break if > > you have MLD-snooping switches... unless you configure multicast routing > > properly with "all multicast on router ports". > > > > Is there another choice? How about ff02::16 (All MLDv2-capable routers)? > > > > Why not have routers on the link learn of a node's link-local address via > source addresses of the node's RSes and MLDv2 joins, and then have the > routers query the node via unicast for all its other addresses. Neither of these contains the global address(es) that a host generated, so you would need... > There's already two ways the unicast query could be supported to collect > the node's other addresses, via ICMPv6 Node Information queries (RFC 4620) > , or Inverse ND (RFC 3122). ... either of these options, which I strongly hope no one implements because then I can just chuck all my privacy considerations straight out the window... (Coincidentally, I'm pretty sure most hosts won't respond to either of these two.) I'm tentatively in the DAD snooping camp, but this is a tricky problem. My decision tree for DAD is this: 1. do you have a network with multicast snooping / limited multicast propagation? => No: your router sees all DAD anyway, but also your privacy is already f*cked from the DADs you sent. Either way we're not making it worse by picking the DADs up on the router. End tree. => Yes: it seems someone configured multicast. (You don't get this without config, it's a bit of a PITA honestly.) Proceed to 2. 2. is whoever configured multicast competent? => No: you're screwed already because broken multicast is broken DAD. So if not all DAD makes it to the router, some or all clients will experience connectivity delays. ff02::1 or ff02::2 could /lessen/ these issues, but they come with their own bag of troubles and your broken multicast setup might be messing with them anyway. => Yes: the competent person needs to understand that unicast routers need to receive all multicast traffic in order to catch and snoop DAD. Set the "multicast router present" bits on the appropriate ports on your L2 devices and you're golden. Also, this is the only scenario where some measure of address privacy can be provided, since this is the only scenario in which DAD wouldn't turn into a broadcast, and it remains so even with the router picking up all DAD. -David
- [v6ops] privacy point re. unsolicited NA / router… David Lamparter
- Re: [v6ops] privacy point re. unsolicited NA / ro… Mark Smith
- Re: [v6ops] privacy point re. unsolicited NA / ro… David Lamparter
- Re: [v6ops] privacy point re. unsolicited NA / ro… Mark Smith
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Sander Steffann
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Sander Steffann
- Re: [v6ops] privacy point re. unsolicited NA / ro… David Lamparter
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Nick Hilliard
- Re: [v6ops] privacy point re. unsolicited NA / ro… Fred Baker
- Re: [v6ops] privacy point re. unsolicited NA / ro… Mark Smith
- Re: [v6ops] privacy point re. unsolicited NA / ro… Jen Linkova
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Pascal Thubert (pthubert)