IETF Logo Mail Archive

Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache

David Lamparter <equinox@diac24.net> Tue, 23 July 2019 00:00 UTC

Return-Path: <equinox@diac24.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35472120094 for <v6ops@ietfa.amsl.com>; Mon, 22 Jul 2019 17:00:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0PKofWWasLp for <v6ops@ietfa.amsl.com>; Mon, 22 Jul 2019 17:00:53 -0700 (PDT)
Received: from eidolon.nox.tf (eidolon.nox.tf [IPv6:2a07:2ec0:2185::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B32AA120045 for <v6ops@ietf.org>; Mon, 22 Jul 2019 17:00:53 -0700 (PDT)
Received: from equinox by eidolon.nox.tf with local (Exim 4.92) (envelope-from <equinox@diac24.net>) id 1hpiEb-000lIn-RB; Tue, 23 Jul 2019 02:00:50 +0200
Date: Tue, 23 Jul 2019 02:00:49 +0200
From: David Lamparter <equinox@diac24.net>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: v6ops list <v6ops@ietf.org>
Message-ID: <20190723000049.GJ34551@eidolon.nox.tf>
References: <20190722213727.GI34551@eidolon.nox.tf> <CAO42Z2zn-V9HrKGDC_api7BE4Sy6jmcrfKR7nbnSrHA5NpxYjQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAO42Z2zn-V9HrKGDC_api7BE4Sy6jmcrfKR7nbnSrHA5NpxYjQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/dPnnaAh0ODKWe4G2uLJpIoZHW7Y>
Subject: Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 00:00:56 -0000

On Tue, Jul 23, 2019 at 09:13:19AM +1000, Mark Smith wrote:
> On Tue., 23 Jul. 2019, 07:37 David Lamparter, <equinox@diac24.net> wrote:
> > I'm generating a privacy address.  I do DAD for it, and I send it to,
> > say, ff02::1:ffc6:3a4b.  On shitty networks, this will be a broadcast,
> > so everyone knows the address I'm using and can associate the MAC.  But
> > on non-shitty networks, it doesn't go anywhere because no one is
> > interested in that particular group.
[...]
> > The third option is for the router to pick up all DAD groups.  It
> > certainly won't report /ALL/ DAD groups in MLD, so this would break if
> > you have MLD-snooping switches... unless you configure multicast routing
> > properly with "all multicast on router ports".
> >
> > Is there another choice? How about ff02::16 (All MLDv2-capable routers)?
> >
> 
> Why not have routers on the link learn of a node's link-local address via
> source addresses of the node's RSes and MLDv2 joins, and then have the
> routers query the node via unicast for all its other addresses.

Neither of these contains the global address(es) that a host generated,
so you would need...

> There's already two ways the unicast query could be supported to collect
> the node's other addresses, via ICMPv6 Node Information queries (RFC 4620)
> , or Inverse ND (RFC 3122).

... either of these options, which I strongly hope no one implements
because then I can just chuck all my privacy considerations straight out
the window...

(Coincidentally, I'm pretty sure most hosts won't respond to either of
these two.)



I'm tentatively in the DAD snooping camp, but this is a tricky problem.
My decision tree for DAD is this:

1. do you have a network with multicast snooping / limited multicast
   propagation?

=> No: your router sees all DAD anyway, but also your privacy is already
   f*cked from the DADs you sent.  Either way we're not making it worse
   by picking the DADs up on the router.  End tree.

=> Yes: it seems someone configured multicast.  (You don't get this
   without config, it's a bit of a PITA honestly.)  Proceed to 2.

2. is whoever configured multicast competent?

=> No: you're screwed already because broken multicast is broken DAD.
   So if not all DAD makes it to the router, some or all clients will
   experience connectivity delays.  ff02::1 or ff02::2 could /lessen/
   these issues, but they come with their own bag of troubles and your
   broken multicast setup might be messing with them anyway.

=> Yes: the competent person needs to understand that unicast routers
   need to receive all multicast traffic in order to catch and snoop
   DAD.  Set the "multicast router present" bits on the appropriate
   ports on your L2 devices and you're golden.  Also, this is the only
   scenario where some measure of address privacy can be provided, since
   this is the only scenario in which DAD wouldn't turn into a
   broadcast, and it remains so even with the router picking up all DAD.


-David

v2.23.0 | Report a Bug | By Email