[v6ops] PD to hosts [was: DAD again [was: draft-ietf-v6ops-host-addr-availability discussion] ]

Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Mon, 16 November 2015 17:03 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/hKiLUAvTook8oLWxKwZa-ykA9kk>

>This is starting to diverge from the case I originally intended this discussion
>to examine. The case I am interested in is as follows:
>
>- Node N receives a /64 prefix delegation for prefix P over interface eth0.
>- N assigns P to the lo interface as a /64 route. This is done to black-hole
>   unused portions of P.
>- N configures address A from prefix P, and assigns it to eth0.
>- N need not perform DAD for A over eth0, because the delegating router
>   has made sure that the routing system will route all packets with a
>   destination address from P to node N, and not to any other node.
>
>In this way, N can function as an ordinary host according to the strong end
>system model even though it acted as a "requesting router" in procuring a
>prefix from the delegating router. No other node X on the same link as
>N can therefore configure an address from P and have the routing system
>return packets to X. In fact, any node X that configures an address from P
>can be considered an "attacker", and the use or non-use of DAD has no
>way of preventing that. In fact, the use of DAD could give X a clue as to
>which addresses from P are ripe for attacking. So, it is in fact better to
>NOT do DAD.

I have two questions about this, sort of unrelated to DAD (so I changed the
subject).

1) How do packets reach the host? Is that documented somewhere?
   I assume that in this case a router will send packets with destination
   prefix P to the link local address of N. But is that specified somewhere?

2) If a node M on the same Ethernet link wants to communicate with address
   A, it creates a destination cache entry for A picking a default router
   as next hop (because P is not onlink). Later, A can send the reply 
   directly to M if M's address is onlink. That is likely to cause a
   neighbor cache entry for A at M, which will not be used because the 
   destination cache entry is still in place.

   Not good if you ever want to debug something.
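
An added sketch, not part of the original message, of the asymmetry raised in question 2. It models the conceptual destination cache and neighbor cache of RFC 4861 for M and N. The `Host` class, the addresses and the MAC address are constructed for illustration, and N is assumed to treat M's prefix as on-link.

```python
import ipaddress

class Host:
    """Conceptual RFC 4861 sending-side data structures for one host."""
    def __init__(self, onlink_prefixes, default_router):
        self.prefix_list = [ipaddress.ip_network(p) for p in onlink_prefixes]
        self.default_router = ipaddress.ip_address(default_router)
        self.destination_cache = {}   # destination -> next-hop address
        self.neighbor_cache = {}      # neighbor address -> (link-layer addr, state)

    def next_hop(self, dst):
        """Next-hop determination; the result is cached per destination."""
        dst = ipaddress.ip_address(dst)
        if dst not in self.destination_cache:
            onlink = any(dst in p for p in self.prefix_list)
            self.destination_cache[dst] = dst if onlink else self.default_router
        return self.destination_cache[dst]

    def receive_ns(self, src, lladdr):
        """A Neighbor Solicitation carrying a source link-layer address
        option creates a STALE neighbor cache entry for the sender."""
        self.neighbor_cache.setdefault(ipaddress.ip_address(src), (lladdr, "STALE"))

def simulate():
    # Constructed values: documentation prefixes and a made-up MAC address.
    router = "fe80::1"
    m_addr, a_addr = "2001:db8:0:1::10", "2001:db8:0:2::1"   # A is inside P
    m = Host(["2001:db8:0:1::/64"], router)        # P is not on-link for M
    n = Host(["2001:db8:0:1::/64"], router)        # assumption: M's prefix is on-link for N

    m_first_hop = str(m.next_hop(a_addr))          # M -> A goes via the router
    n_reply_hop = str(n.next_hop(m_addr))          # A -> M goes direct
    m.receive_ns(a_addr, "02:00:00:00:00:0a")      # N resolves M, so M learns A
    m_later_hop = str(m.next_hop(a_addr))          # still the cached router
    a_in_nc = ipaddress.ip_address(a_addr) in m.neighbor_cache
    return m_first_hop, n_reply_hop, a_in_nc, m_later_hop

if __name__ == "__main__":
    print(simulate())
```

M ends up with a neighbor cache entry for A while its destination cache still sends traffic for A to the router, so the two caches disagree about how A is reached.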