IETF Logo Mail Archive

Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Andrew 👽 Yourtchenko <ayourtch@gmail.com> Fri, 19 September 2014 20:27 UTC

Return-Path: <ayourtch@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 612181A04E7 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 13:27:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ybwxz0dbsssq for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 13:27:14 -0700 (PDT)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0A651A0476 for <v6ops@ietf.org>; Fri, 19 Sep 2014 13:27:14 -0700 (PDT)
Received: by mail-ig0-f173.google.com with SMTP id l13so190066iga.12 for <v6ops@ietf.org>; Fri, 19 Sep 2014 13:27:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mqygEQMxzBshxgZ/a8ce300zHPn+GCL2z1keGO597rs=; b=urXIH2EfIMu+mSTZmtUU8aAvcgkCD/vZaDyMVJb/t9JidYsPN2topN1HYPxkXfqCiG RrY2F0QmXnKOzgoiEDbc5hVuAoF6h8ZWdmU9Eu+fYRukYX+35iQH+V3iL6K34YBO/+Fq C9EXQ1jlwPGcTv1MiPl49RzLxQq0udPwcFdi1tyRrKTyZRXYbsVrBndRTrXNytNd4Rio HWZBCGUxKAtpfL+FpF3Sj+Bb7XOaLOKWxcu4oVPJIDe/EBoPviRWls3UwHImn2bl5ivB qW0dP2fmxxHqQDl8IyGXIUYrPlrGQU2iH7Cku2z9k5scVVUAIaxGuf5sjKEp7EFE4Tgf Ue/A==
MIME-Version: 1.0
X-Received: by 10.43.61.4 with SMTP id wu4mr1755565icb.77.1411158434065; Fri, 19 Sep 2014 13:27:14 -0700 (PDT)
Received: by 10.107.137.65 with HTTP; Fri, 19 Sep 2014 13:27:14 -0700 (PDT)
In-Reply-To: <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com>
Date: Fri, 19 Sep 2014 22:27:14 +0200
Message-ID: <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com>
From: Andrew 👽 Yourtchenko <ayourtch@gmail.com>
To: Nalini Elkins <nalini.elkins@insidethestack.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/l3RaFesPWyJwvyz9ViunlQstAuc
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 20:27:16 -0000

On 9/19/14, Nalini Elkins <nalini.elkins@insidethestack.com> wrote:
>
>>A directed broadcast ping on IPv4 gives pretty much the same result.
>>Did you test the effects of that ?
>
> I had not.  But, since you mentioned it, I did it on two different Windows
> machines.  The one that is the server in question had the following results:
>
> C:\Users\Administrator>ping x.x.x.255
>
> Pinging x.x.x.255 with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for x.x.x.255:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> Arp cache was not updated.   I did a packet trace in the background and
> indeed no ICMP replies were seen.
>
> I did the same ping x.x.x.255 on one of my client PCs and saw:
>
> Pinging x.x.x.255 with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> But this time the packet trace showed that actually ICMP replies were sent.
>

So, besides this cosmetic difference the behavior is identical for the
case of IPv4 ping ?

>>Of course, private VLANs or (if we are talking VMs) or just using p2p
>>links with /128s would help this in the environments where the hosts
>>can not be trusted - and this of course is not virtual/physical
>>specific.
>
> Yes.  We wanted to bring up the topic of isolation of nodes for discussion.

This is a useful topic in general - especially in light of the
MLD-related thread, but the draft seems to focus on a very corner case
- there are many much better reasons not to do large L2 networks.

>
>>If we're talking specifically virtual environment, here's an approach
>>on how to use ebtables to isolate the hosts:
>
>>ebtables -P FORWARD DROP
>>ebtables -F FORWARD
>>ebtables -A FORWARD -i $uplinkPort -j ACCEPT # let the traffic flow
>>from uplink to any ports
>>ebtables -A FORWARD -o $uplinkPort -j ACCEPT # let the traffic flow
>>from any ports to uplink
>
>>(source:http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges)
>
> I think this is very good.  But, unfortunately not very well known.   Also,
> is this possible for all platforms or just Linux?

This was just my first google.com search result when searching for
"private vlans linux".

The first google.com search result on "private vlans windows" brings
up http://blogs.technet.com/b/scvmm/archive/2013/06/04/logical-networks-part-iv-pvlan-isolation.aspx
which seems to document similar technique.

"private vlan vmware" results in
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691
as its first hit.

Would an IETF publication be easier to find than the above ?

>
>>So looks like the question at hand is:
>
>>"Should IPv6 nodes respond to Ping to FF0x::1?"
>
>>Which can be rephrased differently to ease the start of the discussion:
>
>>"What are the legitimate uses of a ping to ff0x::1 ?"
>
>>Right ?
>
> Yes.

Allright, so I'll mention my use of ping6 ff0x::1:

* quick check to find "a few hosts that are alive on this link"
(obviously not to be done on large segments).

* A way to trigger the remote side's ND process without having to do
one myself (I know the multicast packet to all-hosts *will* usually
get received regardless of the underlying issues with the L2.5
infrastructure (snooping, etc.)

* A way to further debug malfunctioning L2.5 infra, by comparing the
reaction to pings to ff02::1, solicited node multicast, other
multicast groups, etc.

Summary: the ff02::1 current ping behavior does help in a non-trivial
amount of cases.

The security aspects the draft mentions indeed do exist, but in a
properly configured network can be easily mitigated as I've shown
above. So I'd be against changing the functionality in the existing
stacks.

On the education side: the existing search results
https://www.google.com/?gws_rd=ssl#q=ping6+ff02::1 show
8000-something results - so indeed probably this behavior may be
highlighted more during the IPv6 education. However: every IPv6 course
I've heard says "there is no broadcast in IPv6, but there is all-hosts
multicast" which should not make the behavior the draft describes a
major surprise.

--a

>
> --a
>
>
> On 9/19/14, fred@cisco.com <fred@cisco.com> wrote:
>> A new draft has been posted, at
>> http://tools.ietf.org/html/draft-elkins-v6ops-multicast-virtual-nodes.
>> Please take a look at it and comment.
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>

v2.23.0 | Report a Bug | By Email