Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt
Philip Homburg <pch-v6ops-3a@u-1.phicoh.com> Tue, 25 October 2011 12:28 UTC
Return-Path: <pch-b29AA871B@u-1.phicoh.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A26E221F8B16 for <v6ops@ietfa.amsl.com>; Tue, 25 Oct 2011 05:28:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.299
X-Spam-Level:
X-Spam-Status: No, score=-7.299 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id upB82D60OEc6 for <v6ops@ietfa.amsl.com>; Tue, 25 Oct 2011 05:28:33 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [130.37.15.35]) by ietfa.amsl.com (Postfix) with ESMTP id 7FF8221F8B0D for <v6ops@ietf.org>; Tue, 25 Oct 2011 05:28:32 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #76) id m1RIg7H-0001jXC; Tue, 25 Oct 2011 14:28:27 +0200
Message-Id: <m1RIg7H-0001jXC@stereo.hq.phicoh.net>
To: Ray Hunter <v6ops@globis.net>
From: Philip Homburg <pch-v6ops-3a@u-1.phicoh.com>
Sender: pch-b29AA871B@u-1.phicoh.com
References: <4EA5C0B1.9080106@globis.net> <49044C2B7F64814BAA8D09EA7B8D72321D0CC6DFFF@EUSAACMS0701.eamcs.ericsson.se> <4EA5C8D8.5010506@globis.net> <4EA5CD7A.704@joelhalpern.com> <4EA65A79.5090709@globis.net>
In-reply-to: Your message of "Tue, 25 Oct 2011 08:43:05 +0200 ." <4EA65A79.5090709@globis.net>
Date: Tue, 25 Oct 2011 14:28:24 +0200
Cc: Joel Halpern <joel.halpern@ericsson.com>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6man-nddos-mitigation-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2011 12:28:33 -0000
(Do we want this discussion in v6ops if the draft belongs to 6man?) >So then indeed there is a trade off to be made of how noisy you find it >acceptable for ND to be by default versus overall reliability. > >Given that 6LoWPAN found even the current specification of ND too >chatty, and went ahead and developed their own solution, it could be >argued that the design goal of low chattiness should be de-weighted for >vanilla ND, and we accept that there'll be two ND implementations with >different design goals. > >On the other hand, multicast is an expensive operation. The days of LANs >being passive buses are long gone, and multicast actually has to be >emulated in silicon. Any increase in chattiness will likely impose an >upper limit on the number of nodes per link, that is probably much lower >than the limit with today's ND. One question that needs to be answered is whether we want to completely replace ND or augment it to just deal with an ND attack. My preference is to just survive an attack. The advantage of the multicast option is that it doesn't require any protocol changes. The disadvantage is that it will never work on networks where multicast is very expensive (for example wifi). On other networks, for example a wired network in a datacenter, MLD snooping may even reduce the impact on the actual network to almost zero. Of course that does require routers that can generate NS messages at wire speed and switches that can do multicast filtering/forwarding also at wire speed. Going beyond that, a 'please register option' in an RS message can be sent always by a router to ensure that the router always has a complete list of neighbors or just when the router is under attack. Doing it always makes ND more chatty but may simplify router design. And also weeds out bad hosts. Doing it only when under attack makes to option more error prone (because it is not used until it is really needed) but doesn't cause any load on the network during normal operation. >It also loses the solution to the >half-open pipe problem, which means ND is no longer a reliable >indication of two-way communications being possible. How are you going >to do reachability confirmation if the router does not send out Neighbor >Solicitation messages? There is of course some interaction with NUD, but to a large extent that is a separate problem. A router can use any of the techniques that protect against a DoS to find out where a node is (find its link layer address) and then use point-to-point communication for verifying the reachability of the node.
- [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6man-… Joel jaeggli
- Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6… Ray Hunter
- [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6man-… Ray Hunter
- Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6… Ray Hunter
- Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6… Joel M. Halpern
- Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6… Philip Homburg
- Re: [v6ops] Fwd: Fwd: I-D Action: draft-halpern-6… Joel Halpern