IETF Logo Mail Archive

Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

Nick Hilliard <nick@foobar.org> Fri, 19 September 2014 23:34 UTC

Return-Path: <nick@foobar.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 238061A88F9 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 16:34:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.6
X-Spam-Level:
X-Spam-Status: No, score=-1.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoVIEfy5TSPl for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 16:34:55 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADD501A8715 for <v6ops@ietf.org>; Fri, 19 Sep 2014 16:34:54 -0700 (PDT)
X-Envelope-To: v6ops@ietf.org
Received: from cupcake.foobar.org (xe-0-0-2.transit07.phb1.foobar.org [87.192.56.84]) (authenticated bits=0) by mail.netability.ie (8.14.9/8.14.5) with ESMTP id s8JNYPUh006787 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sat, 20 Sep 2014 00:34:45 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.netability.ie: Host xe-0-0-2.transit07.phb1.foobar.org [87.192.56.84] claimed to be cupcake.foobar.org
Message-ID: <541CBD81.20209@foobar.org>
Date: Sat, 20 Sep 2014 00:34:25 +0100
From: Nick Hilliard <nick@foobar.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Andrew 👽 Yourtchenko <ayourtch@gmail.com>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com> <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0CCCABFB@PWN401EA160.ent.corp.bcbsm.com> <CAPi140MfAqRpCV8cW50N0cGZsE4Q9CC0ZUB6xQoAgUn4F3P6WA@mail.gmail.com>
In-Reply-To: <CAPi140MfAqRpCV8cW50N0cGZsE4Q9CC0ZUB6xQoAgUn4F3P6WA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/sQSjyoDDHz3SFNNKAoJCCFD-J_E
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 23:34:56 -0000

On 19/09/2014 23:24, Andrew 👽  Yourtchenko wrote:
> If the draft had just the (2) above (even limit it to just
> observations, maybe? Could someone else from the community chime in
> who thinks it is a problem?),and also discussed whether one can use
> larger scopes (what happens if ff05::1?), and the *operational*
> measures that can be taken today to prevent that threat, this would
> make it self-contained. 

the draft describes that when pinging the mcast all-hosts address, a bunch
of replies are received from third party hosts which populated the nd cache
on the author's machine with a bunch of entries.  The authors have not
provided enough detail in the email to show the cause of the amplification;
 anecdotally on my home network, pinging ff02::1%en0 causes some ND packets
and gets a single echo reply per node, which is nothing like what the
authors of this draft are seeing.

It would be more useful at this stage for the authors to upload a pcap file
for analysis rather than assuming there is a protocol level problem.  It
seems unusual that 10 icmp requests would result in 2840 replies but
without details, it's not possible to tell what's going on and on that
basis, an ID seems premature.

As a side note, the ND cache entries look like they're derived from Xen MAC
adddresses (00:16:3E:*).  If the virtual hosting provider in question has
made ipv6 end-user access available on a shared broadcast domain on Xen,
then large ND caches are probably the least of their worries: neither Xen
nor openvswitch support RA guard at the time of writing, which means that
if the authors were to inject fake RAs, they could trivially take over the
entire ipv6 network.

Nick

v2.23.0 | Report a Bug | By Email