Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
Nick Hilliard <nick@foobar.org> Fri, 19 September 2014 23:34 UTC
Return-Path: <nick@foobar.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 238061A88F9 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 16:34:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.6
X-Spam-Level:
X-Spam-Status: No, score=-1.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoVIEfy5TSPl for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 16:34:55 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADD501A8715 for <v6ops@ietf.org>; Fri, 19 Sep 2014 16:34:54 -0700 (PDT)
X-Envelope-To: v6ops@ietf.org
Received: from cupcake.foobar.org (xe-0-0-2.transit07.phb1.foobar.org [87.192.56.84]) (authenticated bits=0) by mail.netability.ie (8.14.9/8.14.5) with ESMTP id s8JNYPUh006787 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sat, 20 Sep 2014 00:34:45 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.netability.ie: Host xe-0-0-2.transit07.phb1.foobar.org [87.192.56.84] claimed to be cupcake.foobar.org
Message-ID: <541CBD81.20209@foobar.org>
Date: Sat, 20 Sep 2014 00:34:25 +0100
From: Nick Hilliard <nick@foobar.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Andrew 👽 Yourtchenko <ayourtch@gmail.com>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com> <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0CCCABFB@PWN401EA160.ent.corp.bcbsm.com> <CAPi140MfAqRpCV8cW50N0cGZsE4Q9CC0ZUB6xQoAgUn4F3P6WA@mail.gmail.com>
In-Reply-To: <CAPi140MfAqRpCV8cW50N0cGZsE4Q9CC0ZUB6xQoAgUn4F3P6WA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/sQSjyoDDHz3SFNNKAoJCCFD-J_E
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 23:34:56 -0000
On 19/09/2014 23:24, Andrew 👽 Yourtchenko wrote: > If the draft had just the (2) above (even limit it to just > observations, maybe? Could someone else from the community chime in > who thinks it is a problem?),and also discussed whether one can use > larger scopes (what happens if ff05::1?), and the *operational* > measures that can be taken today to prevent that threat, this would > make it self-contained. the draft describes that when pinging the mcast all-hosts address, a bunch of replies are received from third party hosts which populated the nd cache on the author's machine with a bunch of entries. The authors have not provided enough detail in the email to show the cause of the amplification; anecdotally on my home network, pinging ff02::1%en0 causes some ND packets and gets a single echo reply per node, which is nothing like what the authors of this draft are seeing. It would be more useful at this stage for the authors to upload a pcap file for analysis rather than assuming there is a protocol level problem. It seems unusual that 10 icmp requests would result in 2840 replies but without details, it's not possible to tell what's going on and on that basis, an ID seems premature. As a side note, the ND cache entries look like they're derived from Xen MAC adddresses (00:16:3E:*). If the virtual hosting provider in question has made ipv6 end-user access available on a shared broadcast domain on Xen, then large ND caches are probably the least of their worries: neither Xen nor openvswitch support RA guard at the time of writing, which means that if the authors were to inject fake RAs, they could trivially take over the entire ipv6 network. Nick
- [v6ops] new draft: draft-elkins-v6ops-multicast-v… fred
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Ackermann, Michael
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nick Hilliard
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nick Hilliard
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Andrew 👽 Yourtchenko
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nick Hilliard
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nick Hilliard
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Bill Cerveny
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Ackermann, Michael
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Mikael Abrahamsson
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… sthaug
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Bill Cerveny
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… sthaug
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Mikael Abrahamsson
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Nalini Elkins
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Randy Bush
- [v6ops] new draft: draft-elkins-v6ops-multicast-v… fred
- Re: [v6ops] new draft: draft-elkins-v6ops-multica… Ray Hunter