Re: [v6ops] SLAAC security concerns

Vasilenko Eduard <vasilenko.eduard@huawei.com> Wed, 05 August 2020 06:44 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FFBA3A133F; Tue, 4 Aug 2020 23:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xS0LCbKVXaaP; Tue, 4 Aug 2020 23:44:03 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EEAA3A117F; Tue, 4 Aug 2020 23:44:02 -0700 (PDT)
Received: from lhreml737-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 2DD581E68C84DD8E9ADE; Wed, 5 Aug 2020 07:44:00 +0100 (IST)
Received: from msceml706-chm.china.huawei.com (10.219.141.145) by lhreml737-chm.china.huawei.com (10.201.108.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Wed, 5 Aug 2020 07:43:55 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml706-chm.china.huawei.com (10.219.141.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Wed, 5 Aug 2020 09:43:54 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.1913.007; Wed, 5 Aug 2020 09:43:54 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, "Ted Lemon" <mellon@fugue.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>, Gert Doering <gert@space.net>
Thread-Topic: [v6ops] SLAAC security concerns
Thread-Index: AdZqh2IDVN0JAX5fTSutty/fgHiG3P//7l0AgAAIigCAAAdgAP//J7PQ
Date: Wed, 5 Aug 2020 06:43:54 +0000
Message-ID: <fa73c4e3aca6406995daa12ffa30e260@huawei.com>
References: <f52c4463862f44b5ba2a9d41db86d231@huawei.com> <20200804194448.GA2485@Space.Net>, <6370DE53-9EC6-4141-97C6-3B223939012A@fugue.com> <E26455BF-5BA3-4382-AF1D-04698E8BC53A@cisco.com>
In-Reply-To: <E26455BF-5BA3-4382-AF1D-04698E8BC53A@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.204.128]
Content-Type: multipart/alternative; boundary="_000_fa73c4e3aca6406995daa12ffa30e260huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/wXERSviu_-tgQRU-AFkr9NnWbws>
Subject: Re: [v6ops] SLAAC security concerns
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2020 06:44:05 -0000

Hi Pascal,
I was in business for long time. I am not much scared of bad vendor implementation of multicast or not implemented multicast at all.

Your concern that not every technology is good for multicast is right: WiFi (most popular type of connection our times) is not friendly to multicast whatever vendor would do about it.
Your point is very valid, but I do not want revolution in SLAAC. I want evolution – minimal number of changes to patch only biggest holes. Revolution would not be accepted by the market.
I agree that final picture is not ideal.

PS: If people would like revolution – you have the good proposal what to do. Let we see how much would be acceptance after additional 10 years.
Eduard
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Pascal Thubert (pthubert)
Sent: 4 августа 2020 г. 23:42
To: Ted Lemon <mellon@fugue.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>ca>; v6ops list <v6ops@ietf.org>rg>; 6man <ipv6@ietf.org>rg>; Gert Doering <gert@space.net>
Subject: Re: [v6ops] SLAAC security concerns

Talking about multicast might be misleading. Has anyone deployed L2 multicast? IEEE people told me they designed one and that after some hiccups it was made to work but not much implemented and deployed.

Even then this is pushing the scalability problem one layer down not solving it, like almost as many groups as there are addresses so what’s the point?

Else for all I know we are mostly broadcasting any DAD and lookup over the whole L2, causing storms and wasting the wireless bandwidth. This is also a major pain point for the deployment of large multi site fabrics.
Disclaimer: I have not seen IGMP snooping successfully turned on for link scope multicast; unclear if and how that can help or if as hinted in this thread it should be turned off. I’d be interested in return from experience there :)

Keep safe,

Pascal


Le 4 août 2020 à 22:17, Ted Lemon <mellon@fugue.com<mailto:mellon@fugue.com>> a écrit :
 On Aug 4, 2020, at 3:44 PM, Gert Doering <gert@space.net<mailto:gert@space.net>> wrote:
There is too many broken switch vendors out there that show again and
again that "implementing multicast is hard", breaking IPv6 ND in the
process.

Why don’t you return that switch for a refund?

(I’ve never run into a switch that had trouble with IPv6 multicast, but admittedly I only have four different switches in my house, so that’s not a very big sample.)

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops