IETF Logo Mail Archive

Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache

Mark Smith <markzzzsmith@gmail.com> Tue, 23 July 2019 00:34 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06181200BA for <v6ops@ietfa.amsl.com>; Mon, 22 Jul 2019 17:34:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.497
X-Spam-Level:
X-Spam-Status: No, score=-0.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U_rgGijosieh for <v6ops@ietfa.amsl.com>; Mon, 22 Jul 2019 17:34:18 -0700 (PDT)
Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A116C120045 for <v6ops@ietf.org>; Mon, 22 Jul 2019 17:34:18 -0700 (PDT)
Received: by mail-ot1-x344.google.com with SMTP id 60so2697366otr.7 for <v6ops@ietf.org>; Mon, 22 Jul 2019 17:34:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=e486O7rj1rKdG/18iipGxVRFsPyMDCIVKdJhIjv6Rjk=; b=K99VTa1pPbY/nQrWEQ41qYA+RvjBCMvJonSMIkOcBRZXbJ4M2w6K5NPMdRR1+lFBNX 9WJ15G0wjBRI7haEiTyTpjO6ahxU84Pm/a4sgRhxMI+LaE1i53CJjnEVTiPRUHZpKQqm +0UZl8ZuWpBc9cQFDUbO/sRin7xs5tRJkBlt57aNK70VhNadgbJB4IwFsQSPEO2WmIb+ 4Zn7am9dhITcx+bj2q6r24+1kmaKKrxcszDpvdRVgGC5pnu9ridu8cPukqRarWB5NTIT eTd+nKYrrgnHkE1efprsv8zZkAfCnJlgWzf3Zo4gAnxdoL1Dst777c2UZnQO+NX/Q6b5 j06A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=e486O7rj1rKdG/18iipGxVRFsPyMDCIVKdJhIjv6Rjk=; b=IwTLt8vYfSxHFjTC5lCXZBMAaie1bCNDg5QQ3CQnWPJvEY9zyC5LPinln16+5Gd/Mi jiEuKHKEtpIFtPzhOSzkxrJ/+5pPMHEHOPJFxF+c14n+OGvfECoGaklqbe4TTpeWWi5U LU7ufXlbl8LX/WcQcQ/MtBTqjX6CIJQh9pxYPdszHCPDJPi4hAOSNVJWbiadMf5RjF/I biGtdxJo/Jyw1QQ72hIs6pKyjiGWfcdR/PfFtnA3VCKzorQu9sCMKnzKLKBnaZ6N8h8L 4byZwa9q0NP6UMZc1N2ffvkq/hLy0cgCVwc5g5XNcfhT0mvwvngRJ0k1kf7jLcSsIlI5 qB7w==
X-Gm-Message-State: APjAAAU7LYK2yL2uRE9l4l/25LL+u4nWP9x2lQq/5Uqwp7wLUF7KaqlR hnMFl2q2GDb5hds6bBoupvbU7XDdnsxY3G39grfsDA==
X-Google-Smtp-Source: APXvYqwWwSBIrBbnLjTCZgsO079EFtelKVC2usfwXQOeFUdIDkDX0lrBMlnsnFMuY6ZcDuTBSr7+/dDwmmGNq7AF+Qc=
X-Received: by 2002:a9d:65da:: with SMTP id z26mr43714903oth.257.1563842056893; Mon, 22 Jul 2019 17:34:16 -0700 (PDT)
MIME-Version: 1.0
References: <20190722213727.GI34551@eidolon.nox.tf> <CAO42Z2zn-V9HrKGDC_api7BE4Sy6jmcrfKR7nbnSrHA5NpxYjQ@mail.gmail.com> <20190723000049.GJ34551@eidolon.nox.tf>
In-Reply-To: <20190723000049.GJ34551@eidolon.nox.tf>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 23 Jul 2019 10:34:05 +1000
Message-ID: <CAO42Z2yfedga9rWabShhVK6qwD28bdezi=PpO5p8zYWPwOobhg@mail.gmail.com>
To: David Lamparter <equinox@diac24.net>
Cc: v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000493a0a058e4e5a2d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/xP476vlMNhGKdGesGGMFmSMZmcQ>
Subject: Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 00:34:21 -0000

On Tue., 23 Jul. 2019, 10:00 David Lamparter, <equinox@diac24.net> wrote:

> On Tue, Jul 23, 2019 at 09:13:19AM +1000, Mark Smith wrote:
> > On Tue., 23 Jul. 2019, 07:37 David Lamparter, <equinox@diac24.net>
> wrote:
> > > I'm generating a privacy address.  I do DAD for it, and I send it to,
> > > say, ff02::1:ffc6:3a4b.  On shitty networks, this will be a broadcast,
> > > so everyone knows the address I'm using and can associate the MAC.  But
> > > on non-shitty networks, it doesn't go anywhere because no one is
> > > interested in that particular group.
> [...]
> > > The third option is for the router to pick up all DAD groups.  It
> > > certainly won't report /ALL/ DAD groups in MLD, so this would break if
> > > you have MLD-snooping switches... unless you configure multicast
> routing
> > > properly with "all multicast on router ports".
> > >
> > > Is there another choice? How about ff02::16 (All MLDv2-capable
> routers)?
> > >
> >
> > Why not have routers on the link learn of a node's link-local address via
> > source addresses of the node's RSes and MLDv2 joins, and then have the
> > routers query the node via unicast for all its other addresses.
>
> Neither of these contains the global address(es) that a host generated,
> so you would need...
>
> > There's already two ways the unicast query could be supported to collect
> > the node's other addresses, via ICMPv6 Node Information queries (RFC
> 4620)
> > , or Inverse ND (RFC 3122).
>
> ... either of these options, which I strongly hope no one implements
> because then I can just chuck all my privacy considerations straight out
> the window...
>

If that's enough of a concern to you, them you must isolate your hosts to
their own individual links, virtual or physical, so the only other devices
on the link is one or more trusted routers.

You can't attach a set of untrustworthy hosts to a mutual trust,
multi-access link and then trust those hosts to always behave. The explicit
point of those types of links is to be able to send anything to anyone.



> (Coincidentally, I'm pretty sure most hosts won't respond to either of
> these two.)
>

We invent the future here.

However, I have some small distant evidence that Mac OS X already does,
because it sends MLDv2 joins for the NI multicast group. (I don't have
access to OS X to further look, and it wasn't something I was looking into
at the time.)

There's already a BSD/Linux NI implementation available. The out of the box
version of 'ping' that comes with Fedora 30 can send NI queries.

So we're not talking about 'from scratch' implementation, or complete
replacement of ND.

There would need to be a transition mechanism and period for hosts that
don't support these queries. That's no different to any other solution that
requires changes to either or both host and router behaviour.



>
>
> I'm tentatively in the DAD snooping camp, but this is a tricky problem.
> My decision tree for DAD is this:
>

DAD doesn't occur with anycast addresses, do it isn't a complete solution.

I'm pretty sure Ericsson have IPR for that idea, because it came up with
the discussion of this draft.

Not that IPR is a reason not to use the idea, however I think it is better
to avoid it, combined with not supporting onlink anycast addresses.

Triggering ND Address Resolution on Receiving DAD-NS

https://tools.ietf.org/id/draft-halpern-6man-nd-pre-resolve-addr-00.txt





> 1. do you have a network with multicast snooping / limited multicast
>    propagation?
>
> => No: your router sees all DAD anyway, but also your privacy is already
>    f*cked from the DADs you sent.  Either way we're not making it worse
>    by picking the DADs up on the router.  End tree.
>
> => Yes: it seems someone configured multicast.  (You don't get this
>    without config, it's a bit of a PITA honestly.)  Proceed to 2.
>
> 2. is whoever configured multicast competent?
>
> => No: you're screwed already because broken multicast is broken DAD.
>    So if not all DAD makes it to the router, some or all clients will
>    experience connectivity delays.  ff02::1 or ff02::2 could /lessen/
>    these issues, but they come with their own bag of troubles and your
>    broken multicast setup might be messing with them anyway.
>
> => Yes: the competent person needs to understand that unicast routers
>    need to receive all multicast traffic in order to catch and snoop
>    DAD.  Set the "multicast router present" bits on the appropriate
>    ports on your L2 devices and you're golden.  Also, this is the only
>    scenario where some measure of address privacy can be provided, since
>    this is the only scenario in which DAD wouldn't turn into a
>    broadcast, and it remains so even with the router picking up all DAD.
>
>
> -David
>

v2.23.0 | Report a Bug | By Email