Hi Ran,

On Wed, 22 Jun 2011 08:10:27 -0400 RJ Atkinson <rja.li...@gmail.com> wrote:

> On 22 Jun 2011, at 07:34, Mark Smith wrote:
>
> > It may be getting to the point where it'd probably be easier
> > to address these issues by taking away hosts' ability to multicast
> > to other hosts on the same segment i.e. switch to an NBMA/hub-and-spoke
> > mode of LAN operation, allowing the designated routers to also
> > act as traffic sanitisers for on-link inter-host traffic.
>
> That is possible; doing so would create a new and different set
> of operational issues and implementation issues. It isn't
> immediately obvious to me that the alternative set of issues would be
> simpler/cheaper/easier than the issues Fernando's proposal raises.

Part of what influenced my suggestion is that mechanisms to implement these sorts of controls already exist in some layer 2 devices: the private VLAN feature, and placing devices into specific VLANs based on 802.1X authentication. So for environments where rogue RAs are a likelihood, some of these mechanisms, possibly with some necessary changes or additions to IPv6 (e.g. DAD proxy), might be a more effective and more general "traffic sanitation" solution for all ND-based threats, including rogue RAs, spoofed ND NAs, etc.

> Another more fundamental question is how much operational risk the
> folks who deploy edge networks believe they have, and how much
> operational risk those folks are comfortable with. Some or many such
> operational folks might find all of these concepts to have excessive
> capital and operational expense for the perceived risk reduction.
> They might conclude that the "cure" is worse than the "disease".

I completely agree; the security context definitely needs to be considered. A drawback of making a change as fundamental as, for example, prohibiting fragmentation in ND messages is that it implies that it is necessary in any and all contexts. That may not actually be true. In the contexts where rogue RAs are a likelihood (e.g. public wifi, "IPoE" SP networks, etc.) rather than a rare accident, some of the other layer 2 traffic control mechanisms I mentioned are probably going to be deployed. I wonder if their likely presence reduces the need to make such fundamental changes to IPv6 as disabling fragmentation in ND.

With the relatively large number of subnets available in IPv6, up to a point it is practical to have a single host-router pair in a subnet. Once you do that, the only possible victims of these threats are the host itself or the router it depends on for off-link reachability, and those router consequences will or can be limited to the router's host-facing interface. These types of on-link threats have now been mitigated or eliminated by individually quarantining each host and using their own self-interest to control their behaviour.

Best regards,
Mark.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
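The message above contrasts two mitigations for on-link ND threats: a protocol-level rule such as prohibiting fragmentation in ND messages, and a layer 2 "traffic sanitiser" (the designated router, or a private-VLAN/802.1X switch) that inspects inter-host traffic before it reaches anyone. The following is an added example, not code from the thread or from any IETF document, that shows what such a sanitiser would actually check on a single packet: it parses a raw IPv6 packet, walks the extension-header chain, and flags (a) an ND message carrying a Fragment header, (b) an ND message whose hop limit is not 255, and (c) a Router Advertisement whose source is not the segment's designated router. The router link-local address fe80::1, the rogue source fe80::bad and the sample packets are constructed for this example; the ICMPv6 checksum is left as zero and is not verified here.

```python
"""Minimal ND 'traffic sanitiser' check for a single raw IPv6 packet (added example)."""
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

# Assumed designated router for the segment (hypothetical address for this example).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALL_NODES = "ff02::1"


def build_ipv6(src, dst, icmp, hop_limit=255, fragment=False):
    """Constructed test packet: IPv6 header, optional Fragment header, ICMPv6 payload."""
    payload, nh = icmp, IPPROTO_ICMPV6
    if fragment:
        # Fragment header: next header, reserved, offset(13)|res(2)|M(1), identification.
        payload = struct.pack("!BBHI", IPPROTO_ICMPV6, 0, 0, 0x1234) + icmp
        nh = IPPROTO_FRAGMENT
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def icmp_ra():
    """RA body: type 134, code, checksum (0, unverified), cur hop limit, flags,
    router lifetime, reachable time, retrans timer; no options."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)


def icmp_ns(target):
    """NS body: type 135, code, checksum (0, unverified), reserved, target address."""
    return struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def classify_nd(pkt, trusted_routers=TRUSTED_ROUTERS):
    """Return a sorted list of findings for an ND packet; an empty list means it passes."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not-ipv6"]
    _plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    off, fragmented = 40, False
    # Walk the extension-header chain until the ICMPv6 header is reached.
    while nh != IPPROTO_ICMPV6:
        if off + 2 > len(pkt):
            return ["truncated"]
        if nh == IPPROTO_FRAGMENT:
            fragmented, nh, off = True, pkt[off], off + 8
        elif nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
            # Length field counts 8-octet units, excluding the first 8 octets.
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return ["not-icmpv6"]
    if off + 4 > len(pkt) or pkt[off] not in ND_TYPES:
        return ["not-nd"]
    findings = []
    if fragmented:
        findings.append("fragmented-nd")      # ND carried behind a Fragment header
    if hlim != 255:
        findings.append("hop-limit-not-255")  # ND must not have crossed a router (RFC 4861)
    if pkt[off] == 134 and src not in trusted_routers:
        findings.append("rogue-ra")           # RA from someone other than the designated router
    return sorted(findings)


# Constructed sample packets.
def sample_good_ra():
    return build_ipv6("fe80::1", ALL_NODES, icmp_ra())


def sample_rogue_ra():
    return build_ipv6("fe80::bad", ALL_NODES, icmp_ra())


def sample_fragmented_ns():
    return build_ipv6("fe80::2", "ff02::1:ff00:1", icmp_ns("2001:db8::1"), fragment=True)


def sample_forwarded_ra():
    return build_ipv6("fe80::1", ALL_NODES, icmp_ra(), hop_limit=64)


if __name__ == "__main__":
    for name, pkt in [("good RA", sample_good_ra()), ("rogue RA", sample_rogue_ra()),
                      ("fragmented NS", sample_fragmented_ns()), ("hop-limit 64 RA", sample_forwarded_ra())]:
        print(f"{name:16s} -> {classify_nd(pkt) or 'accept'}")
```

The point of the example is where the check lives: a rule like "no Fragment header on ND" is only enforceable at the receiving host unless something in the path sees every on-link packet, whereas in the hub-and-spoke arrangement discussed above the designated router (or the private-VLAN switch) is that something, and the RA allow-list check is one it can apply without any change to the hosts.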