RE: draft-chakrabarti-nordmark-6man-efficient-nd review

[Samita Chakrabarti]

Hi ,

Thanks for your detailed comments. Apology for the late reply .
It'd be nice to know your name - so we could address you directly.

Please see the responses  in-line.
-----Original Message-----
From: ayourtch [mailto:ayour...@cisco.com] 
Sent: Monday, August 05, 2013 3:52 AM
To: Samita Chakrabarti; nordm...@cisco.com; pthub...@cisco.com; 
m...@lilacglade.org
Cc: ipv6@ietf.org
Subject: draft-chakrabarti-nordmark-6man-efficient-nd review

Hi,

I've read through the document, and the problem that it touches is indeed
*very* acute - I've experienced it every time in the large-scale wireless 
deployments.

The below is a braindump written as I was reading the doc - I deliberately left 
some of the pieces that might have been explained later in the document, so if 
you want you might preempt these by adding explicit forward references.

----------
Overall, after reading the doc:

1) I think address registration introduces a new attack vector (registration 
flood). More thoughts on this inline.

2) I think there are a few more "multicast chatter" cases that are missed - 
inline.

3) Given that the FHS is a "must" in IPv6 network, if we assume its presence, I 
think the protocol may be simplified, and be made more router-centric, I think 
there may be a possible optimization which would not involve changing the end 
hosts - as I'd guess it'll take a while for the end hosts to adapt.

Now, I'm using the text from -02 from the below URL, will copypaste anchors 
from it and comments interspersing.

http://datatracker.ietf.org/doc/draft-chakrabarti-nordmark-6man-efficient-nd/?include_text=1


"
    joining the network the host does not wait for the Router
    Advertisements as the NEAR routers do not perform periodic multicast
    RA as per RFC 4861.  Instead, the EAH sends a multicast RS to find
    out a NEAR router in the network.  The RS message is the same as in
    RFC 4861.
"


The RS sending mechanism will be resilient, I assume, such that the node does 
get RA even in a high-loss environments, right  ? Maybe useful to include a 
paragraph or two on the unreliability of this mechanism. I think Suresh said he 
had something on this, probably worth referencing.

===> Sure. The target of this document is both high-loss networks and regular 
IPv6 networks. In both cases less number of multicast signaling is desirable.
I think it make sense to add a few lines on configurable number of times the RS 
can be sent in a high-loss link. I'll check with Suresh on his proposal.
Suresh, would you like to make the comment on the list again?


"
The TID field is used together with age of a registration for
    arbitration between two routers (default or backbone) to ensure
    freshness and ownership of the registration of a given target
    address.  "

freshness - yes.. ownership - not sure.. seems like I might spoof this value 
easily.. ?


===>  Current IPv6 ND can be spoofed as well and it is no different than that. 
One can run L2-level security or run SEND.

"   Router Advertisement(RA):   Periodic RAs SHOULD be avoided.  Only
                            solicited RAs are RECOMMENDED.  An RA MUST"

This is sometime years in the future when there's no legacy IPv6 nodes ?

Especially in context of mobile byod-type networks (e.g. ciscolive net), I 
think the router might need to support both. OTOH, the *interval* of the 
multicast RAs can be cranked up. This is what I am doing now, and it does 
help...

Okay, I see sometime later:

"The efficiency-aware default router MUST not send periodic RA unless
    it is configured to support both legacy IPv6 and efficiency-aware
    hosts.  If the Router is configured for efficiency-aware hosts
    support, it MUST send Router Advertisements with E-bit flag ON and
    MUST NOT set 'L' bit in the advertisements."

Fair enough. But then if the router configured for interop, do we still send 
RAs "relatively frequently" or do we say also to decrease their default 
frequency ? Maybe a micro-optimization, not sure. I need to measure this 
somehow with existing gear.

===> The document talks about both NEAR and legacy routers.  The goal is to 
transition to a network where all routers are NEAR and hosts are 
Efficient-hosts. But for interoperability and backward compatibility a router 
can be configured in MIXED mode where it can serve both. RA frequency can be 
configured based on the type of network and applications.

"containing Router's link-layer address (this
                            is optional in [ND].  An RA MUST carry Prefix
                            information option with L bit being unset, so
                            that hosts do not multicast any NS messages"

for the routable addresses, yes this solves the problem. But what I noticed 
today is this use case:
Bonjour advertising the services using all sorts of addresses, including 
link-local addresses. So, then the devices will do ND on link-local addresses, 
etc. - so this will solve the problem only partially, I think.

====> Not sure if I understand the problem here. Can you please explain the 
sequence of ND messages in Bonjour and point to the partial problem you're 
envisoning?

" Unlike RFC4861 which suggests
                            multicast Router Advertisements, this
                            specification optimizes the exchange by
                            always unicasting RAs in response to RS."

Yay! :-) (with my wireless hat on:)

One thing (maybe) to mention is to say that in the final architecture this may 
be configurable depending on the media type ? a broadcast medium with low 
capacity could still make use of mcast RAs.

===> Makes sense. Will discuss it with my co-authors about the suggestion.

"
  The efficiency-aware host MUST NOT send or accept re-direct messages.
    It does not join solicited node multicast address.
"

Again, yay! Does this mean we can get rid of MLD queries as well ?

===>  I guess it can be spared for the solicited node MCAST addr.  We need to 
double check if  NEAR uses solicited mcast for any reason.

"
    one with ARO and another without ARO then the NS message with ARO
    gets the precedence and the NS without ARO is ignored.  This behavior
    protects the router from Denial Of Service attacks.  Similarly, if
"

What about two AROs that are different ?

===> I suppose the text can be clarified here.  We are talking about the 
situation if the router receives  two NS messages from the same host ( one 
regular and the other containing ARO option), then it the router should prefer 
the NS message with the ARO option.


"
Lifetime expires.  If an ARO arrives for an NCE that is in
    UNCREACHABLE state, that NCE should be marked as STALE.
"

Can we then use this STALE state as an excuse to clean up the table if it gets 
full(er) on the router, similar to what we do today with binding table with FHS 
? I feel we should discuss - "what happens when the resources on the router are 
exhausted or close to exhaustion - how does it recover gracefully from this 
condition, if at all".


===> Let's have the discussion off-line along with the co-authors and see how 
we can address this comment to make the router more efficient.


"However, it will create legacy NCE for NS messages for other routers
    in the network.  This mode is able to prevent ND flooding on the
    link."

I don't understand. Is this for more than one router running in a kind of 
redundant mode ? I'd need to understand the exact topology in question, but I 
think I have a comment for this part :-)

===> Good catch. It is trying to say that a NEAR creates legacy NCE for the 
other routers in the subnet since the  routers are not registering with each 
other.
           This part needs clarification.


"
An efficiency-aware Router(NEAR) SHOULD be able to have configuration
    knob to configure itself in Mixed-Mode where it will support both
    efficiency-aware hosts and legacy hosts.
"

Would this be an excuse for some vendors to not implement the mixed mode ? I 
have a vague feeling that this should be "MUST" to help enable transition, but 
probably "SHOULD" is for the routers made specifically for the energy-efficient 
environments ? Is this something that justified by enough of a ballast of 
having to support the legacy mode ? My hunch is that probably there is not a 
whole lot, but maybe I am wrong...


==> You are right -- 'SHOULD' is to help transition.  There are some 
implementations who might not have to deal with legacy IPv6 nodes and  they may 
decide not to implement mixed mode.  

"
The new default
    router then first send an NS to its peers with a link scope multicast
    message to IPv6 address ff02::2 with the ARO option.
"

So, I think the movement scenario presents another attack vector, if I 
understand it right - unless there is a signaling mechanism for asserting the 
host's identity... I don't have a good solution now, just think this is a 
problem. Maybe something like a binding table will take care of it - if it's 
centralized at a L2 device that sees everything. I think it is a solved problem 
there...

==> Agree. It could be an attack vector in an open network. But it no new 
threat.  Do the routers today use any authentication mechanism when they 
exchange multicast messages today?

"
value of TID wins.  Note that the registration ownership and local
    movement detection behavior in NEAR router MUST be optionally
    configured.  The NEAR routers MAY implement this feature.

"

So does this mean that by default we'll "protect" the existing entry ?

===>This makes sure the newest valid registration wins when there are multiple 
default routers in the subnet and the host policy is to always connect to the 
router that provides itself with best performance or closest proximity.


"

The efficiency-aware behavior documented in this specification avoids
    the ND DOS attacks by:

    o  Having the hosts register with the default router
    o  Having the hosts send their packets via the default router
    o  Not resolving addresses for the Routing Solicitor by mandating
       SLLA option along with RS
    o  Checking for duplicates in NCE before the registration
    o  Checking against the MAC-address and EUI-64 id is possible now for
       NCE matches
"

The way I see it, it does prevent the attack which destination guard prevents, 
and that's it. On the other hand, it introduces a new attack where a malicious 
host on local network can send a lot of registrations and exhaust resources of 
the router.

===> Note that the registration actually creates the temporary NCE with a short 
lifetime -- thus for unknown destinations when the attack happens, the NCE are 
cleared automatically after a very short while. Thus the DOS attack cannot 
build up. For valid entries the temporary entries are replaced by registered 
entries. A node cannot randomly send registration NS as they will fail with 
EUID checks -- of course the processing time of the CPU will be spent or the 
implementation may put a limit to process  failed registrations from a given 
host.


I think this is where a mechanism from the network to signal "you're trying too 
much" could be useful. OTOH if implemented straightforwardly, this may become a 
way for the network to try to control the hosts... I don't know the answer yet. 
Maybe I am ratholing, sorry :-)


==> Your concerns are reasonable. Agree with you that the implementations can 
provide different solutions as a value-add.

"

router.  At this point, the default routers use Neighbor
    Advertisements(NA) to arbitrate the latest ownership of the
    registration of host.  The ownership of registration is useful for
"

I think I had some questions about this earlier - maybe would benefit from a 
reflow, and having the same "movement stuff" in the same place ?

===> If you can clarify your comment with section numbers, it'd be quite useful 
for us to address this comment.

"
  if EAH node implements DNA host capability as well, then it SHOULD
    give preference to the NEAR routers in its candidate list of routers.
"

I think this is an over-spec. There is already "router preference" field, which 
can be happily used to enable more than one use case, including the ability to 
switch back and forth from legacy routers.


===>  I see. Can you please suggest a text here ?

"
multicast messages in the IPv6 ND procedure, it does not affect
    normal IPv6 multicast packets and ability of nodes to join and leave
    the multicast group or forwarding multicast traffic or responding to
    multicast queries.
"

ahha - so MLD queries are still sent by the querier routers ?

I think that might be quite an impact as well (e.g. on WLC by default MLD 
querier time is 90 seconds).


===>  It is trying to say the enhanced mode routers should work with the 
existing  protocols.
            Again, an implementation may choose to provide configuration knobs 
to customize.

"
These optimizations are not known to introduce any new threats
    against Neighbor Discovery beyond what is already documented for IPv6
    [RFC 3756].
"

As I noted above, I think this mechanism does introduce a new attack vector... 
I am not sure if it does also introduce the attack vector of stealing the 
address, seems like it might.

====>  I don't think it provides a new kind of attack. Any ND packet 
information can be spoofed if it is run in the clear.
              How does it introduce stealing the IP address?



Hope it helps.

===> Thanks for your comments again. It is helpful indeed.

Regards,
-Samita
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------