RE: Neighbor Discovery from non-neighbors

To: "Hemant Singh (shemant)" <shemant at cisco.com>, "MILES DAVID" <David.Miles at alcatel-lucent.com.au>, <Jinmei_Tatuya at isc.org>
Subject: RE: Neighbor Discovery from non-neighbors
From: "Hemant Singh (shemant)" <shemant at cisco.com>
Date: Sun, 5 Oct 2008 20:17:51 -0400
Authentication-results: rtp-dkim-1; header.From=shemant at cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Cc: ipv6 at ietf.org, pekkas at netcore.fi
Delivered-to: ietfarch-ipv6-archive at core3.amsl.com
Delivered-to: ipv6 at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=12520; t=1223252351; x=1224116351; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=shemant at cisco.com; z=From:=20=22Hemant=20Singh=20(shemant)=22=20<shemant at cisco. com> |Subject:=20RE=3A=20Neighbor=20Discovery=20from=20non-neigh bors |Sender:=20 |To:=20=22Hemant=20Singh=20(shemant)=22=20<shemant at cisco.co m>,=0A=20=20=20=20=20=20=20=20=22MILES=20DAVID=22=20<David.M iles at alcatel-lucent.com.au>,=0A=20=20=20=20=20=20=20=20<Jinm ei_Tatuya at isc.org>; bh=6RxdZuzX9KysnVdI6opg5Lmh9kZR/xRhjEoKooX8X7E=; b=Lkyk5SvnLcw8XhsrqBGNDplvnRYACLAlSe2DkCpdExMo0+C9zUymjUNVyR r5nsge4DzqeqK8KJKIDCGMjG/kSzHWYrk8kYHNXhMD4TzzHvoPX15yE3QjjY xnmc2cLZ9C;
In-reply-to: <B00EDD615E3C5344B0FFCBA910CF7E1D04E423B6 at xmb-rtp-20e.amer.cisco.com>
List-archive: <https://www.ietf.org/mailman/private/ipv6>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <986DCE2E44129444B6435ABE8C9E424D0124104F at SGSINSMBS02.ad4.ad.alcatel.com> <B00EDD615E3C5344B0FFCBA910CF7E1D04E423B6 at xmb-rtp-20e.amer.cisco.com>
Sender: ipv6-bounces at ietf.org
Thread-index: Ackl1cOimMcW51wgTDmrll7AEP9CfwBDgaPAABHnMYwABu//oAAAb9SQ
Thread-topic: Neighbor Discovery from non-neighbors

Title: Re: Neighbor Discovery from non-neighbors

David,

Humbles apologies that I addressed you as Miles.

Hemant

From: ipv6-bounces at ietf.org [mailto:ipv6-bounces at ietf.org] On Behalf Of Hemant Singh (shemant)
Sent: Sunday, October 05, 2008 8:16 PM
To: MILES DAVID; Jinmei_Tatuya at isc.org
Cc: ipv6 at ietf.org; pekkas at netcore.fi
Subject: RE: Neighbor Discovery from non-neighbors

Miles,

I'll see what we can do towards putting together another version of the draft with Thomas' suggested text and Jinmei's feedback in next few days or earlier. As you can see Jinmei doesn't have any objection to the new text from Thomas but he wants some extra text as in changing our draft to reflect an important change going into it - of course, we can accommodate Jinmei on that; we didn't do that yet because we weren't sure if the new text would be accepted or not. Jinmei also said that section 7.2.3 of RFC4861 needs some change to be in line with the on-link definition bullets revisit. Thomas has already suggested text for such a change (in our private email thread) to this section that goes like "create a ND-cache entry only if the source address of the NS is on-link per other indications".

Hemant

From: MILES DAVID [mailto:David.Miles at alcatel-lucent.com.au]
Sent: Sunday, October 05, 2008 4:46 PM
To: Hemant Singh (shemant); Jinmei_Tatuya at isc.org
Cc: pekkas at netcore.fi; ipv6 at ietf.org
Subject: Re: Neighbor Discovery from non-neighbors

Hemant,

I think it is important for us to move forward with the proposed clarification ASAP. Is it possible to get the proposed text for the IP Subnet Model draft relating to ND in a new revision of the draft and posted?

As you have said: there is a bug and it needs to be fixed and we have been asked to assit by adding some clarifying statements. Please direct any grievances my way, and off-list, with respect to this being a security vulnerability as I accept responsibility for that direction.

To keep us on topic, can we get review of the proposed text from members of this working group?

-David

----- Original Message -----
From: Hemant Singh (shemant) <shemant at cisco.com>
To: Jinmei_Tatuya at isc.org <Jinmei_Tatuya at isc.org>
Cc: Pekka Savola <pekkas at netcore.fi>; ipv6 at ietf.org <ipv6 at ietf.org>; MILES DAVID
Sent: Sun Oct 05 20:37:34 2008
Subject: RE: Neighbor Discovery from non-neighbors

>You seem to forget the fact that the FreeBSD security advisory
generally talks about that particular implementation. Anything written
there is true, if you read it in the context of the FreeBSD
implementation (as >an extreme example, a PC router that runs an
unmodified FreeBSD kernel). I believe people normally interpret this
document in the correct context and won't be confused.

>You also seem to be trapped in a specific router implementation model
where neighbor cache entries and forwarding tables are clearly separated
and the latter doesn't affect the former. As far as I understand it,
>such a model is not a protocol-level requirement, but just an
implementation choice. And, in fact, the FreeBSD kernel (or BSD
implementations in general) tightly couples the ARP/ND tables with the
forwarding >table, so if a bogus entry is inserted in the former, it
will affect forwarding behavior. As mentioned in the first paragraph, a
PC router using a vanilla FreeBSD kernel behaves that way. I won't
surprised even other >commercial routers that use a customized BSD
kernel have the same problem.

>---
>JINMEI, Tatuya
>Internet Systems Consortium, Inc.

BSD has a bug that it needs to fix. Further, it's debatable that
separation of ND-cache and data forwarding table for a node are not a
protocol-level requirement. RFC4861 clearly describes a Conceptual
Sending Algorithm in section 5.2 - both a host and host portion of an
IPv6 router follow this section. Internally, a node may implement its
s/w architecture and code any way the implementation wants to. But
conceptually, the data forwarding from this section has to be applied.
The section clearly says the following:

[When sending a packet to a destination, a node uses a combination of
   the Destination Cache, the Prefix List, and the Default Router List
   to determine the IP address of the appropriate next hop, an operation
   known as "next-hop determination".]

Where does one see ND-cache being used in a data forwarding decision or
what is called as next-hop determination?

Further, in the discussion of the David Miles issue, none of us from
IETF in myself, Erik, Thomas, and Wes agreed there is a security issue
with the problem David Miles reported.

Hemant

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

References:
- Re: Neighbor Discovery from non-neighbors
  - From: MILES DAVID
- RE: Neighbor Discovery from non-neighbors
  - From: Hemant Singh (shemant)

Prev by Date: RE: Neighbor Discovery from non-neighbors
Next by Date: Re: [dhcwg] Request for Advices on the draft "draft-cha-ipv6-ra-mo-00.txt"
Previous by thread: RE: Neighbor Discovery from non-neighbors
Next by thread: RE: Neighbor Discovery from non-neighbors
Index(es):
- Date
- Thread

RE: Neighbor Discovery from non-neighbors

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.