RE: Fwd: Broadband Forum liaison to IETF on IPv6 security
- To: "Dunn, Jeffrey H." <jdunn at mitre.org>, "Wes Beebee (wbeebee)" <wbeebee at cisco.com>, "Antonio Querubin" <tony at lava.net>
- Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security
- From: "Hemant Singh (shemant)" <shemant at cisco.com>
- Date: Fri, 6 Nov 2009 18:23:41 -0600
- Cc: Thomas Narten <narten at us.ibm.com>, 6man-ads at tools.ietf.org, SAVI Mailing List <savi at ietf.org>, william.allen.simpson at gmail.com, Hesham Soliman <hesham at elevatemobile.com>, Erik Nordmark <erik.nordmark at sun.com>, Susan at core3.amsl.com, savi-ads at tools.ietf.org, Robin Mersh <rmersh at broadband-forum.org>, "Susan Thomson \(sethomso\)" <sethomso at cisco.com>, "Fred Baker \(fred\)" <fred at cisco.com>, v6ops-ads at tools.ietf.org, IETF at core3.amsl.com, IPv6 Operations <v6ops at ops.ietf.org>, Mailing List <ipv6 at ietf.org>, JINMEI Tatuya / 神明達哉 <jinmei at isl.rdc.toshiba.co.jp>
- In-reply-to: <3C6F21684E7C954193E6C7C4573B76270367855CA1 at IMCMBX1.MITRE.ORG>
- References: <AFC1ACFB-FDFA-482C-AAF9-7995F5CEFE1F at broadband-forum.org> <F311A255-3303-4C9D-B270-D1D23DE31E31 at cisco.com> <200911061358.nA6DwXNq025458 at cichlid.raleigh.ibm.com> <3C6F21684E7C954193E6C7C4573B76270367855A0E at IMCMBX1.MITRE.ORG> <alpine.OSX.1.00.0911060823410.126 at cust11794.lava.net> <3C6F21684E7C954193E6C7C4573B76270367855B2F at IMCMBX1.MITRE.ORG> <BB56240F3A190F469C52A57138047A03037B07E3 at xmb-rtp-211.amer.cisco.com> <3C6F21684E7C954193E6C7C4573B76270367855CA1 at IMCMBX1.MITRE.ORG>
- Thread-topic: Fwd: Broadband Forum liaison to IETF on IPv6 security
This is the same thought I emailed about, that the access concentrator in the NBMA link performs ND Proxy - Wes and I are saying the same thing - he put it very nicely in concise form. The access concentrator is also the first hop IPv6 router to the broadband enabled home, and note that a router interface joins only the all-nodes mcast address and the interface solicited-node mcast address. Such an interface mcast join will not let the router see all NS(DAD)s on the link. That is why when a router in the BMA or NBMA link starts sniffing all mcast traffic, then the router sees all the NS(DAD)s on its link, and this sniffing for all mcast traffic happens to be the first requirement of a ND Proxy!
As for your question below, the CPE Router in the home has got to have been delegated a prefix and each home gets a different prefix, so how can the UGA from the home device from one home ever encounter a dup at the access concentrator? If anything, dups can exist within the same home, but the CPE Router already takes care of those dups in the home LAN link.
Hemant
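The two points above (a router interface only receives NS(DAD)s for the solicited-node groups it has joined unless it sniffs all multicast, and duplicates can only arise across homes on a shared WAN prefix, never inside a per-home delegated prefix) can be checked with a small model. The following is an added, constructed example and not code from any participant or from any vendor implementation; the port names, prefixes and addresses are hypothetical, and the access concentrator is reduced to the decision it would make on each NS(DAD) it receives.

```python
"""Toy model of DAD handling by a first-hop router on an NBMA access link.
Constructed illustration for the thread above; prefixes and ports are hypothetical."""
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
SOLICITED_NODE_BASE = ipaddress.IPv6Address("ff02::1:ff00:0")


def solicited_node_mcast(addr):
    """Solicited-node multicast group of a unicast address (RFC 4291): ff02::1:ff + low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_BASE) | low24)


def make_ns_dad(target):
    """NS(DAD) as a host sends it: unspecified source, solicited-node destination, tentative target."""
    return {
        "src": ipaddress.IPv6Address("::"),
        "dst": solicited_node_mcast(target),
        "target": ipaddress.IPv6Address(target),
    }


class AccessConcentrator:
    """First-hop router on an NBMA link with one logical port per home.

    own_addrs:       addresses configured on the access interface
    delegated:       port -> prefix delegated to that home
    shared:          WAN prefix common to all ports (Antonio's case b), or None
    sniff_all_mcast: True if the interface receives every multicast frame (ND-proxy style)
    """

    def __init__(self, own_addrs, delegated, shared=None, sniff_all_mcast=False):
        self.own_addrs = {ipaddress.IPv6Address(a) for a in own_addrs}
        # Groups a normal router interface joins: all-nodes, all-routers, one solicited-node per address.
        self.groups = {ALL_NODES, ALL_ROUTERS, *(solicited_node_mcast(a) for a in self.own_addrs)}
        self.delegated = {p: ipaddress.IPv6Network(n) for p, n in delegated.items()}
        self.shared = ipaddress.IPv6Network(shared) if shared else None
        self.sniff_all_mcast = sniff_all_mcast
        self.seen = {}  # target address on the shared prefix -> port that first claimed it

    def receive(self, port, ns):
        """Return what the router does with an NS(DAD) arriving on `port`."""
        # Without sniffing all multicast, only NS for joined groups reach the router at all.
        if not (self.sniff_all_mcast or ns["dst"] in self.groups):
            return "not_seen"
        target = ns["target"]
        if target in self.own_addrs:
            return "send_na"  # defend the router's own address, as any node would
        if target in self.delegated[port]:
            # Per-home prefix: a duplicate can only exist inside that home; the CPE router's DAD covers it.
            return "in_home_prefix"
        if self.shared is None or target not in self.shared:
            return "drop_foreign_prefix"  # address is neither this home's prefix nor the shared WAN prefix
        first_port = self.seen.setdefault(target, port)
        if first_port == port:
            return "recorded"
        # Same address claimed from two different ports: only this router can tell, so it answers.
        return "send_na"


if __name__ == "__main__":
    ac = AccessConcentrator(
        own_addrs=["2001:db8:ffff::1"],
        delegated={"port1": "2001:db8:1::/48", "port2": "2001:db8:2::/48"},
        shared="2001:db8:ffff::/64",
        sniff_all_mcast=True,
    )
    print(ac.receive("port1", make_ns_dad("2001:db8:ffff::50")))  # recorded
    print(ac.receive("port2", make_ns_dad("2001:db8:ffff::50")))  # send_na
```

Running the model with `sniff_all_mcast=False` shows the first point: an NS(DAD) for a host address in a home's delegated prefix is addressed to a solicited-node group the router never joined, so the router returns `not_seen` and cannot detect anything. With sniffing enabled, the per-home prefix check fires before any duplicate tracking, which is why cross-home duplicates only have to be tracked on a prefix that is actually shared between ports.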
-----Original Message-----
From: owner-v6ops at ops.ietf.org [mailto:owner-v6ops at ops.ietf.org] On Behalf Of Dunn, Jeffrey H.
Sent: Friday, November 06, 2009 6:26 PM
To: Wes Beebee (wbeebee); Antonio Querubin
Cc: Thomas Narten; Fred Baker (fred); 6man-ads at tools.ietf.org; SAVI Mailing List; william.allen.simpson at gmail.com; Hesham Soliman; IETF at core3.amsl.com; Erik Nordmark; savi-ads at tools.ietf.org; IPv6 Operations; Susan Thomson (sethomso); v6ops-ads at tools.ietf.org; Robin Mersh; Mailing List; Susan at core3.amsl.com; JINMEI Tatuya / 神明達哉; Dunn, Jeffrey H.
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security
Wes,
That is an interesting idea. One question occurs to me that you can probably answer. What happens if a host behind the CPE router does SLAAC and configures a UGA? Since it has already done DAD, the host assumes it has an unused address. When the host finally tries to use the UGA to access the Internet and the access router sends an NA or NS(DAD), what should the host do? It has already validated the UGA using DAD. My interpretation is that it should reply to the NS(DAD) with an NA (based on RFC 4862). I am not sure about a duplicate NA, since DAD is supposed to prevent this.
Best Regards,
Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.
(301) 448-6965 (mobile)
-----Original Message-----
From: Wes Beebee (wbeebee) [mailto:wbeebee at cisco.com]
Sent: Friday, November 06, 2009 4:48 PM
To: Dunn, Jeffrey H.; Antonio Querubin
Cc: Thomas Narten; Fred Baker (fred); 6man-ads at tools.ietf.org; SAVI Mailing List; william.allen.simpson at gmail.com; Hesham Soliman; IETF at core3.amsl.com; Erik Nordmark; savi-ads at tools.ietf.org; IPv6 Operations; Susan Thomson (sethomso); v6ops-ads at tools.ietf.org; Robin Mersh; Mailing List; Susan at core3.amsl.com; JINMEI Tatuya / 神明達哉
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security
The key is that the access router (which is the only router that knows this is an NBMA link and not a BMA link) can selectively decide to send ND messages (either NA's or NS(DAD) messages) when the access router detects that there is a duplicate on the link. This is the minimum requirement to support DAD on an NBMA link. This would need to be specified in an NBMA-specific document and probably doesn't need to be mentioned in a document like RFC 4861.
- Wes
-----Original Message-----
From: owner-v6ops at ops.ietf.org [mailto:owner-v6ops at ops.ietf.org] On Behalf Of Dunn, Jeffrey H.
Sent: Friday, November 06, 2009 2:18 PM
To: Antonio Querubin
Cc: Thomas Narten; Fred Baker (fred); 6man-ads at tools.ietf.org; SAVI Mailing List; william.allen.simpson at gmail.com; Hesham Soliman; IETF at core3.amsl.com; Erik Nordmark; savi-ads at tools.ietf.org; IPv6 Operations; Susan Thomson (sethomso); v6ops-ads at tools.ietf.org; Robin Mersh; Mailing List; Susan at core3.amsl.com; JINMEI Tatuya / 神明達哉; Dunn, Jeffrey H.
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security
Antonio,
Regardless of whether the ISP bridges the NBMA links or not, the CPE router will not propagate the ND or NS messages onto these links. The Ethernet and Wi-Fi BMA LAN segments are separate logical links from each other and the ISP link(s). How will the CPE router be "convinced" to bridge these link-local scoped messages off link?
Best Regards,
Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.
(301) 448-6965 (mobile)
-----Original Message-----
From: Antonio Querubin [mailto:tony at lava.net]
Sent: Friday, November 06, 2009 1:35 PM
To: Dunn, Jeffrey H.
Cc: Thomas Narten; Fred Baker; 6man-ads at tools.ietf.org; SAVI Mailing List; william.allen.simpson at gmail.com; Hesham Soliman; IETF at core3.amsl.com; Erik Nordmark; savi-ads at tools.ietf.org; IPv6 Operations; Thomson; v6ops-ads at tools.ietf.org; Robin Mersh; Mailing List; Susan at core3.amsl.com; JINMEI Tatuya / 神明達哉
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security
On Fri, 6 Nov 2009, Dunn, Jeffrey H. wrote:
> The problem is IMHO the following: How to assign an IPv6 UGA to CPE
> hosts attached to a BMA LAN (usually Ethernet or Wi-Fi) that is in
> turn connected via a CPE router through an NBMA link (cable modem or
> DSL) to an ISP router that provides Internet access. Currently, there
> are two
And what happens when there are multiple CPE routers
a) connected via a BMA LAN to the DSL or cable modem
and/or
b) 'connected' via separate NBMA links but are on the same WAN subnet (assigned by the ISP)
I think in the latter, if the ISP decides to silo the individual NBMA links then they need to adjust for that in how they do the sub-delegation which is I think what the issue is. But if the ISP actually bridges the separate NBMA links, then there's no silo issue and the CPE can pretend they're in 'a'.
Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.