I think I have missed this one... see below...

Guang Yao wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~Yes, I agree it's not perfect. However, we can compare the failure
> possibility of DAD snooping
> ~and FCFS (false positive only):
> ~1. FCFS fails if (1.1) normal DAD is being attacked;
> ~                 (1.2) DAD NA is missing;
> ~                 (1.3) Collision you mentioned
> ~2. DAD snooping fails when (2.1) DAD NA is missing
> ~                           (2.2) Collision you mentioned
> ~
> ~I think it is quite clear (1.2), (1.3), (2.1), (2.2) happen with very little
> possibility, but (1.1)
> ~can happen with great possibility.
> ~And (1.2), (1.3), (2.1), (2.2) are failures of the DAD mechanism, not the fault
> of SAVI. (1.1) is
> ~the fault of SAVI.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

I simply don't agree with the way you compare the approaches.

For me, it makes sense to create the FCFS SAVI state based on the first
packet that refers to the source address, whether this packet is ND, DHCP
or a data packet. So, the only discussion we are having here is that I
think we should use both data packets and control packets and you argue
that you want to use only DAD packets.

So, what we need to compare is FCFS SAVI using both control and data
packets versus doing FCFS SAVI based only on DAD packets. In that case, it
is clear that there are more failure modes in the case of using only
control packets, since it is a subset of the other that uses both control
and data packets. Now, this is not enough to also use data packets, since
we need to quantify whether it is worth the additional complexity.

The problems that I see with using only DAD packets are:

- first, I don't think this flies for IPv4, since I would assume that DAD
  for v4 is not widely implemented. So for IPv4 we must use something else.
  (In this case, I wonder if it is worth the complexity of using DAD, but
  this depends on how widely IPv4 DAD has been adopted.)
- second, even for IPv6, what would you do if you are only doing DAD and
  you receive a data packet with a source address that is not in the SAVI
  database? Would you drop it? This means that if the DAD msg was corrupted,
  or lost or whatever, you are blocking a legitimate user, and as you say,
  false positives are very bad.

>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~SAVI device is always the device directly connected with the host (first hop
> switch or router).
> why?
> ~So it is not hard to guarantee the first point.
> what is the first point?
> ~And I don't think we have to guarantee ND message is delivered to all
> nodes. It is enforced
> ~by standard and it only fails with little possibility.
> agree, but if it fails, you have a false positive, which as you said is very bad.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> I mean, the problem with DAD robustness is that the topology can change
> after the DAD procedure was done. So, suppose you have two LANs that are
> working and that at some point in time they are merged into one LAN. In
> that case, the nodes on each LAN have already executed the DAD procedure
> and they are not even aware of the merging, so they will not repeat the
> DAD procedure. (This can happen when there is a failure and a network
> gets partitioned and then repaired, for example.)
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~A great example. But
> ~(1) If the nodes are not aware of merging, they must not leave their switch

right, but what I have in mind is that there are two switches connected to
each other and each switch is performing the SAVI function. So, what breaks
is the link between the two switches. So, the DAD msg is propagated but
only to the nodes in the same switch.
When the two switches are linked together again, the SAVI function of the
other switch has not seen the DAD messages in the other switch that were
sent while they were separated.

> (or else it is the same
> ~as a node is attached to the LAN for the first time.) and the switch must
> be used in the new LAN. If
> ~the binding is performed on the switch, there is no trouble. If the binding
> is performed on the router,
> ~also no trouble.

wait, you said before that SAVI is performed in the first hop? So are you
assuming that the SAVI is performed in the first hop or not? I don't think
it is a reasonable assumption to make, but you seem to contradict yourself
here.

> The binding information is never removed and it can
> be used again, without requirement
> ~of another DAD.
> ~(2) It is really an infrequent situation.

well, all the mechanisms for the creation of adjacencies in OSPF are
intended to address problems like this when a network gets partitioned, and
these are pretty complex... I don't think they would do all that work if
they thought the probability of such an event was negligible.

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> So DAD is inherently non-robust because the procedure is successful when
> there is NO reply, but you cannot know if there is no reply because there
> is no address collision or because the packet was lost.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~(1) The SAVI device knows what the situation is clearly, because it has
> recorded all addresses

but DAD messages can get lost or have errors, right? My point is what
happens in that situation? SAVI just starts dropping the packets and blocks
the host out of the network because the DAD msg was lost? As you said,
false positives are very bad.

> .
> ~(2) And my point is: We choose DAD snooping for host relies on DAD
> exclusively, rather than
> ~DAD is robust.
> I can't parse this sentence
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>> But I think relying on data traffic has the
>> same problem, right?
>>
>
> not really, because there are many data packets.
> So, if one data packet gets lost, there will be more to come, so sooner
> or later one of them will make it (or we have bigger problems).
>
> The problem with DAD is that we send only one packet and if it is lost
> we are out of luck.
> Besides, we could send several packets, but this would imply longer
> delay, which is also bad.
> Data packets, otoh, there are plenty of them, so the problem is handled better.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~Well, I wonder whether a DAD message will be dropped at the first link? I remember
> the link layer protocol
> ~has an acknowledgement and retransmission policy.

messages can get errors, get lost in the hardware interface and so on... Are
you assuming that links don't have errors in packets?

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> as I said several times, I think it may be ok to use ND messages to
> populate the SAVI DB, but I don't think we should rely solely on ND. I
> think we need to use data packets as well, in case DAD packets are
> missing for some reason.
> BTW, I also think we should use DHCP messages if we can.
>
> I think we need to understand what we gain by adding this complexity
> (clearly relying solely on data packets is simpler, but relying on
> signaling packets as well may prevent some attacks, but we need to
> understand that better imho).
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~OK, I will make clear WHAT we lose if we use data packets solely.
> I am not arguing we should only rely on data packets,

My point is that we should create the FCFS state based on the first packet
referring to that address, whether a data or a control packet. We may want
to disregard some control packets if they are not widely used; in
particular I have some doubts w.r.t. IPv4 DAD, as I am not sure how widely
deployed this is.

>
>> 1.2 If there is a collision in local binding, and a DAD NA is
>> replied from the address owner, it must
>> ensure the NA will be delivered to the tentative node.
>>
>
> sure, this is basic DAD behaviour, nothing new here, right?
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~Yes. If every NA is delivered to the tentative node, the SAVI device
> doesn't have to do anything here.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>> 1.3 If the address owner doesn't reply, it may either: 1, delete
>> former binding and set up new binding;
>> or 2 Send a NA to the tentative node instead of the address
>> owner.
>>
>
> sure, this is done already in the FCFS draft.
>
>> 1.4 Any NA with spoofed Target Address must be dropped.
>> 2 Data traffic is either dropped or forwarded according to binding, without
>> triggering new binding entry.
>>
>
> here, I disagree
> as I said, I think we should also use data traffic as well
>
>> I think the security and completeness of DAD is necessary even using data
>> traffic to bind address.
>>
>
> how do you plan to achieve that?
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~Guang, 1.4:
> ~The security problem of DAD is easy to handle since the SAVI device has
> recorded all the addresses
> ~a node owns.

No, you are assuming packets don't get lost and networks don't get
partitioned. This is simply not true.

Regards,
marcelo
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
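As an added illustration of the disagreement above (this is not code from the SAVI drafts or from either participant), the following Python toy model contrasts the two binding policies being argued over: a switch that creates binding state only by snooping DAD Neighbor Solicitations, versus an FCFS switch that creates state from the first packet, whether ND, DHCP or data, that refers to an address. The packet kinds, port names, the address 2001:db8::a and the lost-NS scenario are all constructed for the example; the NA-based defence of an address by its existing owner discussed in items 1.2 and 1.3 is deliberately not modelled, so a conflicting DAD NS is simply dropped when a binding exists.

```python
"""Toy model of a SAVI first-hop switch under two binding policies.
Added example; not code from the SAVI drafts.

Model assumptions (all constructed for this illustration):
  * one switch, bindings keyed by IPv6 address -> ingress port;
  * "dad_only": only a snooped DAD Neighbor Solicitation creates a
    binding; data packets are forwarded or dropped according to the
    existing binding and never create state;
  * "fcfs_any": the first packet that refers to an address, whether a
    DAD NS, a DHCP message or a data packet, creates the binding;
  * a lost packet is modelled by never handing it to the switch;
  * the NA-based defence of an address by its existing owner is not
    modelled, so a conflicting DAD NS is simply dropped.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    kind: str   # "DAD_NS", "DHCP" or "DATA"
    addr: str   # tentative target (DAD_NS) or source address (others)
    port: str   # ingress port the switch saw the packet on


class SaviSwitch:
    # Which packet kinds are allowed to create a new binding.
    STATE_CREATING = {
        "dad_only": {"DAD_NS"},
        "fcfs_any": {"DAD_NS", "DHCP", "DATA"},
    }

    def __init__(self, policy: str) -> None:
        if policy not in self.STATE_CREATING:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.bindings: Dict[str, str] = {}

    def receive(self, pkt: Packet) -> str:
        """Apply the policy to one packet and return the verdict."""
        owner = self.bindings.get(pkt.addr)
        if owner is None:
            if pkt.kind in self.STATE_CREATING[self.policy]:
                self.bindings[pkt.addr] = pkt.port
                return "bind+forward"
            # dad_only with no binding: dropped even when the sender is
            # the legitimate owner whose DAD NS the switch never saw.
            return "drop-unbound"
        if owner == pkt.port:
            return "forward"
        # Address already bound to another port: spoof or collision.
        return "drop-conflict"


def run(policy: str, wire: List[Packet]) -> List[str]:
    """Feed a packet sequence to a fresh switch; return the verdicts."""
    sw = SaviSwitch(policy)
    return [sw.receive(p) for p in wire]


def false_positives(policy: str, wire: List[Packet], legit_port: str) -> int:
    """Count packets from the legitimate port that the policy dropped."""
    return sum(1 for v, p in zip(run(policy, wire), wire)
               if p.port == legit_port and v.startswith("drop"))


# Constructed scenario: host A on port p1 performs DAD for A_ADDR, but its
# NS is lost before the switch sees it; A then sends data.  Host B on
# port p2 later tries to use A's address, first with data, then with DAD.
A_ADDR = "2001:db8::a"
A_DAD_NS = Packet("DAD_NS", A_ADDR, "p1")
WIRE_NS_LOST = [
    Packet("DATA", A_ADDR, "p1"),    # legitimate host A, first data packet
    Packet("DATA", A_ADDR, "p1"),
    Packet("DATA", A_ADDR, "p2"),    # host B spoofing A's address
    Packet("DAD_NS", A_ADDR, "p2"),  # host B claiming A's address via DAD
]
WIRE_NS_SEEN = [A_DAD_NS] + WIRE_NS_LOST

if __name__ == "__main__":
    for name, wire in (("NS lost", WIRE_NS_LOST), ("NS seen", WIRE_NS_SEEN)):
        for policy in ("dad_only", "fcfs_any"):
            print(f"{name:8} {policy:9} {run(policy, wire)}  "
                  f"false positives: {false_positives(policy, wire, 'p1')}")
```

With the NS lost, the dad_only switch drops every packet from the legitimate host (the false positive marcelo describes) and, having no record of the address, later accepts B's DAD NS for it; the fcfs_any switch binds on A's first data packet and then rejects B on both the data and the DAD path. With the NS delivered, the two policies produce identical verdicts, which is the "subset" relationship between the two failure-mode sets.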