
Re: [savi] Question for draft-levy-abegnoli-savi-plbt-01



Hi Eric,
 
Please check inline.
 
2009-08-06

Dong Zhang

From: Eric Levy-Abegnoli
Sent: 2009-08-05 21:14:50
To: Greg Daley
Cc: Dong Zhang; SAVI Mailing List
Subject: Re: [savi] Question for draft-levy-abegnoli-savi-plbt-01
Hi Greg,

Greg Daley wrote:
Hi Dong,

Can the mix of ND and SeND on the same link be a common case? I mean,
if this happens, how to handle the NA/NS between a SeND node and a
non-SeND node?

SEND/non-SEND interoperation is dealt with extensively in RFC3971.

It does make sense to have a mix of nodes on the LAN, and this allows
incremental security deployment.

The following preflevel values have been identified (from lowest to
highest):
o  LLA_MAC_MATCH: LLA (found in NDP option) and MAC (found at layer 2)
   are identical;
o  TRUNK_PORT: the entry was learnt from a trunk port (connected to
   another switch)
o  ACCESS_PORT: the entry was learnt from an access port (connected to
   a host)
o  TRUSTED_ACCESS: the entry was learnt from a trusted port
o  TRUSTED_TRUNK: the entry was learnt from a trusted trunk
o  DHCP_ASSIGNED: the entry is assigned by DHCP
o  CGA_AUTHENTICATED: the entry is CGA authenticated, per [RFC3972]
o  CERT_AUTHENTICATED: the entry is authenticated with a certificate
o  STATIC: this is a statically configured entry per [RFC3971].

Then what about ACCESS_PORT+DHCP_ASSIGNED and
TRUNK_PORT+CGA_AUTHENTICATED, which is bigger?

I think there will be some different cases and combinations of the
preflevel values. Is it necessary and possible to list every case,
giving a particular illustration? Then it will be much clearer. Perhaps
I might miss something.

Since the bindings identify the level of authority attained about the 
address mapping, only the highest of these should be considered.

The presence of CGA_AUTHENTICATED means the higher level of
certification which has been attained by the binding. This would
supersede a previous (or contemporary) binding of TRUNK_PORT.
Therefore the binding state would be CGA_AUTHENTICATED.

Similarly, with ACCESS_PORT+DHCP_ASSIGNED, the DHCP assignment is a
control process which can be authenticated and is specified by a server.
This has more authority than the ACCESS_PORT binding. Therefore this
binding's state is DHCP_ASSIGNED.

Comparison of these bindings therefore becomes simpler: DHCP_ASSIGNED vs
CGA_AUTHENTICATED.

Perhaps some clarifying words could be put into the draft?

I guess so. If this was not crystal clear in the current writing, it
means I need to clarify. You got it all right though, so it must not
have been too bad :)
Maybe I'll add an example with some values ...
Thanks
eric
[Dong] But it seems there is something different between Greg's
understanding and your explanation. So I agree to add some
clarification, as my last mail said.
 
[Dong] In addition, I'm worried about a possible security problem.
*************
The draft says:
   Therefore, a data packet should not be used to complete the
   binding entry, but only as a hint that it should seek for completion.
   Upon receiving a data packet carrying a source address not seen
   before, the switch should issue a DAD packet on the link (all ports
   of the vlan), including the one from which the data packet was
   received.  The address owner is expected to respond with an NA,
   carrying CGA credentials if any.  Upon receiving this response, the
   switch can complete the binding entry and start forwarding traffic
   from the source.
   ...
   For instance, upon receiving a data packet, the
   switch will issue a DAD NS and wait for an NA.  Before receiving the
   NA, the entry is IMCOMPLETE.  Then it moves to REACHABLE.  Then to
   STALE unless the binding is confirmed by more NDP traffic.
************
Think about an attacker that sends data packets with different forged
source addresses incessantly. These data packets lead the SAVI switch to
send DAD and wait for NA responses. In this case, a DoS attack arises.
A security consideration should be added. And the binding entries in
INCOMPLETE state cost memory while waiting for the response. Maybe a
state machine is needed for the state transition. The behavior of the
SAVI switch might be something like this:

Trigger                                    Action
------------------------------------------ ------------------------------------------
Receive a data packet                      Create an INCOMPLETE entry, send DAD NS
Receive an NA within x (e.g. 3 seconds)    INCOMPLETE moves to REACHABLE
Receive no NA within x                     Eliminate the INCOMPLETE entry
...                                        ...
Thank you.
Dong
Please note that an address binding can be both CGA authenticated and
DHCPv6 assigned, since a node can propose its address in DHCPv6 based on
known address prefixes. In this case, the fact that the device can
perform SEND CGA Auth on the address lends more authority to the
binding (giving CGA_AUTHENTICATED state).


Sincerely,

Greg Daley
Security Consultant
NetStar Australia Pty Ltd

E-mail: gdaley at netstarnetworks.com
Mobile: +61 401 772 770
Direct: +61 3 8532 4042
Fax:    +61 3 8532 4032 
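As an added example, not from the draft or from any message in this thread: a toy Python model of a SAVI switch binding table that resolves combined preflevel values by keeping only the highest one (Greg's rule above) and gives INCOMPLETE entries a timeout plus an assumed per-port cap, so the unanswered DAD probes Dong describes cannot grow without bound. The 3 second timeout, the cap value, the port names and the addresses are all assumed; the preflevel order is the one listed in the draft excerpt.

```python
from dataclasses import dataclass

# preflevel order copied from the draft excerpt, lowest to highest
PREF_LEVELS = ["LLA_MAC_MATCH", "TRUNK_PORT", "ACCESS_PORT", "TRUSTED_ACCESS",
               "TRUSTED_TRUNK", "DHCP_ASSIGNED", "CGA_AUTHENTICATED",
               "CERT_AUTHENTICATED", "STATIC"]

def effective_preflevel(levels):
    """A binding qualifying for several levels keeps only the highest one."""
    return max(levels, key=PREF_LEVELS.index)

@dataclass
class Entry:
    state: str        # INCOMPLETE, REACHABLE or STALE
    port: str
    deadline: float   # when an unanswered INCOMPLETE entry is dropped
    preflevel: str = ""

class BindingTable:
    # na_timeout is Dong's "x" seconds; the per-port INCOMPLETE cap is assumed
    def __init__(self, na_timeout=3.0, max_incomplete_per_port=32):
        self.na_timeout = na_timeout
        self.max_incomplete = max_incomplete_per_port
        self.entries = {}

    def data_packet(self, src, port, now):
        """Unknown source: create INCOMPLETE entry; True means send a DAD NS."""
        if src in self.entries:
            return False
        pending = sum(1 for e in self.entries.values()
                      if e.port == port and e.state == "INCOMPLETE")
        if pending >= self.max_incomplete:
            return False  # cap reached: drop the packet, send no probe
        self.entries[src] = Entry("INCOMPLETE", port, now + self.na_timeout)
        return True

    def neighbor_advertisement(self, src, levels):
        """NA answering the DAD NS completes the entry; returns its preflevel."""
        e = self.entries.get(src)
        if e is None or e.state != "INCOMPLETE":
            return None
        e.state, e.preflevel = "REACHABLE", effective_preflevel(levels)
        return e.preflevel

    def expire(self, now):
        """Drop INCOMPLETE entries whose NA never arrived; returns how many."""
        gone = [s for s, e in self.entries.items()
                if e.state == "INCOMPLETE" and e.deadline <= now]
        for s in gone:
            del self.entries[s]
        return len(gone)
```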
