
Re: RS sending in draft-ietf-v6ops-ipv6-cpe-router-04



In your letter dated Mon, 26 Apr 2010 16:49:51 +0200 you wrote:
>LLs are absolutely needed. DHCPv6 uses them as does ND. Furthermore, in the
>CPE draft we support the so called "unnumbered" model, whereby the WAN
>interface has NO global IPv6 address.

What's the point of requiring an RS if there is not going to be a prefix anyhow?

If a router is configured for PD, it may just as well leave out the RS
altogether.

>> If you already have a link identifier for the RS, why not use it as well for
>> the DHCP-PD?
>
>I'm referring to creating an IP-L2-binding using an IP address obtained from
>an RS, which is used to authorize a customer.

Is there anything special in those RS messages (some kind of encryption, HMAC)
that really authorizes the customer, or do you just accept any random
MAC address and link-local address, allowing any customer to create a
denial of service attack on another customer?

>> But I still have no clear picture how a customer can spoof things using his
>> link local address.
>>
>The issue is one of overwriting ND cache entries in the BNG, by having one
>customer spoof another's LL address.

How does that help? A customer gets the wrong DHCP reply?

It would be nice if you could describe a specific attack that is allowed by
not binding to the LL addresses early on, and cannot be prevented easily.

>I take it that other than clarifications, you see no issue with the
>proposal.

It is fine with me if you update RFC-4861 for all links and all cases. 
I don't think it is a good idea to create all kinds of different versions of
the neighbor discovery protocols depending not on the link type, but how the
link is used.

If you do ND over ethernet, there should be one set of rules for doing that.
And not one set of rules for ordinary ethernet and another if you happen
to connect to an ISP.

(IMHO the same thing applies to using RA messages as a poor man's routing 
protocol. If that is what is needed, then add some flags or options to
RA, don't just change the meaning of an RA depending on how the link is used).