
RE: Fwd: Broadband Forum liaison to IETF on IPv6 security

2009-11-09 14:43:55
This is the same thought I emailed about, that the access concentrator on the 
NBMA link performs ND Proxy - Wes and I are saying the same thing; he put it 
very nicely in concise form.  The access concentrator is also the first-hop 
IPv6 router to the broadband-enabled home, and note that a router interface 
joins only the all-nodes mcast address and the interface's solicited-node mcast 
address.  Such an interface mcast join will not let the router see all NS(DAD)s 
on the link.  That is why, when a router on the BMA or NBMA link starts sniffing 
all mcast traffic, the router sees all the NS(DAD)s on its link, and this 
sniffing for all mcast traffic happens to be the first requirement of an ND 
Proxy!

As for your question below, the CPE Router in the home has got to have been 
delegated a prefix, and each home gets a different prefix, so how can the UGA 
from a device in one home ever encounter a dup at the access concentrator?  If 
anything, dups can exist within the same home, but the CPE Router already takes 
care of those dups on the home LAN link.

Hemant
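The point above about multicast joins can be checked numerically: an NS(DAD) is sent to the solicited-node group of the tentative address (RFC 4291 section 2.7.1), so an interface that has joined only all-nodes and its own solicited-node groups receives it only when the low 24 bits happen to match. This is an added illustration, not code from the thread; the router and host addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
"""Which NS(DAD) messages does a first-hop router actually receive?

Added illustration (not part of the mailing-list thread). Addresses below are
constructed examples from the 2001:db8::/32 documentation prefix.
"""
import ipaddress
from typing import Iterable, List, Set

ALL_NODES = ipaddress.IPv6Address("ff02::1")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group of a unicast address (RFC 4291 2.7.1):
    ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def router_groups(router_addrs: Iterable[str]) -> Set[ipaddress.IPv6Address]:
    """Groups a router interface joins by default per RFC 4861: the all-nodes
    group plus the solicited-node group of each of its own addresses."""
    groups = {ALL_NODES}
    for addr in router_addrs:
        groups.add(solicited_node(addr))
    return groups


def dad_ns_visible(router_addrs: Iterable[str], tentative_addr: str,
                   all_multicast: bool = False) -> bool:
    """Does the router receive the NS(DAD) a host sends for tentative_addr?

    A host sends NS(DAD) to the solicited-node group of the tentative address.
    With default joins the router only sees it if that group coincides with one
    it joined. An ND Proxy instead receives all multicast (all_multicast=True)
    and therefore sees every NS(DAD) on the link.
    """
    if all_multicast:
        return True
    return solicited_node(tentative_addr) in router_groups(router_addrs)


def unseen_dad(router_addrs: Iterable[str],
               tentative_addrs: Iterable[str]) -> List[str]:
    """Tentative addresses whose NS(DAD) a default-joined router never sees."""
    return [a for a in tentative_addrs if not dad_ns_visible(router_addrs, a)]


if __name__ == "__main__":
    router = ["fe80::1", "2001:db8:1::1"]          # constructed router addresses
    hosts = ["2001:db8:2::1", "2001:db8:2::abcd:1234"]  # constructed tentative UGAs
    for h in hosts:
        print(h, "->", solicited_node(h), "seen:", dad_ns_visible(router, h))
    print("missed with default joins:", unseen_dad(router, hosts))
```

Only the host whose low 24 bits collide with a router address (here ::1) has its DAD probe land in a group the router joined; the other is missed unless the router receives all multicast.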

-----Original Message-----
From: owner-v6ops(_at_)ops(_dot_)ietf(_dot_)org 
[mailto:owner-v6ops(_at_)ops(_dot_)ietf(_dot_)org] On Behalf Of Dunn, Jeffrey H.
Sent: Friday, November 06, 2009 6:26 PM
To: Wes Beebee (wbeebee); Antonio Querubin
Cc: Thomas Narten; Fred Baker (fred); 6man-ads(_at_)tools(_dot_)ietf(_dot_)org; 
SAVI Mailing List; william(_dot_)allen(_dot_)simpson(_at_)gmail(_dot_)com; 
Hesham Soliman; IETF(_at_)core3(_dot_)amsl(_dot_)com; Erik Nordmark; 
savi-ads(_at_)tools(_dot_)ietf(_dot_)org; IPv6 Operations; Susan Thomson 
(sethomso); v6ops-ads(_at_)tools(_dot_)ietf(_dot_)org; Robin Mersh; Mailing 
List; Susan(_at_)core3(_dot_)amsl(_dot_)com; JINMEI Tatuya / 神明達哉; Dunn, 
Jeffrey H.
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security

Wes,

That is an interesting idea. One question occurs to me that you can probably 
answer. What happens if a host behind the CPE router does SLAAC, configures a 
UGA? Since it has already done DAD, the host assumes it has an unused address. 
When the host finally tries to use the UGA to access the Internet and the 
access router sends an NA or NS(DAD), what should the host do? It has already 
validated the UGA using DAD. My interpretation is that it should reply to the 
NS(DAD) with an NA (based on RFC 4862). I am not sure about a duplicate NA, 
since DAD is supposed to prevent this. 

Best Regards, 
  
Jeffrey Dunn 
Info Systems Eng., Lead 
MITRE Corporation.
(301) 448-6965 (mobile)


-----Original Message-----
From: Wes Beebee (wbeebee) [mailto:wbeebee(_at_)cisco(_dot_)com] 
Sent: Friday, November 06, 2009 4:48 PM
To: Dunn, Jeffrey H.; Antonio Querubin
Cc: Thomas Narten; Fred Baker (fred); 6man-ads(_at_)tools(_dot_)ietf(_dot_)org; 
SAVI Mailing List; william(_dot_)allen(_dot_)simpson(_at_)gmail(_dot_)com; 
Hesham Soliman; IETF(_at_)core3(_dot_)amsl(_dot_)com; Erik Nordmark; 
savi-ads(_at_)tools(_dot_)ietf(_dot_)org; IPv6 Operations; Susan Thomson 
(sethomso); v6ops-ads(_at_)tools(_dot_)ietf(_dot_)org; Robin Mersh; Mailing 
List; Susan(_at_)core3(_dot_)amsl(_dot_)com; JINMEI Tatuya / 神明達哉
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security

The key is that the access router (which is the only router that knows this is 
an NBMA link and not a BMA link) can selectively decide to send ND messages 
(either NAs or NS(DAD) messages) when the access router detects that there is 
a duplicate on the link.  This is the minimum requirement to support DAD on an 
NBMA link.  This would need to be specified in an NBMA-specific document and 
probably doesn't need to be mentioned in a document like RFC 4861.

- Wes 

-----Original Message-----
From: owner-v6ops(_at_)ops(_dot_)ietf(_dot_)org 
[mailto:owner-v6ops(_at_)ops(_dot_)ietf(_dot_)org] On Behalf Of Dunn, Jeffrey H.
Sent: Friday, November 06, 2009 2:18 PM
To: Antonio Querubin
Cc: Thomas Narten; Fred Baker (fred); 6man-ads(_at_)tools(_dot_)ietf(_dot_)org; 
SAVI Mailing List; william(_dot_)allen(_dot_)simpson(_at_)gmail(_dot_)com; 
Hesham Soliman; IETF(_at_)core3(_dot_)amsl(_dot_)com; Erik Nordmark; 
savi-ads(_at_)tools(_dot_)ietf(_dot_)org; IPv6 Operations; Susan Thomson 
(sethomso); v6ops-ads(_at_)tools(_dot_)ietf(_dot_)org; Robin Mersh; Mailing 
List; Susan(_at_)core3(_dot_)amsl(_dot_)com; JINMEI Tatuya / 神明達哉; Dunn, 
Jeffrey H.
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security

Antonio,

Regardless of whether the ISP bridges the NBMA links or not, the CPE router 
will not propagate the ND or NS messages onto these links. The Ethernet and 
Wi-Fi BMA LAN segments are separate logical links from each other and the ISP 
link(s). How will the CPE router be "convinced" to bridge these link-local 
scoped messages off link?

Best Regards, 
  
Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.
(301) 448-6965 (mobile)


-----Original Message-----
From: Antonio Querubin [mailto:tony(_at_)lava(_dot_)net]
Sent: Friday, November 06, 2009 1:35 PM
To: Dunn, Jeffrey H.
Cc: Thomas Narten; Fred Baker; 6man-ads(_at_)tools(_dot_)ietf(_dot_)org; SAVI 
Mailing List; william(_dot_)allen(_dot_)simpson(_at_)gmail(_dot_)com; Hesham 
Soliman; IETF(_at_)core3(_dot_)amsl(_dot_)com; Erik Nordmark; 
savi-ads(_at_)tools(_dot_)ietf(_dot_)org; IPv6 Operations; Thomson; 
v6ops-ads(_at_)tools(_dot_)ietf(_dot_)org; Robin Mersh; Mailing List; 
Susan(_at_)core3(_dot_)amsl(_dot_)com; JINMEI Tatuya / 神明達哉
Subject: RE: Fwd: Broadband Forum liaison to IETF on IPv6 security

On Fri, 6 Nov 2009, Dunn, Jeffrey H. wrote:

> The problem is IMHO the following: How to assign an IPv6 UGA to CPE 
> hosts attached to a BMA LAN (usually Ethernet or Wi-Fi) that is in 
> turn connected via a CPE router through an NBMA link (cable modem or 
> DSL) to an ISP router that provides Internet access. Currently, there 
> are two

And what happens when there are multiple CPE routers

a)  connected via a BMA LAN to the DSL or cable modem

and/or

b)  'connected' via separate NBMA links but are on the same WAN subnet 
(assigned by the ISP)

I think in the latter, if the ISP decides to silo the individual NBMA links 
then they need to adjust for that in how they do the sub-delegation which is I 
think what the issue is.  But if the ISP actually bridges the separate NBMA 
links, then there's no silo issue and the CPE can pretend they're in 'a'.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp:  tony(_at_)lava(_dot_)net
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf