[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on draft-ietf-v6ops-ra-guard-00.txt



Hi,

Some typos and comments/questions inline below.

Internet-Drafts@ietf.org writes:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IPv6 Operations Working Group of the IETF.
>
>
> 	Title           : IPv6 RA-Guard
> 	Author(s)       : G. Van de Velde, et al.
> 	Filename        : draft-ietf-v6ops-ra-guard-00.txt
> 	Pages           : 9
> 	Date            : 2008-06-30
>
> When using IPv6 within a single L2 network segment it is neccesary to
                                                           ^^^^^^^^^
                                                           necessary

> ensure that all routers advertising their services within it are
> valid.  In cases where it is not convinient or possible to use SeND
                                   ^^^^^^^^^^
                                   convenient

> [RFC3971] a rogue Router Advertisement (RA) [RFC4861] could be sent
> by accident due to misconfiguraton or ill intended.  Simple solutions
> for protecting against rogue RAs are beneficial in complementing SeND
> in securing the L2 domain for ceratin types of devices or in certain
                                ^^^^^^^
                                certain

> transitional situations.
> This document proposes a solution to reduce the threat of rogue RAs
> by enabling layer 2 devices to forward only RAs received over
> designated ports.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-v6ops-ra-guard-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
>
>
>
> v6ops Working Group                                      G. Van de Velde
> Internet-Draft                                          E. Levy-Abegnoli
> Expires: January 2, 2009                                    C. Popoviciu
>                                                            Cisco Systems
>                                                               J. Mohacsi
>                                                           NIIF/Hungarnet
>                                                             July 1, 2008
>
>
>                              IPv6 RA-Guard
>                    <draft-ietf-v6ops-ra-guard-00.txt>
>
> Status of this Memo
>
>    By submitting this Internet-Draft, each author represents that any
>    applicable patent or other IPR claims of which he or she is aware
>    have been or will be disclosed, and any of which he or she becomes
>    aware will be disclosed, in accordance with Section 6 of BCP 79.
>
>    Internet-Drafts are working documents of the Internet Engineering
>    Task Force (IETF), its areas, and its working groups.  Note that
>    other groups may also distribute working documents as Internet-
>    Drafts.
>
>    Internet-Drafts are draft documents valid for a maximum of six months
>    and may be updated, replaced, or obsoleted by other documents at any
>    time.  It is inappropriate to use Internet-Drafts as reference
>    material or to cite them other than as "work in progress."
>
>    The list of current Internet-Drafts can be accessed at
>    http://www.ietf.org/ietf/1id-abstracts.txt.
>
>    The list of Internet-Draft Shadow Directories can be accessed at
>    http://www.ietf.org/shadow.html.
>
>    This Internet-Draft will expire on January 2, 2009.
>
> Abstract
>
>    When using IPv6 within a single L2 network segment it is neccesary
                                                              ^^^^^^^^^
                                                              necessary

>    ensure that all routers advertising their services within it are
>    valid.  In cases where it is not convinient or possible to use SeND
                                      ^^^^^^^^^^
                                      convenient

>    [RFC3971] a rogue Router Advertisement (RA) [RFC4861] could be sent
>    by accident due to misconfiguraton or ill intended.  Simple solutions
>    for protecting against rogue RAs are beneficial in complementing SeND
>    in securing the L2 domain for ceratin types of devices or in certain
>    transitional situations.

[snip]

> 1.  Introduction
>
>    When operating IPv6 in a shared L2 network segment without complete
>    SeND support by all devices connected or without the availability of
>    the infrastructure neccesary to support SeND, there is always the
                        ^^^^^^^^^
                        necessary

>    risk of facing operational problems due to rogue Router
>    Advertisements generated malliciously or unintentionaly by
                              ^^^^^^^^^^^^    ^^^^^^^^^^^^^^
                              maliciously              nally ?

>    unauthorized or improperly configured routers connecting to the
>    segment.
>
>    There are several examples of work done on this topic which resulted
>    in several related studies [reference1] [reference2]
>    [reference3].This document describes a solution framework to the
>    rogue-RA problem where network segments are designed around a single
>    or a set of L2-switching devices capable of identifying invalid RAs
>    and blocking them.  The solutions developed within this framework can
>    span the spectrum from basic (where the port of the L2 device is
>    statically instructed to forward or not to forward RAs received from
>    the connected device) to advanced (where a criteria is used by the L2
>    device to dynamically validate or invalidate a received RA, this
>    criteria can even be based on SeND mechanisms).
>
>
> 2.  RA-guard as a deployment complement to SEND
>
>    RA-guard does not intend to provide a substitute for SeND based
>    solutions.  It actually intends to provide complementary solutions in
>    those environments where SeND might not be suitable or fully
>    supported by all devices involved.  It may take time untill SeND is
                                                          ^^^^^^
                                                          until

>    ubiquitous in IPv6 networks and some of its large scale deployment
>    aspects are sorted out such as provisioning hosts with trust anchors.
>    It is also reasonable to expect that some devices might not consider
>    implementing SeND at all such as IPv6 enabled sensors.  The RA-guard
>    "SeND-validating" RA on behalf of hosts would potentially simplify
>    some of these challenges.
>
>    RA-guard can be seen as a superset of SEND with regard to router
>    authorization.  Its purpose is to filter Router Advertizements based
>    on a set of criterias, from a simplistic "RA dis-allowed on a given
                                                  ^^^^^^^^^^^
                                                  disallowed

>    interface" to "RA allowed from pre-defined sources" and up to full
>    SEND fledge "RA allowed from authorized sources only".
>
>    In addition to this granularity on the criteria for filtering out
>    Router Advertizements, RA-guard introduces the concept of router
            ^^^^^^^^^^^^^^ 
            Advertisements

>    authorization proxy.  Instead of each node on the link analysing RAs
>    and making an individual decision, a legitimate node-in-the-middle
>    performs the analysis on behalf of all other nodes on the link.  The
>    analysis itself is not different from what each node would do: if
>
>
>
> Van de Velde, et al.     Expires January 2, 2009                [Page 3]
>
> Internet-Draft                IPv6 RA-Guard                    July 2008
>
>
>    SeND is enabled, the RA is checked against X.509 certificates.  If
>    any other criteria is in use, such as known L3 (addresses) or L2
>    (link-layer address, port number) legitimate sources of RAs, the
>    node-in-the middle can use this criteria and filter out any RA that
>    does not comply.  If this node-in-the-middle is a L2 device, it will
>    not change the content of the validated RA, and avoid any of the nd-
>    proxy pitfalls.
>
>    RA-guard intends to provide simple solutions to the rogue-RA problem
>    in contexts where simplicity is required while leveraging SeND in
>    context with a mix of SeND capable devices (L2 switches and routers)
>    and devices that do not consistently use SeND.  Futhermore, RA-guard
>    is useful to simplify SeND deployments, as only the L2 switch and the
>    routers are required to carry certificates -their own and the trust
>    anchor certificates-.

For what purpose would the switches need their own certificate if they
should act transparently (maybe it's simply the sentence) ?

> 3.  RA-Guard state-machine
>
>    RA-Guard runs on devices that provide connectivity between hosts and
>    other hosts or networking devices.  An example of such RA-Guard
>    capable device would be an OSI Layer-2 switch.  The capability can be
>    enabled globally at device level or at interface level.
>
>    When RA-Guard is SEND-based, the timing of the learning phase, as
>    well as the overall behavior of the device doing RA-guard is as-
>    defined in [RFC3971].

     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     What does it mean, *precisely* ?

>    When RA-guard is using more static criterias, the state-machine of
>    the RA-Guard capability consists of three different states:
>       State 1: OFF
>       State 2: LEARNING
>       State 3: ACTIVE
>
>    The transition between these states can be triggered by manual
>    configuration or by meeting a pre-defined criteria.
>
> 3.1.  RA-Guard state: OFF
>
>    A device or interface in RA-Guard "OFF" state, operates as if the RA-
>    Guard capability is not available.
>
> 3.2.  RA-Guard state: LEARNING
>
>    A device or interface in the RA-Guard "Learning" state is actively
>    acquiring information about the devices connected to its interfaces.
>    The learning process takes place over a pre-defined period of time by
>    capturing router advertisments or it can be event triggered.  The
                      ^^^^^^^^^^^^^^
                      advertisements

>
>
>
> Van de Velde, et al.     Expires January 2, 2009                [Page 4]
>
> Internet-Draft                IPv6 RA-Guard                    July 2008
>
>
>    information gathered is compared against pre-defined criteria which
>    qualify the validity of the RAs.
>
>    In this state, the RA-Guard enabled device or interface is either
>    blocking all RAs until their validity is verified or, alternatively
>    it can temporarily forward the RAs until the decision is being made.
>
> 3.3.  RA-Guard state: ACTIVE
>
>    A device or interface running RA-Guard and in Active state will block
>    ingress RA-messages deemed invalid and will forward those deemed
>    valid based on a pre-defined criteria defined.
                                           ^^^^^^^
                                           to be removed


> 4.  RA-Guard interface states
>
>    The interfaces of devices with the RA-guard capability enabled can be
>    in three possible states related to RA handling: Learning, Blocking
>    and Forwarding.
>
> 4.1.  RA-Blocking interface
>
>    An interface in the RA Blocking state blocks all ingress RA messages
>    when RA-Guard capability is activated on a device.
>
> 4.2.  RA-Forwarding interface
>
>    An interface in the RA Forwarding state forwards all ingress RA
>    messages deemed valid when RA-Guard capability is activated on a
>    device.
>
> 4.3.  RA-Learning interface
>
>    An interface in a RA Learning state snoops all received RAs and
>    compares them against the criteria identifying valid RAs.  While in
>    this state, the RAs can be blocked or forwarded until a decission
                                                             ^^^^^^^^^
                                                             decision

>    is taken regarding their validity.
>
> 4.4.  RA-Guard interface state transition
>
>    In the simplest cases, an RA-Guard enabled interface can be manually
>    set in an RA-Blocking or RA-Forwarding state.  By default, the
>    interfaces of a legitimate node-in-the-middle could be set in RA-
>    Blocking mode and enabled for forwarding by the network
>    administrator.  In the more general case, the interface acquires RA
>    information during the RA Learning state and by using a pre-defined
>    validity criteria (see section 2) decides whether the analyzed RAs
>    should be forwarded or blocked.  Based on this decission, the
                                                    ^^^^^^^^^
                                                    decision

>    interface transitions into the RA Blocking or the RA Forwarding
>    state.
>
>    Upon detecting new RAs, a port can transition back into an RA-Guard
>    Learning state.
                                    ^^^
                            ambiguous, too vague

> 5.  RA-Guard Use Considerations
> 
>    The RA-Guard mechanism is effective only when all mesages between
                                                       ^^^^^^^
                                                       messages

>    IPv6 devices in the target environment traverse the controlled L2
>    networking devices.  When on a shared media such as an Ethernet hub,
>    devices can communicate directly without going through an RA-Guard
>    capable L2 networking device.  In this scenario, the RA- Guard
>    feature cannot protect against rogue-RAs.
> 
>    RA-Guard mecahnism does not protect against tunneled IPv6 traffic.

[snip]

> 7.  Security Considerations
>
>    There are no extra Security consideration for this document.

     really ? ;-)

[snip]

a+

Attachment: pgpkw85QJ2qqC.pgp
Description: PGP signature