Operational Neighbor Discovery Problems
draft-ietf-v6ops-v6nd-problems-05
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-03-06
|
05 | Joel Jaeggli | New version available: draft-ietf-v6ops-v6nd-problems-05.txt |
2012-03-05
|
04 | Cindy Morgan | State changed to RFC Ed Queue from Approved-announcement sent |
2012-03-05
|
04 | (System) | IANA Action state changed to RFC-Ed-Ack |
2012-03-05
|
04 | Cindy Morgan | State changed to Approved-announcement sent from Approved-announcement to be sent |
2012-03-05
|
04 | Cindy Morgan | IESG has approved the document |
2012-03-05
|
04 | Cindy Morgan | Closed "Approve" ballot |
2012-03-05
|
04 | Cindy Morgan | Ballot approval text was generated |
2012-03-05
|
04 | Cindy Morgan | Ballot writeup was changed |
2012-03-03
|
04 | Ron Bonica | State changed to Approved-announcement to be sent from Approved-announcement to be sent::Point Raised - writeup needed |
2012-03-01
|
04 | Cindy Morgan | State changed to Approved-announcement to be sent::Point Raised - writeup needed from Waiting for AD Go-Ahead |
2012-03-01
|
04 | Ralph Droms | [Ballot Position Update] New position, No Objection, has been recorded for Ralph E. Droms |
2012-03-01
|
04 | Gonzalo Camarillo | [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo |
2012-03-01
|
04 | Jari Arkko | [Ballot comment] Thanks for writing this document. |
2012-03-01
|
04 | Jari Arkko | [Ballot Position Update] New position, Yes, has been recorded for Jari Arkko |
2012-02-29
|
04 | Wesley Eddy | [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy |
2012-02-29
|
04 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
2012-02-29
|
04 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks |
2012-02-29
|
04 | Stewart Bryant | [Ballot comment] I have no objection to the publication of this document. It discusses a problem that is very close to the problem that we … [Ballot comment] I have no objection to the publication of this document. It discusses a problem that is very close to the problem that we have chartered the ARMD to address and I am wondering whether there needs to be a reference to that work. |
2012-02-29
|
04 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant |
2012-02-28
|
04 | Peter Saint-Andre | [Ballot comment] This document sure feels like a standards-track Applicability Statement to me. Did the WG consider requesting a status of Proposed Standard? Please consider … [Ballot comment] This document sure feels like a standards-track Applicability Statement to me. Did the WG consider requesting a status of Proposed Standard? Please consider citing RFC 4732 at the first use of the term Denial of Service. |
2012-02-28
|
04 | Peter Saint-Andre | [Ballot Position Update] New position, No Objection, has been recorded for Peter Saint-Andre |
2012-02-28
|
04 | Adrian Farrel | [Ballot comment] I have no objeciton to the publication of this document, but I noticed a few small points I hope you will look at … [Ballot comment] I have no objeciton to the publication of this document, but I noticed a few small points I hope you will look at before publication. --- While appreciating the desire to use RFCs to force vendors to provide specific function to the operators, I don't think that the use of RFC 2119 language in this Informational document adds very much (the language is intended to add clarity to protocol specifiations, and is sometimes used to make requirements documents clearer). In fact, I cold only find two uses of such language (both are "SHOULD") in this document so I suggest you change them to normal lower case, and drop the boilerplate from Section 1. --- Section 4 During testing it was concluded that 4 simultaneous nmap sessions from a low-end computer was sufficient to make a router's neighbor discovery process unusable and therefore forwarding became unavailable to the destination subnets. Without casting aspertions on the authors, is it possible to provide some qualification of this statement? For example, a reference to the test description and results, or a simple note as to by whom the testing was carried out. Similarly... The failure to maintain proper NDP behavior whilst under attack has been observed across multiple platforms and implementations, including the largest modern router platforms available (at the inception of work on this document). ... would benefit from a reference. --- Section 6 s/stipulated/suggested/ or s/stipulated/stated/ --- Section 7 might benefit from more detail on the management interfaces that operators would like to see provided by vendors both for the control of the optional mechanisms discussed in this document and for the notification about and analysis of attacks. --- It might have been nice to add a note about the interaction with mobility (such as of VMs in a data center). |
2012-02-28
|
04 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2012-02-27
|
04 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley |
2012-02-23
|
04 | Sam Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Brian Weis. |
2012-02-20
|
04 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call. |
2012-02-17
|
04 | Amanda Baber | We understand that this document doesn't require any IANA actions. |
2012-02-09
|
04 | Jean Mahoney | Request for Last Call review by GENART is assigned to Joel Halpern |
2012-02-09
|
04 | Jean Mahoney | Request for Last Call review by GENART is assigned to Joel Halpern |
2012-02-08
|
04 | Sam Weiler | Request for Last Call review by SECDIR is assigned to Brian Weis |
2012-02-08
|
04 | Sam Weiler | Request for Last Call review by SECDIR is assigned to Brian Weis |
2012-02-06
|
04 | Amy Vezza | Last call sent |
2012-02-06
|
04 | Amy Vezza | State changed to In Last Call from Last Call Requested. The following Last Call Announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: … State changed to In Last Call from Last Call Requested. The following Last Call Announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Subject: Last Call: (Operational Neighbor Discovery Problems) to Informational RFC The IESG has received a request from the IPv6 Operations WG (v6ops) to consider the following document: - 'Operational Neighbor Discovery Problems' as an Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2012-02-20. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery (ND) can be vulnerable to deliberate or accidental denial of service, whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial of attacks can be launched intentionally (by an attacker), or result from legitimate operational tools or accident conditions. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted. This document describes the potential for DOS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can in some cases be used to protect against or at least alleviate the impact of such attacks. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6nd-problems/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6nd-problems/ No IPR declarations have been submitted directly on this I-D. |
2012-02-04
|
04 | Ron Bonica | Placed on agenda for telechat - 2012-03-01 |
2012-02-04
|
04 | Ron Bonica | Ballot has been issued |
2012-02-04
|
04 | Ron Bonica | [Ballot Position Update] New position, Yes, has been recorded for Ronald Bonica |
2012-02-04
|
04 | Ron Bonica | Ballot has been issued |
2012-02-04
|
04 | Ron Bonica | Created "Approve" ballot |
2012-02-04
|
04 | Ron Bonica | Last Call was requested |
2012-02-04
|
04 | (System) | Ballot writeup text was added |
2012-02-04
|
04 | (System) | Last call text was added |
2012-02-04
|
04 | Ron Bonica | State changed to Last Call Requested from Publication Requested. |
2012-02-04
|
04 | Ron Bonica | Last Call text changed |
2012-02-03
|
04 | (System) | New version available: draft-ietf-v6ops-v6nd-problems-04.txt |
2012-01-26
|
04 | Ron Bonica | Ballot writeup text changed |
2012-01-25
|
03 | (System) | New version available: draft-ietf-v6ops-v6nd-problems-03.txt |
2012-01-25
|
04 | Cindy Morgan | (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he … (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? The document shepherd is Fred Baker. Yes, I believe that it is ready for IESG consideration. A related (solution) draft is under discussion in 6man: http://datatracker.ietf.org/doc/draft-gashinsky-6man-v6nd-enhance http://tools.ietf.org/html/draft-gashinsky-6man-v6nd-enhance "Neighbor Discovery Enhancements for DOS mititgation", Warren Kumari, 8-Jan-12 (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? Yes. I was discussed in v6ops at IETF 81 and 82. The original draft discussed the problem and a proposed solution; this draft is simply the problem statement (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML? No. The solution may call for wider review, but not the problem statement. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. No. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? Yes. We had numerous review comments, mostly of the form (to quote Randy Bush) "I like". (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) No. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See the Internet-Drafts Checklist and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? yes. (1.h) Has the document split its references into normative and informative? yes. Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. the normative references are all RFCs. (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? yes. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? there are none. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery can be vulnerable to deliberate or accidental denial of service, whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial of attacks can be launched intentionally (by an attacker), or result from legitimate operational tools or accident conditions. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted. This document describes the potential for DOS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can in some cases be used to protect against or at least alleviate the impact of such attacks. Working Group Summary The topic was discussed in v6ops, with essentially smooth consensus supporting the document. Document Quality This is a problem statement. As such, one doesn't expect an implementation... |
2012-01-25
|
04 | Cindy Morgan | Draft added in state Publication Requested |
2012-01-25
|
04 | Cindy Morgan | [Note]: 'Fred Baker (fred@cisco.com) is the document shepherd.' added |
2012-01-08
|
02 | (System) | New version available: draft-ietf-v6ops-v6nd-problems-02.txt |
2011-12-05
|
01 | (System) | New version available: draft-ietf-v6ops-v6nd-problems-01.txt |
2011-11-19
|
04 | Fred Baker | IETF state changed to In WG Last Call from WG Document |
2011-11-19
|
04 | Fred Baker | Accepted by working group in IETF 82, essentially a problem statement for 6man work |
2011-11-19
|
04 | Fred Baker | Annotation tag Doc Shepherd Follow-Up Underway set. |
2011-10-24
|
00 | (System) | New version available: draft-ietf-v6ops-v6nd-problems-00.txt |