nanog mailing list archives

Re: NIST IPv6 document


From: Jack Bates <jbates () brightok net>
Date: Thu, 06 Jan 2011 09:44:13 -0600

On 1/6/2011 9:27 AM, Mikael Abrahamsson wrote:
> On Thu, 6 Jan 2011, Lamar Owen wrote:
>
>> Ok, perhaps I'm dense, but why is the router going to try to find a
>> host that it already doesn't know based on an unsolicited outside
>> packet? Why is the router trusting the outside's idea of what
>> addresses are active, and why isn't the router dropping packets on the
>> floor destined to hosts on one of its interfaces' local subnets that
>> it doesn't already know about?
>
> Because the standard says it should do that.


The standard was broken with arp, and continues to be broken with NDP. Routers should not handle things the same as normal hosts.

>> If the packet is a response to a request from the host, then the
>> router should have seen the outgoing packet (or, in the case of
>> HSRP-teamed routers, all the routers in the standby group should be
>> keeping track of all hosts, etc) and it should already be in the
>> neighbor table.
>
> Are you trying to abolish the end to end principle of the Internet by
> implementing stateful firewalls in all routers?


Not stateful firewalls. He's referring to neighbor learning based on incoming traffic to the router from the trusted side, i.e., I received a packet from the server, so I will add his MAC to my neighbor table. There are many methods for learning MAC addresses, though. DHCP/MAC security with static ARP and other viable options have properly killed this problem in v4 by routers not looking for unknown neighbors.

>> Like I said, perhaps I'm dense and ignorant and just simply
>> misunderstanding the issue, but I still find it hard to believe that a
>> router would blindly trust an outside address to know about an inside
>> address that is not already in the router's neighbor table.
>
> That's how it's always worked, both for v4 and v6.


It's how it works, but not how it should work. In recent years, v4 has seen some nice implementations that are specifically designed (especially for eyeball networks who have vast pools of space) to keep routers from sending unsolicited ARP requests and to maintain only a valid pool of mappings.

That is how the protocols should have been designed in the first place. Host-to-host communications are one thing. Router-to-host communications should be designed with the idea that the host needs to tell the router who it is, not the router asking. This keeps packets from unknown hosts from causing these table issues. There are also security measures (some of the above are designed to do this) dealing with local abuse and hijacking, but that is a separate issue. This is about resource exhaustion, and policing/ACLs aren't the proper fix. Having hosts (in a secure or insecure manner) notify the router of their mapping is the appropriate fix. Protocol-wise, insecure is fine, wrapped with an extra layer of security (as security can have multiple implementations).

Jack
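The argument above is about a router creating neighbor-cache state for on-link addresses it has never heard from, and whether the "host registers first" model would stop the cache from being exhausted. The following is an added example written for this archive page; it is not code from the thread or from any router vendor. It parses a constructed sample of Linux `ip -6 neigh show` output to count unresolved (INCOMPLETE/FAILED) entries per interface, which is the quick check a practitioner runs to see whether a cache is being thrashed; it then contrasts the RFC 4861 "solicit on demand" behaviour with the "forward only to registered neighbors" policy Jack argues for, and runs a small address-scan simulation against a fixed-size cache. The cache capacity, the alert thresholds and the FIFO eviction rule are assumptions for illustration, not any real router's values.

```python
"""Spot NDP neighbor-cache thrashing and compare two router policies.

Added example for the NANOG thread above, not code from the thread or any
vendor. Sample `ip -6 neigh show` output, thresholds, cache size and the
FIFO eviction rule are all constructed assumptions.
"""
import ipaddress
import random
import re
from collections import Counter, OrderedDict

# Constructed sample imitating the Linux `ip -6 neigh show` line format.
SAMPLE_NEIGH_OUTPUT = """\
2001:db8:1::10 dev eth1 lladdr 52:54:00:aa:bb:01 REACHABLE
2001:db8:1::11 dev eth1 lladdr 52:54:00:aa:bb:02 STALE
2001:db8:1::beef dev eth1  INCOMPLETE
2001:db8:1::dead dev eth1  FAILED
2001:db8:1::1234 dev eth1  INCOMPLETE
2001:db8:1::5678 dev eth1  INCOMPLETE
fe80::5054:ff:feaa:bb01 dev eth1 lladdr 52:54:00:aa:bb:01 router REACHABLE
2001:db8:2::20 dev eth2 lladdr 52:54:00:aa:bb:20 REACHABLE
"""

# addr, dev, optional lladdr, optional router/proxy flags, then the NUD state.
LINE_RE = re.compile(
    r"^(\S+) dev (\S+)(?: lladdr (\S+))?(?: (?:router|proxy))*\s+([A-Z]+)$"
)

# States in which the router has a cache slot but no link-layer address.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def parse_neigh(text):
    """Parse `ip -6 neigh show` style lines into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised neigh line: {line!r}")
        addr, dev, lladdr, state = m.groups()
        entries.append({"addr": ipaddress.ip_address(addr), "dev": dev,
                        "lladdr": lladdr, "state": state})
    return entries


def cache_stats(entries):
    """Per-interface counts of total, resolved and unresolved entries."""
    stats = {}
    for e in entries:
        s = stats.setdefault(e["dev"], Counter())
        s["total"] += 1
        s["unresolved" if e["state"] in UNRESOLVED else "resolved"] += 1
    return stats


def thrash_suspects(entries, min_unresolved=3, min_ratio=0.5):
    """Interfaces whose cache is dominated by unresolved entries (assumed thresholds)."""
    out = []
    for dev, s in sorted(cache_stats(entries).items()):
        if s["unresolved"] >= min_unresolved and s["unresolved"] / s["total"] >= min_ratio:
            out.append(dev)
    return out


def next_hop_action(entries, dst, onlink_prefix, dev, policy="rfc4861"):
    """What the router does with a packet for dst under each policy.

    'rfc4861': an unknown on-link destination gets an INCOMPLETE entry and a
    multicast Neighbor Solicitation ("solicit"), which is the behaviour the
    thread complains about.  'registered-only': forward only to neighbors that
    already have a link-layer address in the cache, drop everything else.
    """
    dst = ipaddress.ip_address(dst)
    if dst not in ipaddress.ip_network(onlink_prefix):
        return "route"  # not on this link: ordinary forwarding lookup
    known = {e["addr"]: e for e in entries if e["dev"] == dev}
    e = known.get(dst)
    if e is not None and e["lladdr"]:
        return "forward"
    if policy == "registered-only":
        return "drop"
    return "solicit"


def simulate_scan(n_probes, cache_capacity, legit_count, policy, seed=1):
    """Scan random interface IDs in 2001:db8:1::/64; return surviving legit entries.

    Assumed model: a fixed-size cache that evicts its oldest entry when full.
    Legitimate hosts are assumed idle during the scan, so nothing refreshes them.
    """
    rng = random.Random(seed)
    base = int(ipaddress.ip_address("2001:db8:1::"))
    cache = OrderedDict((base + i, "REACHABLE") for i in range(1, legit_count + 1))
    for _ in range(n_probes):
        target = base + rng.getrandbits(64)  # random interface ID in the /64
        if target in cache or policy == "registered-only":
            continue  # known neighbor, or policy never solicits unknowns
        if len(cache) >= cache_capacity:
            cache.popitem(last=False)  # FIFO eviction, legit entries go first
        cache[target] = "INCOMPLETE"
    return sum(1 for a, st in cache.items()
               if base < a <= base + legit_count and st == "REACHABLE")


if __name__ == "__main__":
    entries = parse_neigh(SAMPLE_NEIGH_OUTPUT)
    for dev, s in cache_stats(entries).items():
        print(f"{dev}: {s['resolved']} resolved, {s['unresolved']} unresolved")
    print("thrash suspects:", thrash_suspects(entries))
    for policy in ("rfc4861", "registered-only"):
        print(policy, "legit entries surviving a 1000-probe scan:",
              simulate_scan(1000, 16, 10, policy))
```

On a real box the input is `ip -6 neigh show` piped into `parse_neigh`; a rising INCOMPLETE/FAILED share on one interface while reachable hosts fall out of the table is the symptom the thread describes, and the simulation shows why the registered-only policy is immune to it: no unsolicited outside packet can create cache state.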

