Apologies for the very late reply: change weekends.

Daniel Migault <mailto:[email protected]>
20 March 2015 20:55
Hi Ray,

Please see my comments in text.

    I think the description of the requirements and overall chain of
    events is excellent. Thanks for that.

    However I'm not particularly convinced by the security and
    authentication mechanisms, as the proposed text just seems to punt
    these to another transport protocol.

Thank you for raising this point, but this is not the case. I need to make the text clearer. When a renumbering occurs, the Hidden Master changes its IP address, and has to provide the new IP address to the slave. This can be done with DNS extensions or other layers. I will update the section 9.1.2 to clarify this.
Cool. Thanks.


    I also don't see the recovery mechanism/ how to distinguish
    between a break before make event, and a make before break where
    the ISP's DNS servers may not be reachable at the moment of
    renumbering, or that a Homenet is simply not reachable for some
    time, and comes up "unnumbered" with no old IP, or that the
    Homenet never comes back at all. It seems to me that you could
    also end up hosting lots of cruft in the ISP servers, and there's
    a need for some garbage collection.

I am not sure I correctly get the use case:
a) It seems to me you consider also the case where the slave is being renumbered. I did not considered this point and assume these servers will hardly renumbered.
To be honest this should be a corner case.

But it would be nice if the slave was also discovered via a DNS records rather, than a literal, or cached IPv6 address.
b) It also seems to me you consider a Homenet work that is removed or not in used, and you wonder what happen to the zone? My understanding is that it is similar a service you subscribed and you do not use. Do you mean that we should state that after some time, the slave may remove its zone?

Correct. It would be cruft removal.
Can you please elaborate on the use cases you think we should comment? Is sounds to me these considerations may not be related to renumbering, but instead to general operations.
They are indeed more general cases of changes.

    I also expect we need some more limitations on when/why a slave
    would poll an unknown hidden master, otherwise it seems to me that
    we have a nice DoS vector/ amplification attack. A number of
    attack machines could spoof notification messages pointing to
    various ISP slave systems, all pointing to a common target victim
    "new" hidden master.


This is mentioned in the NOTIFY RFC1996 in the security consideration. A forged NOTIFY results makes the slave trigger a SOA query. These are small paquets, thus the amplification factor is very small. RFC1996 qualify it as a begnin DoS attack. But I agree I will comment on that. Actually I though of writing a specific section on it. That will be done in the next version anyway.

If we are not specifying the mechanism more precisely, then there should be some warning that the slave should only try once to reach the new hidden master for every incoming notify request. Ant retries should be triggered from the hidden master sending a new NOTIFY request, not the slave retrying independently. Otherwise you really are creating an amplification attack.


    It feels to me like
    1) we need a more reliable update mechanism between the hidden
    master and the slaves (to cover longer-term unreachability events,
    or a Homenet hidden master going off air permanently)
    2) we need a more effective authentication mechanism for
    triggering updates, that is source IP address agnostic.

This is the case, as authentication is based only cryptographic keys. The IP address is only used for reach-ability and is never used otherwise.


-- Regards,
    RayH




--
Daniel Migault
Ericsson


--
Daniel Migault
Ericsson
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

Reply via email to