Dear all: I'd like to share experience and get feedback on some common problems related to host address detection, and how to solve those. Starting with what we often refer to as silent nodes, and the corollary DDoS attacks on addresses that are not effectively present in a very large subnet. Please bear with me here:
My piece in the eVPN story has been for a number of years (that's 10+) learning which IP addresses are present in the network and preventing theft and impersonation. Think SAVI (https://datatracker.ietf.org/doc/html/rfc7039) but also broadcast avoidance, e.g., over wireless and L3 distributed fabrics. The tables we build to achieve this proved useful when eVPN came in, to feed the type 2 routes in BGP. But there are a series of problems that snooping ND and DHCP never really solved, e.g., sorting out fast mobility vs. duplication vs. anycast, remote DDoS against address lookup, or the case of silent nodes. As many know well, a silent node is a node that presented no activity for one of its addresses that we could snoop, so we have no state for that address in the fabric, the classical case being that dormant printer near the wall. From there, it's either a broadcast or an unreachable address, neither of which is particularly pleasant. Such problems appeared relatively secondary in an IPv4 world with DHCP only, but are becoming more pressing with IPv6 and privacy, which imply autoconf and address rotation for multiple addresses per end point. We looked at that problem from all angles, found some proprietary games, but nothing can be as satisfying as the capability by the node to announce its addresses to the router, with enough meta to protect ownership and sort out movements, and the capability to request services from the router for that address, e.g., routing back in a multihomed environment. If every node does that, the routers have a full image of all the (MAC, IPv4, IPv6) addresses connected to the network, with neither remanent state for deprecated addresses nor dead pixels for silent nodes. Sadly, snooping protocols will not give you that. One can come close in a DHCP-only environment, but if a node rotates addresses aggressively, say, for privacy, one can still see a lot of remanent state in his network.
DevOps want more and more freedom to do their stuff in the servers and the calicos of the world, which requires more autoconf and less NetOps in the way. Net-net: the need for a stateful address autoconf model as opposed to the classical IPv6 SLAAC. So we created RFC 8505 for the address registration, and RFC 8928 that protects the registration against theft and impersonation using an autoconfigured keypair. What was missing to complete the story was the mapping to eVPN. So there we go:
https://www.ietf.org/archive/id/draft-thubert-bess-secure-evpn-mac-signaling-00.txt
What do you think?
Pascal
_______________________________________________ BESS mailing list BESS@ietf.org https://www.ietf.org/mailman/listinfo/bess