Starlink has bufferbloat. Bad.
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
To: starlink@lists.bufferbloat.net
Subject: Re: [Starlink] Measuring the Satellite Links of a LEO Network
Date: Tue, 13 Feb 2024 18:43:10 +0100
Message-ID: <f1ac805e-31ff-466d-af3d-d0ed1352f2e5@gmail.com>
In-Reply-To: <df06e221-7f77-4fda-885e-d5e903cb99ae@gmail.com>

or maybe the VRRP people don't want that address to be opaque at all, I 
don't know.


On 13/02/2024 at 18:39, Alexandre Petrescu via Starlink wrote:
>
> On 13/02/2024 at 18:12, J Pan wrote:
>> yes, the mac for fe80::200:5eff:fe00:101 is 00:00:5e:00:01:01 (a
>> virtual mac used by the virtual router redundancy protocol commonly
>> used by service providers in point-of-presence?)
>
> Do you mean that VRRP requires the use of that MAC address?
>
> In that case, the VRRP spec (RFC) should be clear that the IPv6 
> address _must not_ use that MAC address to form a link-local address, 
> and rather use opaque IIDs.
>
> I mean, where the VRRP RFC5798 tells
>
> OLD:
>
>> IPv6 routers running VRRP MUST create their Interface Identifiers in
>>     the normal manner (e.g., "Transmission of IPv6 Packets over Ethernet
>>     Networks" [RFC2464 <https://www.rfc-editor.org/rfc/rfc2464>]).
>
> it should tell
>
> NEW:
>
>> IPv6 routers running VRRP MUST create their Interface Identifiers in
>>     the normal manner, that is RFC7217 "A Method for Generating
>>     Semantically Opaque Interface Identifiers with IPv6 Stateless
>>     Address Autoconfiguration (SLAAC)" (it includes link-local
>>     address formation).
>
> Hopefully starlink agrees with it and implements it before we blink :-)
>
> Alex
>
>> -- 
>> J Pan, UVic CSc, ECS566, 250-472-5796 (NO VM), Pan@UVic.CA, 
>> Web.UVic.CA/~pan
>>
>> On Mon, Feb 12, 2024 at 6:14 AM Alexandre Petrescu via Starlink
>> <starlink@lists.bufferbloat.net> wrote:
>>> this is an issue for 6MAN WG at IETF, but this is the text with the
>>> issue in the paper:
>>>
>>>>  From the user device or customer router at 192.168.1.1,
>>>> we can reach its GS gateway at 100.64.0.1 (or equivalently
>>>> fe80::200:5eff:fe00:101 for IPv6)
>>> That IPv6 link-local address has an 'ff:fe' in it; the prefix is 'fe80'
>>> and the rest is an 'Interface ID', in RFC parlance.
>>>
>>> That IID should be more random in its appearance.  It is called an
>>> 'opaque' IID, and specified in RFC 7217 "Stable and Opaque IIDs with
>>> SLAAC" of year 2014.
>>>
>>> That IPv6 address corresponds to earlier forms of these IIDs
>>> (RFC2464 of year 1998); they had that IID to be derived from a
>>> 48bit MAC address and inserted an 'ff:fe' string in it to become
>>> 64bit.
>>>
>>> Most embedded linux platforms (v2.x kernels?) still use that ff:fe.
>>> Migrating these kernels is sometimes very difficult.  One might not
>>> want to migrate a kernel to a bloated and slower v3 or higher just
>>> for that little 'ff:fe'.  Maybe one wants to migrate just its IPv6
>>> stack, but it's not easy.
>>>
>>> The reason of making this IID more opaque is to resist scanning
>>> attacks.  A scanning attack is when a user might have somehow an
>>> illegitimate starlink terminal and tries to connect to the legitimate
>>> starlink network.  Part of that trying is to know the IP address of the
>>> next hop.  With IPv6 it comes down to testing all these addresses.  If
>>> they have a constant 'ff:fe' in them, it is easier to find them by
>>> brute force than if they were opaque.  It is also true that if in IPv4
>>> that next hop is always the same then the easiest attack is to simply
>>> use IPv4 instead of IPv6.  But this 'opaqueness' of the IID in the
>>> IPv6 ll address might still be needed when IPv4 is gotten rid of.
>>>
>>> This could be discussed at IETF, could be suggested to starlink to
>>> upgrade, etc.
>>>
>>> Alex
>>>
>>> On 12/02/2024 at 07:59, J Pan via Starlink wrote:
>>>> http://pan.uvic.ca/webb/viewtopic.php?p=124670#p124670 to appear at
>>>> ieee icc 2024. feedback welcome, especially during the camera-ready
>>>> stage this week. thanks!  -j
>>>> -- 
>>>> J Pan, UVic CSc, ECS566, 250-472-5796 (NO VM), Pan@UVic.CA, 
>>>> Web.UVic.CA/~pan
>>>> _______________________________________________
>>>> Starlink mailing list
>>>> Starlink@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/starlink
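
Added example, not part of the original message or of any project's code: a Python sketch for auditing link-local addresses, covering the RFC 2464 'ff:fe' derivation discussed in the thread, the RFC 5798 virtual MAC layout, and a simplified RFC 7217-style opaque IID. The function names, the SHA-256 choice, the secret and the interface name are assumptions; the RFC 7217 sketch omits Network_ID and the reserved-IID check.

```python
import hashlib
import ipaddress

LL_PREFIX = b"\xfe\x80" + bytes(6)  # fe80::/64

def _mac_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    return b

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """RFC 2464 derivation: insert ff:fe mid-MAC and flip the U/L bit."""
    b = _mac_bytes(mac)
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return ipaddress.IPv6Address(LL_PREFIX + iid)

def mac_from_iid(addr: str):
    """Return the MAC embedded in an EUI-64-derived IID, or None.
    Heuristic: an opaque IID can contain ff:fe by chance (1 in 65536)."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def vrrp_vrid(mac: str):
    """RFC 5798 virtual MACs: 00-00-5E-00-01-{VRID} (IPv4) and
    00-00-5E-00-02-{VRID} (IPv6). Returns (family, VRID) or None."""
    b = _mac_bytes(mac)
    if b[:4] == bytes.fromhex("00005e00") and b[4] in (1, 2):
        return ("IPv4" if b[4] == 1 else "IPv6", b[5])
    return None

def opaque_link_local(secret: bytes, iface: str, dad_counter: int = 0):
    """Simplified RFC 7217-style IID: hash of (prefix, interface name,
    DAD counter, secret key), truncated to 64 bits. Stable per interface,
    but reveals neither the MAC nor a fixed ff:fe pattern."""
    data = LL_PREFIX + iface.encode() + bytes([dad_counter]) + secret
    return ipaddress.IPv6Address(LL_PREFIX + hashlib.sha256(data).digest()[:8])

if __name__ == "__main__":
    gw = "fe80::200:5eff:fe00:101"           # address quoted in the thread
    mac = mac_from_iid(gw)
    print(gw, "->", mac, "VRRP:", vrrp_vrid(mac))
    # Constructed secret and interface name, for illustration only.
    print("opaque:", opaque_link_local(b"constructed-secret", "eth0"))
```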
