Re: [dhcwg] RFC3315 DECLINE definition

Simon Hobson <> Mon, 13 February 2017 14:57 UTC

"Mudric, Dusan (Dusan)" <> wrote:

> - A network operator can set client IPv6 addresses on DHCPv6 server.

That is the primary function of the DHCP server ! I don't see that as a problem.

> An address can be invalid or make a client unreachable.

There are a lot of other ways to bollox up a network !
Such configurations may be deliberate. Until recently I did in fact run a network with unroutable (as in valid IP, but no router for that subnet) addresses because there was a policy decision that this particular network would be isolated - it was a backend network to carry traffic independently of the traffic on the public facing front end network.

> - A network operator can change an address prefix on a router. A client address can become unreachable

This is simply failing to co-ordinate network changes. Before removing/changing the prefix, the DHCP admin should have removed the pool IFF it is desired that the addresses be usable for external connectivity. As previously mentioned, this may be deliberate on the part of the Admin.

> - A default router offering a prefix to a client can become unreachable.

"Sh*t happens". Not only that, but what happens if the server hands out a load of IPv6 addresses which are all valid AT THE TIME OF ALLOCATION ? Even if your proposal were implemented, these addresses would be accepted and configured because they would be valid AT THE TIME OF ALLOCATION. The DHCP server and client cannot do anything about it if, say, 5 seconds into a 60 day lease, a router stops advertising a prefix appropriate to that address.

It would be for the OS to detect that situation, and simply stop using that address for outbound connections. IMO it would be inappropriate for all the clients to somehow tell the server that all these addresses are bad - only to have 20,000 clients all contact the server again a few minutes later when the router comes back up and the prefix becomes valid again. That would be designing in network instability.

> A client address can become unreachable on a local link 

> - A client does not release unused addresses

So ? There are 2^64 addresses in a minimal IPv6 prefix. How many billion addresses do you intend using for each client ? Even if your 20,000 clients all took and held onto 1000 addresses each, that's still a tiny tiny fraction of the available addresses.

> - A client validates the addresses and the address prefixes and notifies DHCPv6 server about the problems

You will need to define the algorithm for validating addresses. So far you've only come up with "isn't on any prefix advertised by a router" (as above, not a valid test) and "in a deprecated prefix" (as mentioned in an earlier message, not a valid test).

You will also need to define a mechanism whereby all clients can have the algorithm updated as policies change - eg prefixes get deprecated (as previously discussed), new prefixes come into use (eg I assume you would expect currently unused prefixes to be rejected, but they could come into use at any time when it's considered that they are needed).
You will also need to define a mechanism for the local admins to over-ride the stock algorithm - eg where the admins have made a policy decision to run isolated networks. This introduces a catch-22 situation where new devices might not be configurable (they won't attach to the network) until they have been configured (policy edited to allow them to connect).

This is critical to your proposal - until you can come up with an easily defined, and robust, algorithm then your proposal CANNOT work. Worse, it may cause far more problems than it is supposed to solve.

> - A client returns unused addresses
> - DHCPv6 server:
>  -- logs error messages (invalid & unreachable addresses with device IDs)
>  -- does not assign the invalid addresses
>  -- periodically checks for the reachability of unreachable addresses and, when they become reachable, assigns them again

Define "valid" and "reachable" here ?
The implication from this and your earlier emails is that you define "reachable" as "has an IP which is routable to/from 'the internet'". See my comment above about running isolated networks: that backend isolated network runs a DHCP service, so the addresses on it are "reachable" in terms of "the DHCP server can reach them", but they aren't globally routable (they are actually RFC1918 IPv4 addresses, but the argument stands).
With a previous hat on, I had 2 Class C public IPv4 allocations which weren't globally routable.

There is also the issue that the server (in the general case) CANNOT determine the reachability/routability of any prefix. There are plenty of network topologies where the server may lose connectivity to "something" while clients don't, or vice-versa, while connectivity between server and client network is still working. Similarly, there are topologies where server-client comms could be lost while both still have connectivity to "something". This is the reason that, out of the box, DHCP4 servers in failover do NOT automatically go into partner-down state when they lose connectivity between them.

> - An operator
> -- checks if there are unreachable devices and the reason codes

An alternative: The site/organisation admins take care to co-ordinate changes, and test changes in configuration. They should employ monitoring to detect issues, and respond appropriately to helpdesk tickets.
Configuration management (and especially automation) will detect many of the issues you've raised.