IETF Logo Mail Archive

Re: RFC4941bis: consequences of many addresses for the network

Gyan Mishra <hayabusagsm@gmail.com> Sat, 25 January 2020 20:06 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCE3E12004C for <ipv6@ietfa.amsl.com>; Sat, 25 Jan 2020 12:06:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZj-Kx8UsbkZ for <ipv6@ietfa.amsl.com>; Sat, 25 Jan 2020 12:06:11 -0800 (PST)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7A9812007C for <ipv6@ietf.org>; Sat, 25 Jan 2020 12:06:10 -0800 (PST)
Received: by mail-il1-x131.google.com with SMTP id t17so4367186ilm.13 for <ipv6@ietf.org>; Sat, 25 Jan 2020 12:06:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EEFvdr66w/7RJINMZ0ouoLk5kH7iWFjDJ8bgYojYApg=; b=hf47oqp/MKDuhsjShgY8dTRIElrv4i6VvmJgqMblCxb0blqxTWL0Re1Tr67YcJbMlP tnwrcAaao5aw01CgO3gSSnF0eualXnUHTXOKR/2yvLgnLEhvRajMhggVI+QetByQKN2K jlXDN5IyqRyHU5n7Dy7cUDAf3dVDlZ1L0Lmh8kw/xAM4RVa+45T+E8jrMcWlgISmTJ2s 7Sx9C6aB/xTBwB1UApnB+bJ+Ei5yJp8op6m4fYPrYQOIQOW4WskY2mVZdaSBO4raQjh5 dH5/k7C09hpY5G+s4sFzqSOSHOEmNqMvAegCCcDHty2u1eAM9m95aKIlD46tmG+H7VzD 34lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EEFvdr66w/7RJINMZ0ouoLk5kH7iWFjDJ8bgYojYApg=; b=eIRwhlUwvPx0R8i2UvyKiNApYjt/0v+NskIdjkGF7i4cWi6bnkoAQkmaRy+hT9g182 KhblzfhV7WHeubBH9OudvNUDBrOc8j/r6niwVPRTnJ3tSC2oZXZH5eh/Q2xueQSw4hs7 aqS50mjhUHjvO7/ALk0/DI3CaPe+0nIUXI8OJo6ZCvsF8O//sciwFRzt1pLD1euGjdA6 gmBVjUOv2Gex8lmpPgEKcxQCgAa79uKP3xNdzDfTY3G2RqF6g6/OfKJ8oZ0zp4zE9Rfy 1FrbQf1SHEAYlHtzCzW1jSuq2dM75t7bqlFWY9hGJZLhj9iNPq/BxFYg4aef0pHp+7t3 p/dA==
X-Gm-Message-State: APjAAAUblr9WXhkIrdLfjHQKNclewU+/AxBvOxE2O924p/nHWdrie/eu 6DTu3wUk9MMBs1XVLRdAsi/z0i6xEA4mK/7/n2gTAd6Q
X-Google-Smtp-Source: APXvYqxEc/2Y3wy4zHbtNfEA2Vnmdsi7tGdZnFvisNJSleR42V9yRY2qrhFFJPcIrcdguWIyptzHjj6cnHnktS4bU2k=
X-Received: by 2002:a92:1547:: with SMTP id v68mr8333123ilk.58.1579982769932; Sat, 25 Jan 2020 12:06:09 -0800 (PST)
MIME-Version: 1.0
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <e936078e-01f9-0254-a8d0-4095455154ac@si6networks.com> <D85412DF-4B03-4790-9E39-968D50ECF86B@employees.org> <m1iuwJV-0000MAC@stereo.hq.phicoh.net> <B341FF1B-C559-4D54-B117-A58EB6A3C955@employees.org> <dfe3a236-4e61-d2be-929c-869a81994879@si6networks.com> <m1iuxwI-0000M3C@stereo.hq.phicoh.net> <CABNhwV1XcATmrosW_kRTJgrXyTSNqPe=uR4VDt=_eXtt5=H3CQ@mail.gmail.com> <431eefce-594f-b7bd-4d49-a7a7ddbcd684@si6networks.com> <CABNhwV1wA+ntT1SHzzF19VotpXED=MOD2HTbQq2hL_nhaOR3qw@mail.gmail.com> <7c65c99f-1418-eb07-b984-8ad7ff6b7a62@gmail.com> <CABNhwV0jyS+bgKzHeQe9x-3FZvsr_-BiKVm=-G_LGizC7nR=dw@mail.gmail.com> <CABNhwV0w5tO-4_ixNUWjbAb81vmQvGF_iYmghmqRSuEmVR8Qtw@mail.gmail.com> <4ec87367-07b0-d17d-5db1-044da482183a@gmail.com>
In-Reply-To: <4ec87367-07b0-d17d-5db1-044da482183a@gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sat, 25 Jan 2020 15:05:29 -0500
Message-ID: <CABNhwV3-zsda4zEf-PxXb_-O2Q6c8y3a_64P4KiLEgrqdaeKCw@mail.gmail.com>
Subject: Re: RFC4941bis: consequences of many addresses for the network
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, ipv6@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c0cf80059cfc6740"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/4yGSefTFIRND4-ZuIL0ND9NCl90>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jan 2020 20:06:13 -0000

On Fri, Jan 24, 2020 at 8:30 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 25-Jan-20 12:06, Gyan Mishra wrote:
> >
> > Microsoft link - forgot
> >
> > On Fri, Jan 24, 2020 at 6:05 PM Gyan Mishra <hayabusagsm@gmail.com
> <mailto:hayabusagsm@gmail.com>> wrote:
> >
> >
> >
> >     On Fri, Jan 24, 2020 at 5:11 PM Brian E Carpenter <
> brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> >
> >         >  I agree RFC 7217 stable address is most preferred however
> Microsoft and Apple don’t support yet.
> >
> >
> >       Gyan>On my IPv6 roadmap list with Microsoft.  So far no ETA.
> >
> >
> >         I have no idea for Apple, but afaik MS switched to pseudorandom
> stable IIDs per interface a long time ago, before Windows 7 possibly. I
> haven't seen a modified EUI-64 address on my laptop for a very long time.
> This is not the same thing as RFC7217 from a privacy point of view, but for
> network operations and neighbour cache size it seems like the same thing.
> >
> >
> >        Gyan> I think it’s EUI-64 and not modified.
>
> No. Here's what my Windows 10 says right now (WAN prefix etc obscured
> manually). There are no EUI-64 or modified EUI-64 interface identifiers.
>
> Microsoft Windows [Version 10.0.17763.737]
> (c) 2018 Microsoft Corporation. All rights reserved.
>
> C:\WINDOWS\system32>ipconfig /all
>
> Windows IP Configuration
>
>    Host Name . . . . . . . . . . . . : DESKTOP-xxxx
>    Primary Dns Suffix  . . . . . . . :
>    Node Type . . . . . . . . . . . . : Hybrid
>    IP Routing Enabled. . . . . . . . : No
>    WINS Proxy Enabled. . . . . . . . : No
>    DNS Suffix Search List. . . . . . : fritz.box
>
> Ethernet adapter Ethernet 4:
>
>    Connection-specific DNS Suffix  . : fritz.box
>    Description . . . . . . . . . . . : ASIX AX88772B USB2.0 to Fast
> Ethernet Adapter #2
>    Physical Address. . . . . . . . . : E8-03-9A-3C-67-7A
>    DHCP Enabled. . . . . . . . . . . : Yes
>    Autoconfiguration Enabled . . . . : Yes
>    IPv6 Address. . . . . . . . . . . :
> 2406:e002:xxxx:xxxx:80b2:5c79:2266:e431(Preferred)
>    IPv6 Address. . . . . . . . . . . :
> fd63:45eb:dc14:0:80b2:5c79:2266:e431(Preferred)
>    Temporary IPv6 Address. . . . . . :
> 2406:e002:xxxx:xxxx:89fa:eda3:4d87:293b(Preferred)
>    Temporary IPv6 Address. . . . . . :
> fd63:45eb:dc14:0:89fa:eda3:4d87:293b(Preferred)
>    Link-local IPv6 Address . . . . . :
> fe80::80b2:5c79:2266:e431%7(Preferred)
>    IPv4 Address. . . . . . . . . . . : 192.168.178.30(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Lease Obtained. . . . . . . . . . : Saturday, 25 January, 2020 14:14:02
>    Lease Expires . . . . . . . . . . : Tuesday, 4 February, 2020 14:14:02
>    Default Gateway . . . . . . . . . : fe80::be05:43ff:fe8e:ce39%7
>                                        192.168.178.1
>    DHCP Server . . . . . . . . . . . : 192.168.178.1
>    DHCPv6 IAID . . . . . . . . . . . : 604000438
>    DHCPv6 Client DUID. . . . . . . . :
> 00-01-00-01-24-04-A7-BC-9C-DA-3E-8F-05-7F
>    DNS Servers . . . . . . . . . . . : fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>                                        192.168.178.1
>                                        fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>    NetBIOS over Tcpip. . . . . . . . : Enabled
>
> Wireless LAN adapter Wi-Fi:
>
>    Connection-specific DNS Suffix  . : fritz.box
>    Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
>    Physical Address. . . . . . . . . : 1A-BC-EF-15-F2-27
>    DHCP Enabled. . . . . . . . . . . : Yes
>    Autoconfiguration Enabled . . . . : Yes
>    IPv6 Address. . . . . . . . . . . :
> 2406:e002:xxxx:xxxx:db7:d041:a2d:ce65(Preferred)
>    IPv6 Address. . . . . . . . . . . :
> fd63:45eb:dc14:0:db7:d041:a2d:ce65(Preferred)
>    Temporary IPv6 Address. . . . . . :
> 2406:e002:xxxx:xxxx:6029:b755:ced7:343e(Preferred)
>    Temporary IPv6 Address. . . . . . :
> fd63:45eb:dc14:0:6029:b755:ced7:343e(Preferred)
>    Link-local IPv6 Address . . . . . :
> fe80::db7:d041:a2d:ce65%23(Preferred)
>    IPv4 Address. . . . . . . . . . . : 192.168.178.25(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Lease Obtained. . . . . . . . . . : Saturday, 25 January, 2020 14:13:40
>    Lease Expires . . . . . . . . . . : Tuesday, 4 February, 2020 14:13:38
>    Default Gateway . . . . . . . . . : fe80::be05:43ff:fe8e:ce39%23
>                                        192.168.178.1
>    DHCP Server . . . . . . . . . . . : 192.168.178.1
>    DHCPv6 IAID . . . . . . . . . . . : 194828862
>    DHCPv6 Client DUID. . . . . . . . :
> 00-01-00-01-24-04-A7-BC-9C-DA-3E-8F-05-7F
>    DNS Servers . . . . . . . . . . . : fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>                                        192.168.178.1
>                                        fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>    NetBIOS over Tcpip. . . . . . . . : Enabled
>
> >
> >     I found this link from Microsoft but it does not state if modified
> is supported or not.
> >
> >
> >
> http://download.microsoft.com/download/F/D/F/FDF4CF55-5FDE-4CFF-8539-3662BB5EB7A0/TD13Basel2-43.pptx
>
> IPv6 has always used "modified EUI-64". What that 2013 presentation does
> state is very clear:
>
> "Beginning with Windows Vista and Windows Server 2008, a randomized method
> is utilized to determine the Interface ID instead of EUI-64" (slide 26).
>
> In the next line it gives you the magic to revert to modified EUI-64:
>
> "netsh int ipv6 set global randomizeidentifiers=enabled|disabled"
>
> Regards
>     Brian
>

   Gyan> I did some research on this v6ops related topic as far as
operational impact of RFC 4941 privacy extension.

So Microsoft as stated in the 2013 presentation has implemented RFC 4941
starting with Vista with the MD5 randomize generated IID that is stored and
persistent across reboot and only changes if the prefix changes with
mobility and a new 128 bit address stable address is generated.

The Privacy temporary address is generated from the Ethernet interface
random IID and the first time generated after initial boot the temporary
address is the same as the interface IID.  The temporary valid and
preferred lifetimes are set based on a formula and is less then the LAN
interface random IID.

So what was envisioned by the author of RFC 4941 was to use the “stable”
LAN  Random IID “Public” address for incoming connections which would be
published via DDNS and outgoing connections for user privacy use the
“privacy” temporary address.  The analogy used in the draft is the stable
LAN address in the PSTN world is like publishing your phone number in the
white pages, and your private temporary address is analogous to called ID
block for anonymity.

The operational complexity behind this approach of using multiple addresses
is during regeneration is when the temporary address becomes depreciated it
may still be used for existing outgoing connections while the new preferred
address now active is being used for new outgoing connections.  At the same
time all incoming connections are using the dns public published “stable”
lan interface random IID.

Imagine if you have multiple prefixes sent in PIO options to the host - 4x
times the number of SLAAC prefixes received.  Way complex troubleshooting
for operations.  Imagine a help desk rep asking a user “what’s your IPv6
address”

What Microsoft did not follow in their implementation is RFC 4941
deployment considerations is that the temporary address should be disabled
by default due to operational impact.

Quoted from RFC 4941

The use of temporary addresses may cause unexpected difficulties with
   some applications.  As described below, some servers refuse to accept
   communications from clients for which they cannot map the IP address
   into a DNS name.  In addition, some applications may not behave
   robustly if temporary addresses are used and an address expires
   before the application has terminated, or if it opens multiple
   sessions, but expects them to all use the same addresses.
   Consequently, the use of temporary addresses SHOULD be disabled by
   default in order to minimize potential disruptions.


Disable RFC 4941 LAN interface “stable” Random IID = This should never be
done as you revert back to OUI Mac based IID

netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent


Disable temporary address:  Microsoft should have made this default.

netsh interface ipv6 set privacy state=disabled store=persistent


I will forward comment on  v6ops and OPSEC WGs and kick of a draft related
to this critical topic.


> >
> >         Anyway, I hope we're all agreed that this topic, however
> interesting is not worth more than a small comment in RFC4941bis. Isn't it
> actually a v6ops topic ("Operational impact of numerous addresses per
> host")?
> >
> >
> >       Gyan> Agreed
> >
> >
> >
> >         Regards
> >            Brian
> >
> >     --
> >
> >     Gyan  Mishra
> >
> >     Network Engineering & Technology
> >
> >     Verizon
> >
> >     Silver Spring, MD 20904
> >
> >     Phone: 301 502-1347
> >
> >     Email: gyan.s.mishra@verizon.com <mailto:gyan.s.mishra@verizon.com>
> >
> >
> >
> > --
> >
> > Gyan  Mishra
> >
> > Network Engineering & Technology
> >
> > Verizon
> >
> > Silver Spring, MD 20904
> >
> > Phone: 301 502-1347
> >
> > Email: gyan.s.mishra@verizon.com <mailto:gyan.s.mishra@verizon.com>
> >
> >
> >
>
> --

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com

v2.23.0 | Report a Bug | By Email