IETF Logo Mail Archive

Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios

Richard Patterson <richard@helix.net.nz> Mon, 25 February 2019 10:33 UTC

Return-Path: <richard@helix.net.nz>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3FF8130EC1 for <ipv6@ietfa.amsl.com>; Mon, 25 Feb 2019 02:33:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=helix-net-nz.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPuVcdvA3d9T for <ipv6@ietfa.amsl.com>; Mon, 25 Feb 2019 02:33:09 -0800 (PST)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 435AA130E84 for <6man@ietf.org>; Mon, 25 Feb 2019 02:33:08 -0800 (PST)
Received: by mail-yb1-xb34.google.com with SMTP id c3so1208839ybo.11 for <6man@ietf.org>; Mon, 25 Feb 2019 02:33:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=helix-net-nz.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=m+0nhSQ35CrTfoDF687FvYXc+XpfwSIXuysOp9LG4H4=; b=oqlSldaSYucxWJR2j7sqkKLD9SQxChR9Xja1Mde3WE/+6jA7f9RRudTWEbkZVaxCNY 4PlgzDHzqI8SwP1dni8hSFze64FXgbFmpKVWWoczw5g8DNIHTvxLC+WmopZN/w80bHw8 uIgu2/flyVHG54ylJSB7WEbTbyNiQSWr53BELKunQLEkC/wxjHLogguD9lV4NC4BE5OO DZ+tAOUnmeNjk2xDmF8FUpYG4P16HdEpH1R7r0DLE2JpLBQsx09Zki+GOKmC+pJ2qY5W oXL82e/x5BCUEx8rsCghveSpmz8NBYCsayNfjWkMLZ9FPMaKdxoGbYILyi44gD+9bw3V lKEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=m+0nhSQ35CrTfoDF687FvYXc+XpfwSIXuysOp9LG4H4=; b=XIFa1BiB9PwKiuPiBfrt74A+gqHfeVQ6ftUZJzYTfLY6i04WsoStC2T9IHDpMlqFOK 4nm7BWDUzWtEXYTDcG1IFXRie/rmFk2LRCTq9phxbBH95N98/IzIyw/EdAsCxhxfUtga RqZftCOIbXEFlGdZXac8KR6xe/CFAzsodq+WtspsNNdFLWuVd5W1goZ3g4bFdltMWGd9 6h5ERLlqM1ybMKvhSDSqXzfI+N3oW3aAUM46Sa42UDHGm+RshnTWf1jFtnN+6llXh3vj A1KnrGZTcFVafIMaNgP10VKx8jXBZQsj/iJogr45lyYDd5k//HgAQlSma/+KC1vy2sBu usFA==
X-Gm-Message-State: AHQUAua57dkhPnrIAHYY0azSnaURJBw16iN1PZfdZtyMR82tgpRJHQsm XRw5SUV7vkQuGhM2QJBtQeerhQ==
X-Google-Smtp-Source: AHgI3IZJXo3tnuqw0HceFxT0GQkcQudbvwafNLZXVOO1TxSO8rmyLCuraQMLZl2xqfVeWLZhKa319A==
X-Received: by 2002:a25:9110:: with SMTP id v16mr13107108ybl.490.1551090787850; Mon, 25 Feb 2019 02:33:07 -0800 (PST)
Received: from mail-yw1-f43.google.com (mail-yw1-f43.google.com. [209.85.161.43]) by smtp.gmail.com with ESMTPSA id z201sm3402868ywd.23.2019.02.25.02.33.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Feb 2019 02:33:06 -0800 (PST)
Received: by mail-yw1-f43.google.com with SMTP id o184so3446945ywo.5; Mon, 25 Feb 2019 02:33:06 -0800 (PST)
X-Received: by 2002:a81:360e:: with SMTP id d14mr13220168ywa.489.1551090786602; Mon, 25 Feb 2019 02:33:06 -0800 (PST)
MIME-Version: 1.0
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <20190221073530.GT71606@Space.Net> <CAO42Z2wmB2W52b4MZ2h9sW5E9cQKm-HRjyf--q8C26jezS7LXQ@mail.gmail.com> <a73818d31db7422b99a524bc431b00ed@boeing.com> <CAO42Z2z9-48Gbb_Exf+oWUqDO=axSLpZBtqeDcxkAoFq5OziGw@mail.gmail.com> <CALx6S3624hnGauG1HaSWPMvQw0t2Q5R3gb8W4R8w3kuK7dcrWQ@mail.gmail.com> <1F07F2BB-2F37-4D12-9731-7892DF4E3D88@consulintel.es> <0a582916-af14-bd82-a4cd-002a36f8830b@huitema.net> <67515a73-26a5-3ed0-da88-1a4ce64550d3@foobar.org> <360afa02-cf23-375c-4876-780d3c2aa5ac@gont.com.ar>
In-Reply-To: <360afa02-cf23-375c-4876-780d3c2aa5ac@gont.com.ar>
From: Richard Patterson <richard@helix.net.nz>
Date: Mon, 25 Feb 2019 10:32:54 +0000
X-Gmail-Original-Message-ID: <CAHL_VyD34V=TRcsCp0DOO9HJNHyy5xkiMQ_cZoBa7zTE4fe5OA@mail.gmail.com>
Message-ID: <CAHL_VyD34V=TRcsCp0DOO9HJNHyy5xkiMQ_cZoBa7zTE4fe5OA@mail.gmail.com>
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
To: Fernando Gont <fernando@gont.com.ar>
Cc: IPv6 Operations <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FJN2z3khdc34ecmLqFXNdLeUpOI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 10:33:12 -0000

On Sat, 23 Feb 2019 at 05:22, Fernando Gont <fernando@gont.com.ar> wrote:

> * As per RFC4862, it turns out that you cannot remove a stale prefix vy
> sending an RA wiht a "Prefix Lifetime" of 0. SO, with current standards,
> not even the CPEs can (even if they wanted to) do something to fix the
> problem.


The Valid Lifetime cannot be zeroed or shortened below 2 hours, but
the Preferred Lifetime can.  So we can't invalidate the prefix, but we
can deprecate it so it's not used for new outbound sessions.   This is
what we've implemented in our CPEs, after an unavoidable change in
prefix, and it seems to have mitigated (or reduced the impact of) the
issue.

RFC4862 §5.5.3

e)  If the advertised prefix is equal to the prefix of an address
      configured by stateless autoconfiguration in the list, the
      preferred lifetime of the address is reset to the Preferred
      Lifetime in the received advertisement.

....

      Note that the preferred lifetime of the corresponding address is
      always reset to the Preferred Lifetime in the received Prefix
      Information option, regardless of whether the valid lifetime is
      also reset or ignored.  The difference comes from the fact that
      the possible attack for the preferred lifetime is relatively
      minor.  Additionally, it is even undesirable to ignore the
      preferred lifetime when a valid administrator wants to deprecate a
      particular address by sending a short preferred lifetime (and the
      valid lifetime is ignored by accident).

v2.23.0 | Report a Bug | By Email