Re: Iotdir telechat review of draft-ietf-6man-rfc4941bis-11

Fernando Gont <> Wed, 21 October 2020 23:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1D3423A0BB2; Wed, 21 Oct 2020 16:40:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jTFpOL1G44zA; Wed, 21 Oct 2020 16:40:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0EDA93A0BAA; Wed, 21 Oct 2020 16:40:44 -0700 (PDT)
Received: from [IPv6:2800:810:464:b9c:452e:36a3:27fd:8f9b] (unknown [IPv6:2800:810:464:b9c:452e:36a3:27fd:8f9b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 76B57283B70; Wed, 21 Oct 2020 23:40:41 +0000 (UTC)
From: Fernando Gont <>
Subject: Re: Iotdir telechat review of draft-ietf-6man-rfc4941bis-11
To: Dave Thaler <>
Cc: "" <>, "" <>
References: <> <> <> <> <>
Message-ID: <>
Date: Wed, 21 Oct 2020 20:35:41 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Oct 2020 23:40:55 -0000

On 21/10/20 18:59, Dave Thaler wrote:
> Fernando Gont <>  wrote:
>>>>> Section 4:
>>>>> With the change to use a separate IID per prefix, I believe the 2nd
>>>>> paragraph should be augmented to point out that simply upgrading an
>>>>> RFC 4941-compliant node to an implementation of this draft can
>>>>> exacerbate the problem mentioned in this paragraph.
>>>> For all practical scenarios, this will actually be the other way around:
>>>> Since this document reduces the Valid Lifetime, then, for the case where
>>>> the local network employs say, one GUA prefix and one ULA prefix, nodes
>>>> would end up using 4 concurrent temporary addresses, as opposed to the
>>>> 14 temporary addresses they might end up employing with RFC4941.
>>> That depends on whether a non-default Valid Lifetime is configured.
>>> My meta-point is that this paragraph would benefit from a discussion about
>>> the upgrade effects, like we're now discussing here.
>> Fair enough. Would it be okay to address this in the Security
>> Considerations Section, as opposed to Section 4?
> My opinion is that this point is different from security considerations
> (which is a separate point), it's more "upgrade considerations" since the
> point here is that simply upgrading might cause a battery drain if you
> have things configured in a particular way.  No attacker is involved.
> Security considerations are for things that are about attacks or mitigations.

Oops! Looks like I misunderstood you. -- I thought you were portraying 
this issue as a security issue (rather than an upgrade issue). So let me 
proposed the following text instead:

---- cut here ----
RFC4941 employed a randomized temporary Interface Identifier for 
generating temporary addresses, such that a set of temporary addresses 
configured at a given time (for multiple SLAAC prefixes) would employ 
the same Interface Identifier.  Sharing the same IID among multiple 
address allowed host to join only one solicited-node multicast group 
pero temporary address set.

This revision requires that temporary addresses configured for different 
SLAAC prefixes employ interface identifiers that are statistically 
different from each other. This means that when a network employs 
multiple prefixes, each temporary address of the set will result in a 
different solicited-node multicast address, and thus the number of 
multicast groups that a host should join becomes a function of the 
number of SLAAC prefixes employed for generating temporary addresses).

Thus, a network that employs multiple prefixes may require hosts to join 
more multicast groups than in the RFC4941 case. If the number of 
multicast groups is large enough, a node may need to resort to setting 
the network interface card to promiscuous mode. This would cause the 
node to process more packets than strictly necessary, and might have a 
negative impact on battery-life, and on system performance in general.

We note that since this document reduces the default TEMP_VALID_LIFETIME 
from 7 days (in [RFC4941]) to 2 days, the number of concurrent temporary 
addresses per SLAAC prefix will be smaller than for RFC4941 
implementations, and thus the number of multicast groups for a network 
that employs, say, between 1 and threee prefixes will be similar than 
for RFC4941 implementations.

Implementations concerned with the maximum number of multicast groups 
that would be required to join as a result of configured addresses, or 
the overall number of configured addresses, should consider enforcing 
implementation-specific limits on e.g. the maximum number of configured 
addresses, the maximum number of SLAAC prefixes that are employed for 
auto-configuration, and/or the maximum ratio for 
the number of concurrent temporary addresses per SLAAC prefix). Many of 
these configuration limits are readily available in SLAAC and RFC4941 
implementations. We note that these configurable limits are meant to 
prevent pathological behaviors (as opposed to simply limiting the usage 
of IPv6 addresses), since IPv6 implementations are expected to leverage 
the usage of multiple addresses [RFC7934].
---- cut here ----


BTW, should this be incorporated into Section 4, or elsewhere?


Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492