IETF Logo Mail Archive

Re: Disabling temporary addresses by default?

Gyan Mishra <hayabusagsm@gmail.com> Tue, 28 January 2020 20:58 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B4141200CD for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 12:58:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7qkNYW1pN1o for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 12:58:06 -0800 (PST)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 959451200B2 for <ipv6@ietf.org>; Tue, 28 Jan 2020 12:58:06 -0800 (PST)
Received: by mail-il1-x12d.google.com with SMTP id t17so11953733ilm.13 for <ipv6@ietf.org>; Tue, 28 Jan 2020 12:58:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tswIJUcoiF+v4KVLLgwHVcMF4Rkrtb8fp3FunU7M0IM=; b=t7NJ+YBCQwNpbC3vLcykGLZm0NMoLUM9K4HvqjVbKaFyShtxxy9MZ7dCT13KGj1ypF N8PVso0Mt7kQgg3qJYjD12rCTaWl1GK2KY9NGyMPdRpDYhVq1SPWmxuTDA/x5H+Qb07N pFZfL4ZC5fBO+pcZ010TXsQamKcqFfG5EVVSLz/tMoHbjmjklAefWkhoLDCshlEpNeaZ fljyveDuFDHghUgOivXt8taO6I2/ZGAfxP1L8saUWHXc501TQVNvHXmqbTZlmzXQ50xO 3HCTRvvdf8z3ojdGRrUwQPuuwIbbG4mINuzLrWwUEs2yMzdaXBovk9si9W6XnAEbHOkd fz/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tswIJUcoiF+v4KVLLgwHVcMF4Rkrtb8fp3FunU7M0IM=; b=Yk0PL/9mvuWchXtu0QiAWrtKAVip8Nuc6STr/I/+TzVOpRkHkdNWptzdvcJwdhg62o 0xzlp1qTdkJXtmGlY5zSdTDTTSZ6a2EDVnwXM41wMMK6U+5MEtmeawi97vIZ7dVEVbGM jGxTSbG38FcOoedTcZe3BjVk5HM7T7uG4bMP7i5F1oT3cmYc2UtaCP0r+cjlWF9GEI9o uK4oHygygDk28ZNhS/ooBaCMmorxhIIDMTWzONr13cSWEpCWWmZGXv6YznTB9pbVvfF0 m68M3MOvV+0gBlXvXeT7xzBP1rPz2qf9RPaSeJPPLqs2YnDEaSeq6qkXaQWci7fyBHbF nqlw==
X-Gm-Message-State: APjAAAVRnwfosES5iy+7WSgDVDhyppV6ACTVn6elNIMAIxRCK+zY1ZuR CglxVaze0ElnXlpwlyk+wdiM/phr1fBpUiwepWE=
X-Google-Smtp-Source: APXvYqweMTeBKIa/GF0c1uKKqvnSMqS+dNZrSurpPTFQpBLM9eGNanD4LQY5VdntSvtgi4MVvLG2TlaBgv7GzlfRv+A=
X-Received: by 2002:a92:1547:: with SMTP id v68mr20609983ilk.58.1580245085734; Tue, 28 Jan 2020 12:58:05 -0800 (PST)
MIME-Version: 1.0
References: <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <751D59E0-F60B-4FE1-840F-3FEAB82F618F@huitema.net> <c058863d-9e29-3ddb-a020-0ebadef26ad4@si6networks.com> <CABNhwV0KsKN7LQY2D-BJkCtvB40oZCT65EmOCr0oE56c9g7-aQ@mail.gmail.com> <CAO42Z2zzmBGwrEthNP=S0yF+uiUP=88OKRhtXN8L+mtbdGO8rw@mail.gmail.com>
In-Reply-To: <CAO42Z2zzmBGwrEthNP=S0yF+uiUP=88OKRhtXN8L+mtbdGO8rw@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Tue, 28 Jan 2020 15:57:54 -0500
Message-ID: <CABNhwV2QpykkgEajBBLFq+U8or8ESaoN+8LTYqfHMiWK83bG0Q@mail.gmail.com>
Subject: Re: Disabling temporary addresses by default?
To: Mark Smith <markzzzsmith@gmail.com>
Cc: 6man WG <ipv6@ietf.org>, Christian Huitema <huitema@huitema.net>, Fernando Gont <fgont@si6networks.com>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fe4c35059d397a65"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/K81l6PhgnQoUjuHH6FvYeF6ZR5I>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 20:58:10 -0000

On Tue, Jan 28, 2020 at 1:24 PM Mark Smith <markzzzsmith@gmail.com> wrote:

>
>
> On Wed, 29 Jan 2020, 06:47 Gyan Mishra, <hayabusagsm@gmail.com> wrote:
>
>>
>>
>> On Tue, Jan 28, 2020 at 12:11 PM Fernando Gont <fgont@si6networks.com>
>> wrote:
>>
>>> On 28/1/20 13:27, Christian Huitema wrote:
>>> >
>>> > On Jan 28, 2020, at 6:59 AM, Lorenzo Colitti <lorenzo=
>>> 40google.com@dmarc.ietf.org> wrote:
>>> >>
>>> >> Instead of disabling, why not change the default of the number of
>>> addresses maintained? For example, instead of maintaining 1 permanent + 1
>>> valid + 7 deprecated, why not just default to maintaining 1 permanent + 1
>>> valid + 1 deprecated. That means that applications would have to
>>> re-establish their connections once a day instead of once every 7 days. But
>>> if they use privacy addresses, they already need to re-establish
>>> connections after 7 days. And they can always use not to use privacy
>>> addresses via the appropriate socket option.
>>> >
>>> > That seems plausible, but how about going one step further and for
>>> clients just have one temporary and one deprecated address, without any
>>> stable address? If the client is not running any server, that makes address
>>> management much simpler.
>>>
>>> rfc4041 bis already allows for that.
>>>
>>> The only thing is that if the Preferred Lifetime is 1 day, and Valid
>>> Lifetime is 2*Preferred Lifetime, and you only do temporary addresses,
>>> then your sessions (e.g. SSH) cannot span past one day, *unless* we
>>> recommend that invalid addresses are still okay for established
>>> connections..
>>
>>
>>
>>    The main reason this topic comes has up is due to possible impact of
>> usage of the temporary address when it gets deprecated with long lived
>> session.
>>
>
> Devices and their end-users that desire address privacy are unlikely to
> have long lived connections.
>
> Can you provide an example of a common long lived connection that would
> occur with a laptop or smartphone? I can't think of one.
>
> Even back in the early 1990s, when fixed location desktops were the main
> personal computing device, long lived client connections were rare. If you
> wanted a reliable long lived connection for something, you didn't use your
> desktop, you used the hosts/servers that were in computer rooms protected
> by UPS.
>
> Gyan> For the home or Starbucks user it would be rare to have long lived
> connections.  Maybe a weekend or all week gaming marathon.
>

   Joking aside, enterprise space is the camp that would have long lived
connections primarily for 24x7 client/server mission critical revenue
generating applications, Point of sale applications, 24x7 Call Centers to
name a few.  I am sure there are many other enterprise scenarios.  Cloud
servers  using Cloud Foundary or Openstack Neutron or any logical
virtualization network layer for server to server communications using
SLAAC.

>
>
>
>
> That’s the crux of why this topic is critical and has severe operational
>> impact. When the address changes for long lived connections from the
>> deprecated temporary address to the new preferred address, the session
>> would terminate and have to re-establish, which is impacts the user.  Maybe
>> a change to the behavior as how this works is that the long lived flow
>> remains active on the deprecated temporary address indefinitely until the
>> flow is terminated via graceful TCP close.  This would allow us to maintain
>> privacy extension temporary address enabled by default change to benefit
>> privacy advocates and also eliminate impact for enterprise users where
>> availability and stability is utmost importance.  The second issue is
>> maintaining of a multiple addresses on the end host from an operations
>> perspective if that can be limited.  One idea to accomplish this is that if
>> the privacy temporary address is enabled by default, that is if we are able
>> to resolve the operational impact of long lived sessions when the temporary
>> address changes - how can we minimize the number of active addresses per RA
>> slaac address.  Allow the interface stable random address to be active only
>> if the temporary privacy address is disabled - non default scenario.   Once
>> the temporary address is enabled default scenario- and preferred, it is now
>> used for both incoming and outgoing connections and the interface “stable”
>> random address is now disabled.  This will help from an operations
>> perspective that all flows in/out now all use the same privacy address.  We
>> can limit the number of temporary addresses to 2 which would only occur
>> during transition to the new preferred address.  In a normal state when the
>> address has not hit the lifetime expire timer, only a single GUI address
>> exists on the host plus the link local.
>>
>>>
>>>
>>> --
>>> Fernando Gont
>>> SI6 Networks
>>> e-mail: fgont@si6networks.com
>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>>
>>>
>>>
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>> --
>>
>> Gyan  Mishra
>>
>> Network Engineering & Technology
>>
>> Verizon
>>
>> Silver Spring, MD 20904
>>
>> Phone: 301 502-1347
>>
>> Email: gyan.s.mishra@verizon.com
>>
>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
> --

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com

v2.23.0 | Report a Bug | By Email