IETF Logo Mail Archive

RE: DAD question

"STARK, BARBARA H" <bs7652@att.com> Mon, 13 August 2012 14:30 UTC

Return-Path: <bs7652@att.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 359A821F8759 for <ipv6@ietfa.amsl.com>; Mon, 13 Aug 2012 07:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.539
X-Spam-Level:
X-Spam-Status: No, score=-106.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TV5D-K+r+qN1 for <ipv6@ietfa.amsl.com>; Mon, 13 Aug 2012 07:30:14 -0700 (PDT)
Received: from nbfkord-smmo05.seg.att.com (nbfkord-smmo05.seg.att.com [209.65.160.92]) by ietfa.amsl.com (Postfix) with ESMTP id 4004421F8751 for <ipv6@ietf.org>; Mon, 13 Aug 2012 07:30:13 -0700 (PDT)
Received: from unknown [144.160.20.146] (EHLO nbfkord-smmo05.seg.att.com) by nbfkord-smmo05.seg.att.com(mxl_mta-6.11.0-10) with ESMTP id 67f09205.7fd06940.219979.00-598.578200.nbfkord-smmo05.seg.att.com (envelope-from <bs7652@att.com>); Mon, 13 Aug 2012 14:30:14 +0000 (UTC)
X-MXL-Hash: 50290f76320c2b21-ec3757b570dce9858e7c1d18df897d897b45ea3f
Received: from unknown [144.160.20.146] (EHLO mlpd194.enaf.sfdc.sbc.com) by nbfkord-smmo05.seg.att.com(mxl_mta-6.11.0-10) over TLS secured channel with ESMTP id 17f09205.0.219951.00-469.578076.nbfkord-smmo05.seg.att.com (envelope-from <bs7652@att.com>); Mon, 13 Aug 2012 14:30:09 +0000 (UTC)
X-MXL-Hash: 50290f710128f918-fbcd540ff62be9d726957954b57fefed81568759
Received: from enaf.sfdc.sbc.com (localhost.localdomain [127.0.0.1]) by mlpd194.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id q7DEU7C3016015; Mon, 13 Aug 2012 10:30:09 -0400
Received: from sflint04.pst.cso.att.com (sflint04.pst.cso.att.com [144.154.234.231]) by mlpd194.enaf.sfdc.sbc.com (8.14.5/8.14.5) with ESMTP id q7DETptX015123 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 13 Aug 2012 10:30:02 -0400
Received: from GAALPA1MSGHUB9E.ITServices.sbc.com (gaalpa1msghub9e.itservices.sbc.com [130.8.36.91]) by sflint04.pst.cso.att.com (RSA Interceptor); Mon, 13 Aug 2012 10:28:30 -0400
Received: from GAALPA1MSGUSR9N.ITServices.sbc.com ([130.8.36.71]) by GAALPA1MSGHUB9E.ITServices.sbc.com ([130.8.36.91]) with mapi id 14.02.0298.004; Mon, 13 Aug 2012 10:28:30 -0400
From: "STARK, BARBARA H" <bs7652@att.com>
To: "Fred Baker (fred)" <fred@cisco.com>, "ipv6@ietf.org 6man" <ipv6@ietf.org>
Subject: RE: DAD question
Thread-Topic: DAD question
Thread-Index: AQHNd0XlCeAhXXPBcEK2v5tAiE4SZZdXtNpA
Date: Mon, 13 Aug 2012 14:28:28 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E61115E277@GAALPA1MSGUSR9N.ITServices.sbc.com>
References: <36AA0AF8-95FD-4751-AE2E-A7A3D07038EB@cisco.com>
In-Reply-To: <36AA0AF8-95FD-4751-AE2E-A7A3D07038EB@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.136.7]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2010122901)]
X-MAIL-FROM: <bs7652@att.com>
X-SOURCE-IP: [144.160.20.146]
X-AnalysisOut: [v=1.0 c=1 a=-5zszckSLQMA:10 a=ofMgfj31e3cA:10 a=BLceEmwcHo]
X-AnalysisOut: [wA:10 a=kj9zAlcOel0A:10 a=Qs8R1XBwmid1qBFB/a8mmA==:17 a=yM]
X-AnalysisOut: [hMjlubAAAA:8 a=pObygEVbZNboA842jkcA:9 a=CjuIK1q_8ugA:10 a=]
X-AnalysisOut: [mFTNPgy23_KintRF:21 a=62DXDsYdUm8jPnnD:21]
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 14:30:15 -0000

> My question is: what happens if any of them discovers that it has created an
> address that is already in use in the network?
> 
> There would appear to be two options:
> (1) "ah, OK, I guess I didn't really want to talk today"
> (2) Following RFC 4941, guess again until one creates a unique address
> 
> Is it fair to assume that implementations do DAD and follow (2)?

>From the perspective of the CE router...
BBF decided on the following recommendation:
If DAD (on the WAN) fails for link-local or SLAAC, "vendor should implement graceful handling, including trying other addresses".

Router vendors felt this provided reasonable advice without limiting how they accomplished it. Some thought it would be reasonable to try using MAC addresses associated with other interfaces (from a LAN Ethernet or Wi-Fi interface), increment the previously tried value by 1 or x, and other possibilities. Once there was greater experience with real deployments, where it could be seen what worked and was easy, there would probably be convergence on "best practices".  But it was acknowledged that (1) such duplication of MAC addresses exists and is reasonably prevalent (all service providers see this), (2) it is unlikely that we can stop this from happening, (3) allowing such a CE router to become a brick would generate trouble calls and serve no useful purpose, and (4) implementing code that would try a different value was simple and had no perceived downside (as long as all CE routers had code to try other values). 

As has been pointed out, using 1:1 VLAN would prevent this problem. But my perspective is that the CE router doesn't know what access network it will land in, and needs to be resilient when finding itself in a N:1 VLAN environment.

As Ole pointed out, RFC 4941 explicitly mandates generation of a different privacy address when DAD fails.
RFC 3315 recommends use of DAD and telling the DHCPv6 server (Decline) if DAD fails. But this case isn't perceived to be a problem (unless the DHCPv6 server is misconfigured or someone managed to get that IPv6 Attack Toolkit that Dominik mentioned into the access network -- in which case we have bigger problems). A bigger problem for DHCPv6 servers may be the one of duplicate DUIDs, which may cause a DHCPv6 server to refuse to provide a IA_NA. This apparently is sufficiently prevalent that Microsoft had to provide info on how to fix it: http://support.microsoft.com/kb/2711727

Barbara

v2.23.0 | Report a Bug | By Email