IETF Logo Mail Archive

Re: RFC4941bis: consequences of many addresses for the network

Gyan Mishra <hayabusagsm@gmail.com> Sat, 25 January 2020 20:28 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2091012004C for <ipv6@ietfa.amsl.com>; Sat, 25 Jan 2020 12:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5syIb82WAu2X for <ipv6@ietfa.amsl.com>; Sat, 25 Jan 2020 12:28:20 -0800 (PST)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5290412001E for <ipv6@ietf.org>; Sat, 25 Jan 2020 12:28:20 -0800 (PST)
Received: by mail-il1-x134.google.com with SMTP id f10so4414645ils.8 for <ipv6@ietf.org>; Sat, 25 Jan 2020 12:28:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j4YhqL+WAq0B7B8QAmNY3PT+UJWNFynuZF/iPjQ5lfc=; b=Ggt57OHSIkYSUzqQUGoRpH24RMEE2ESq+D/agQhvBFn/awu1I9jaAj8+PX3vakEXZ+ HY2R7exbBgtWfaF12u0ttQ1Kg7Sv2EfQJU5ozPDjn9Kx3kwVxP9rjdvMGSnx+qxfqihu vtfW1BP6M8VQSTREKzGGFiVnJ4jmBSQjN9bpl4Js2g/v6q41HHX/fIKvxCy5+p/st45H gMsDTjr8nLrY3FH06MgPSB8o1rTs/NT83F+1YwrUYIDeIgP4yb8wOcaOCAjO0plYV6Sm zHqmAPUmd94Ut5InZqha8rzfg9wfsfdZTfUxZle4S4vSUq76DXcb6aYMuSdvJ8C2rFms Zdsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j4YhqL+WAq0B7B8QAmNY3PT+UJWNFynuZF/iPjQ5lfc=; b=RoJpzJ2eb1JvPSSCplQj15Pm9IHvWNJ1kMXKKcqxOKtYBLFxNbb0dh0qbH73ybynJR J8OHLbxFCG+zXr/7/BtozaRSUW9OvXLlcPfWMUwcwgtNRtnb58JcKCgaNsR3pUy8dPk1 YCybl0l9BjFqYEaHb8g2+JrlH3XWfv6SExhSGWeikUboCgWL5Xyt7DU4oCWAZAPizVpk 9pB5QQ8rYJKxHnVHH8Mebj4bdf/zoYTpxJI+5lhpTqHscmILKtLdbY5K6a5Ni9CN2My2 5Vy+i4cLMZArwrBuAVb05pnucBDOomBZCHBMwg7O78vwrRxLW6KzPvdVkt+MNdjE3Wir UZhg==
X-Gm-Message-State: APjAAAXQVTag1cBZdjR3IbBJ8wTQryUft2PRLBGSGRi7sZJaMRJ+RrUG 1086q6PNXEB9eW42Yd/OPjlWFLHQMITUgl9AqYE=
X-Google-Smtp-Source: APXvYqz+/GetE7Ror0RL1cj2WlLQiP5GHhQBVDiKXkxwXlWV0iBX91cdUuZsE7DS6BSc8TiUAspkFA2X+QOlp8DFPno=
X-Received: by 2002:a92:1547:: with SMTP id v68mr8391490ilk.58.1579984099553; Sat, 25 Jan 2020 12:28:19 -0800 (PST)
MIME-Version: 1.0
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <e936078e-01f9-0254-a8d0-4095455154ac@si6networks.com> <D85412DF-4B03-4790-9E39-968D50ECF86B@employees.org> <m1iuwJV-0000MAC@stereo.hq.phicoh.net> <B341FF1B-C559-4D54-B117-A58EB6A3C955@employees.org> <dfe3a236-4e61-d2be-929c-869a81994879@si6networks.com> <m1iuxwI-0000M3C@stereo.hq.phicoh.net> <CABNhwV1XcATmrosW_kRTJgrXyTSNqPe=uR4VDt=_eXtt5=H3CQ@mail.gmail.com> <431eefce-594f-b7bd-4d49-a7a7ddbcd684@si6networks.com> <CABNhwV1wA+ntT1SHzzF19VotpXED=MOD2HTbQq2hL_nhaOR3qw@mail.gmail.com> <7c65c99f-1418-eb07-b984-8ad7ff6b7a62@gmail.com> <CABNhwV0jyS+bgKzHeQe9x-3FZvsr_-BiKVm=-G_LGizC7nR=dw@mail.gmail.com> <CABNhwV0w5tO-4_ixNUWjbAb81vmQvGF_iYmghmqRSuEmVR8Qtw@mail.gmail.com> <4ec87367-07b0-d17d-5db1-044da482183a@gmail.com> <CABNhwV3-zsda4zEf-PxXb_-O2Q6c8y3a_64P4KiLEgrqdaeKCw@mail.gmail.com>
In-Reply-To: <CABNhwV3-zsda4zEf-PxXb_-O2Q6c8y3a_64P4KiLEgrqdaeKCw@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sat, 25 Jan 2020 15:28:08 -0500
Message-ID: <CABNhwV1_B4_OC7dPaj0a8nPuhO4ZAPGom7+3qRrLyLr3GDjXsA@mail.gmail.com>
Subject: Re: RFC4941bis: consequences of many addresses for the network
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, ipv6@ietf.org
Content-Type: multipart/alternative; boundary="000000000000013798059cfcb7c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/TZDMwUFOjZKMis68t4Z9sw1E0P8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jan 2020 20:28:23 -0000

On Sat, Jan 25, 2020 at 3:05 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
>
> On Fri, Jan 24, 2020 at 8:30 PM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
>
>> On 25-Jan-20 12:06, Gyan Mishra wrote:
>> >
>> > Microsoft link - forgot
>> >
>> > On Fri, Jan 24, 2020 at 6:05 PM Gyan Mishra <hayabusagsm@gmail.com
>> <mailto:hayabusagsm@gmail.com>> wrote:
>> >
>> >
>> >
>> >     On Fri, Jan 24, 2020 at 5:11 PM Brian E Carpenter <
>> brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>> >
>> >         >  I agree RFC 7217 stable address is most preferred however
>> Microsoft and Apple don’t support yet.
>> >
>> >
>> >       Gyan>On my IPv6 roadmap list with Microsoft.  So far no ETA.
>> >
>> >
>> >         I have no idea for Apple, but afaik MS switched to pseudorandom
>> stable IIDs per interface a long time ago, before Windows 7 possibly. I
>> haven't seen a modified EUI-64 address on my laptop for a very long time.
>> This is not the same thing as RFC7217 from a privacy point of view, but for
>> network operations and neighbour cache size it seems like the same thing.
>> >
>> >
>> >        Gyan> I think it’s EUI-64 and not modified.
>>
>> No. Here's what my Windows 10 says right now (WAN prefix etc obscured
>> manually). There are no EUI-64 or modified EUI-64 interface identifiers.
>>
>> Microsoft Windows [Version 10.0.17763.737]
>> (c) 2018 Microsoft Corporation. All rights reserved.
>>
>> C:\WINDOWS\system32>ipconfig /all
>>
>> Windows IP Configuration
>>
>>    Host Name . . . . . . . . . . . . : DESKTOP-xxxx
>>    Primary Dns Suffix  . . . . . . . :
>>    Node Type . . . . . . . . . . . . : Hybrid
>>    IP Routing Enabled. . . . . . . . : No
>>    WINS Proxy Enabled. . . . . . . . : No
>>    DNS Suffix Search List. . . . . . : fritz.box
>>
>> Ethernet adapter Ethernet 4:
>>
>>    Connection-specific DNS Suffix  . : fritz.box
>>    Description . . . . . . . . . . . : ASIX AX88772B USB2.0 to Fast
>> Ethernet Adapter #2
>>    Physical Address. . . . . . . . . : E8-03-9A-3C-67-7A
>>    DHCP Enabled. . . . . . . . . . . : Yes
>>    Autoconfiguration Enabled . . . . : Yes
>>    IPv6 Address. . . . . . . . . . . :
>> 2406:e002:xxxx:xxxx:80b2:5c79:2266:e431(Preferred)
>>    IPv6 Address. . . . . . . . . . . :
>> fd63:45eb:dc14:0:80b2:5c79:2266:e431(Preferred)
>>    Temporary IPv6 Address. . . . . . :
>> 2406:e002:xxxx:xxxx:89fa:eda3:4d87:293b(Preferred)
>>    Temporary IPv6 Address. . . . . . :
>> fd63:45eb:dc14:0:89fa:eda3:4d87:293b(Preferred)
>>    Link-local IPv6 Address . . . . . :
>> fe80::80b2:5c79:2266:e431%7(Preferred)
>>    IPv4 Address. . . . . . . . . . . : 192.168.178.30(Preferred)
>>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>    Lease Obtained. . . . . . . . . . : Saturday, 25 January, 2020 14:14:02
>>    Lease Expires . . . . . . . . . . : Tuesday, 4 February, 2020 14:14:02
>>    Default Gateway . . . . . . . . . : fe80::be05:43ff:fe8e:ce39%7
>>                                        192.168.178.1
>>    DHCP Server . . . . . . . . . . . : 192.168.178.1
>>    DHCPv6 IAID . . . . . . . . . . . : 604000438
>>    DHCPv6 Client DUID. . . . . . . . :
>> 00-01-00-01-24-04-A7-BC-9C-DA-3E-8F-05-7F
>>    DNS Servers . . . . . . . . . . . :
>> fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>>                                        192.168.178.1
>>
>>  fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>>    NetBIOS over Tcpip. . . . . . . . : Enabled
>>
>> Wireless LAN adapter Wi-Fi:
>>
>>    Connection-specific DNS Suffix  . : fritz.box
>>    Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
>>    Physical Address. . . . . . . . . : 1A-BC-EF-15-F2-27
>>    DHCP Enabled. . . . . . . . . . . : Yes
>>    Autoconfiguration Enabled . . . . : Yes
>>    IPv6 Address. . . . . . . . . . . :
>> 2406:e002:xxxx:xxxx:db7:d041:a2d:ce65(Preferred)
>>    IPv6 Address. . . . . . . . . . . :
>> fd63:45eb:dc14:0:db7:d041:a2d:ce65(Preferred)
>>    Temporary IPv6 Address. . . . . . :
>> 2406:e002:xxxx:xxxx:6029:b755:ced7:343e(Preferred)
>>    Temporary IPv6 Address. . . . . . :
>> fd63:45eb:dc14:0:6029:b755:ced7:343e(Preferred)
>>    Link-local IPv6 Address . . . . . :
>> fe80::db7:d041:a2d:ce65%23(Preferred)
>>    IPv4 Address. . . . . . . . . . . : 192.168.178.25(Preferred)
>>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>    Lease Obtained. . . . . . . . . . : Saturday, 25 January, 2020 14:13:40
>>    Lease Expires . . . . . . . . . . : Tuesday, 4 February, 2020 14:13:38
>>    Default Gateway . . . . . . . . . : fe80::be05:43ff:fe8e:ce39%23
>>                                        192.168.178.1
>>    DHCP Server . . . . . . . . . . . : 192.168.178.1
>>    DHCPv6 IAID . . . . . . . . . . . : 194828862
>>    DHCPv6 Client DUID. . . . . . . . :
>> 00-01-00-01-24-04-A7-BC-9C-DA-3E-8F-05-7F
>>    DNS Servers . . . . . . . . . . . :
>> fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>>                                        192.168.178.1
>>
>>  fd63:45eb:dc14:0:be05:43ff:fe8e:ce39
>>    NetBIOS over Tcpip. . . . . . . . : Enabled
>>
>> >
>> >     I found this link from Microsoft but it does not state if modified
>> is supported or not.
>> >
>> >
>> >
>> http://download.microsoft.com/download/F/D/F/FDF4CF55-5FDE-4CFF-8539-3662BB5EB7A0/TD13Basel2-43.pptx
>>
>> IPv6 has always used "modified EUI-64". What that 2013 presentation does
>> state is very clear:
>>
>> "Beginning with Windows Vista and Windows Server 2008, a randomized
>> method is utilized to determine the Interface ID instead of EUI-64" (slide
>> 26).
>>
>> In the next line it gives you the magic to revert to modified EUI-64:
>>
>> "netsh int ipv6 set global randomizeidentifiers=enabled|disabled"
>>
>> Regards
>>     Brian
>>
>
>    Gyan> I did some research on this v6ops related topic as far as
> operational impact of RFC 4941 privacy extension.
>
> So Microsoft as stated in the 2013 presentation has implemented RFC 4941
> starting with Vista with the MD5 randomize generated IID that is stored and
> persistent across reboot and only changes if the prefix changes with
> mobility and a new 128 bit address stable address is generated.
>
> The Privacy temporary address is generated from the Ethernet interface
> random IID and the first time generated after initial boot the temporary
> address is the same as the interface IID.  The temporary valid and
> preferred lifetimes are set based on a formula and is less then the LAN
> interface random IID.
>
> So what was envisioned by the author of RFC 4941 was to use the “stable”
> LAN  Random IID “Public” address for incoming connections which would be
> published via DDNS and outgoing connections for user privacy use the
> “privacy” temporary address.  The analogy used in the draft is the stable
> LAN address in the PSTN world is like publishing your phone number in the
> white pages, and your private temporary address is analogous to called ID
> block for anonymity.
>
> The operational complexity behind this approach of using multiple
> addresses is during regeneration is when the temporary address becomes
> depreciated it may still be used for existing outgoing connections while
> the new preferred address now active is being used for new outgoing
> connections.  At the same time all incoming connections are using the dns
> public published “stable” lan interface random IID.
>
> Imagine if you have multiple prefixes sent in PIO options to the host - 4x
> times the number of SLAAC prefixes received.  Way complex troubleshooting
> for operations.  Imagine a help desk rep asking a user “what’s your IPv6
> address”
>
> What Microsoft did not follow in their implementation is RFC 4941
> deployment considerations is that the temporary address should be disabled
> by default due to operational impact.
>
> Quoted from RFC 4941
>
> The use of temporary addresses may cause unexpected difficulties with
>    some applications.  As described below, some servers refuse to accept
>    communications from clients for which they cannot map the IP address
>    into a DNS name.  In addition, some applications may not behave
>    robustly if temporary addresses are used and an address expires
>    before the application has terminated, or if it opens multiple
>    sessions, but expects them to all use the same addresses.
>    Consequently, the use of temporary addresses SHOULD be disabled by
>    default in order to minimize potential disruptions.
>
>
> Disable RFC 4941 LAN interface “stable” Random IID = This should never be
> done as you revert back to OUI Mac based IID
>
> netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
>
>
> Disable temporary address:  Microsoft should have made this default.
>
> netsh interface ipv6 set privacy state=disabled store=persistent
>
>
> I will forward comment on  v6ops and OPSEC WGs and kick of a draft related
> to this critical topic.
>
>       Gyan> Fernando - As the author of RFC 7217 I am wondering as to the
reason why Microsoft and Apple have not adopted your draft for “stable”
IPv6 address.

My guess is that since the Random MD5 generated LAN IID is “stable” and OS
vendors have the option of disabling the temporary address - once that is
done you now have a “stable” random IID and best of both worlds ; single
traceable IPv6 address for incoming and outgoing connections for operations
as the IID does not change ; unless the device moves to a different LAN
drop ; with random MD5 hash generated LAN IID you have the user privacy
concerns met.  I did notice that RFC 7217 also does not preclude use of
temporary address.  So that is even more reason to stay course with RFC
4941.

>
>> >
>> >         Anyway, I hope we're all agreed that this topic, however
>> interesting is not worth more than a small comment in RFC4941bis. Isn't it
>> actually a v6ops topic ("Operational impact of numerous addresses per
>> host")?
>> >
>> >
>> >       Gyan> Agreed
>> >
>> >
>> >
>> >         Regards
>> >            Brian
>> >
>> >     --
>> >
>> >     Gyan  Mishra
>> >
>> >     Network Engineering & Technology
>> >
>> >     Verizon
>> >
>> >     Silver Spring, MD 20904
>> >
>> >     Phone: 301 502-1347
>> >
>> >     Email: gyan.s.mishra@verizon.com <mailto:gyan.s.mishra@verizon.com>
>> >
>> >
>> >
>> > --
>> >
>> > Gyan  Mishra
>> >
>> > Network Engineering & Technology
>> >
>> > Verizon
>> >
>> > Silver Spring, MD 20904
>> >
>> > Phone: 301 502-1347
>> >
>> > Email: gyan.s.mishra@verizon.com <mailto:gyan.s.mishra@verizon.com>
>> >
>> >
>> >
>>
>> --
>
> Gyan  Mishra
>
> Network Engineering & Technology
>
> Verizon
>
> Silver Spring, MD 20904
>
> Phone: 301 502-1347
>
> Email: gyan.s.mishra@verizon.com
>
>
>
> --

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com

v2.23.0 | Report a Bug | By Email