IETF Logo Mail Archive

RFC4941bis: consequences of many addresses for the network

otroan@employees.org Thu, 23 January 2020 08:59 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8085812022E for <ipv6@ietfa.amsl.com>; Thu, 23 Jan 2020 00:59:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNLhBOmb5udj for <ipv6@ietfa.amsl.com>; Thu, 23 Jan 2020 00:59:21 -0800 (PST)
Received: from clarinet.employees.org (clarinet.employees.org [IPv6:2607:7c80:54:3::74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 200D412020A for <ipv6@ietf.org>; Thu, 23 Jan 2020 00:59:21 -0800 (PST)
Received: from astfgl.hanazo.no (unknown [IPv6:2a02:2121:2ca:6d01:cc46:3947:bc3f:c93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 6BF834E11B6C for <ipv6@ietf.org>; Thu, 23 Jan 2020 08:59:20 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id BD4862948F3F for <ipv6@ietf.org>; Thu, 23 Jan 2020 09:59:17 +0100 (CET)
From: otroan@employees.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Subject: RFC4941bis: consequences of many addresses for the network
Message-Id: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org>
Date: Thu, 23 Jan 2020 09:59:17 +0100
To: 6man WG <ipv6@ietf.org>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/V3A7eI81bnktuK-LjQjreKDlK1s>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 08:59:23 -0000

While reviewing RFC4941bis (https://tools.ietf.org/html/draft-ietf-6man-rfc4941bis) I think I found one gap.

A discussion of the consequences of a host having many (active) addresses on the network.

A 4941bis implementation following the defaults, would at the maximum use 8 active addresses.
(Valid lifetime of one week and one new address per day.)

Shorter regeneration intervals or other approaches like a new address per connection could lead to dramatic numbers.

If we use Ethernet as an example, each new address requires state in the network. In the ND cache in first-hop routers, and in SAVI binding tables in bridges. Given ND's security properties these tables must be policed by the network. A host with a very liberal address regeneration policy might be viewed as performing an attack.

There is no signal available in SLAAC apart from DAD to reject an address. If the network runs out of resources (or prohibits the additional address by policy) the address will not be served. The host has to be deal with that situation.

SLAAC is also missing a mechanism to release an address. Which leads me to think that the address regeneration interval must not be shorter than the ND cache scavenger timeout (which in many networks is high to avoid cache churn and high level of address re-resolutions).

I would like to hear from other network-side implementors and operators.
Is there an issue here?

Best regards,
Ole

v2.23.0 | Report a Bug | By Email