IETF Logo Mail Archive

Re: [v6ops] IPv6 link-local traffic questions

Toerless Eckert <tte@cs.fau.de> Thu, 12 March 2020 21:10 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7813A0973; Thu, 12 Mar 2020 14:10:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V8GLY2E2-ET4; Thu, 12 Mar 2020 14:09:59 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 764D03A096E; Thu, 12 Mar 2020 14:09:59 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 6A78454842E; Thu, 12 Mar 2020 22:09:54 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 63E52440040; Thu, 12 Mar 2020 22:09:54 +0100 (CET)
Date: Thu, 12 Mar 2020 22:09:54 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Jen Linkova <furry13@gmail.com>
Cc: 6man <6man@ietf.org>, V6 Ops List <v6ops@ietf.org>, bier@ietf.org
Subject: Re: [v6ops] IPv6 link-local traffic questions
Message-ID: <20200312210954.GA34894@faui48f.informatik.uni-erlangen.de>
References: <20200312000016.GO54522@faui48f.informatik.uni-erlangen.de> <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAFU7BAT-LP5TC9dpYw+5j8T8H_8XMF=tcY-Qsbg5=MOgUYNk+A@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/X9xhQuq11enjD0wNkUGEtsh6bPQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 21:10:01 -0000

On Thu, Mar 12, 2020 at 11:33:37AM +1100, Jen Linkova wrote:
> I believe it depends what you are trying to achieve. If you want to
> make sure that the traffic never leaves the network - then hop limit =
> 1 helps. But using link-local sources/destinations would help even
> better if the routers comply with RFC4291 Section 2.5.6

Yes, i am assuming 2.5.6 is mandatory given how this is standards track
and how abence of RFC2119 langauge does not render "must" into a non
standard requirement.

> If you want to make sure those packets are not sent by a malicious
> party from outside - hop limit shall be 255.
> For example, see RFC4861 Section 3.1
> Neighbor Discovery.

Ah, nice. I never looked into all those encoding details. Thanks.

Preceeding RFC5082 and hence not referring to it, and neither does
RFC5082 refer to RFC4861, thats why i couldn't easily find it by sea4rching.

> > There is an additional set of consideration re. link-local traffic
> > when trying to use it as a HW accelerated tunneling mechanism across links,
> > a use we both have in ANIMA, and maybe get the same in BIER (probably
> > other WGs too, not sure).
> >
> > In implementations, i have seen quite a range of issues with
> > accelerated forwarding planes across link-local addressed tunnels,
> > and when using non-link-local addresses (loopback addresses),
> > the HW plane forwarding might have issues doing HW forwarding, because
> > usually TTL=1 is only used for control plane traffic. Of course,
> > this is not a good architectural argument, but if given architectural
> > leeway to even choose 42, maybe GTSM/255 is easier to be supported
> > across various HW accelerated forwarding planes than 1.
> >
> > Opinions and experiences welcome!
> 
> If you control the router I'd say 'link-local source/destination,
> HL=255 AND RFC4291 would be the best option.

RFC4291 seems redundant given how its mandatory anyhow, but of course
helpfull to remind readers of new specs.

Given how 4291 is widely deployed it certainly qualifies well as
sufficient proof of the mechanism widely deployed - for control plane.

So, effectively, architcturally, the sending TTL is a choice of the application,
and for control plane apps, we evolved choosing from 1 first and now BCP
is 255.  Coming from multicast, i kinda grew up with the
belief there is a MUST use TTL=1 somewhere for a long time (when using
link-local addresses), but never verified that belief.

Still hesitant of prescribing 255 for hardware accelerated forwarding 
plane use case, but given how link-local tunnels aren't really a thing
it would be hard to find prior evidence of successful wide deployment.
Given how i tinkered with them, i've seen all type of troubles,
including TTL ones.

> I did see a few devices somewhere far away sending me ICMPv6 (packet
> too big) from their link-local addresses but it was not very common
> case.

Agree. same here.

Thanks & Cheers
    Toerless

> 
> -- 
> SY, Jen Linkova aka Furry

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email