Re: simpler prefix delegation
Laurent.Clevy@alcatel.fr Thu, 18 March 2004 14:00 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA11287 for <ipv6-archive@odin.ietf.org>; Thu, 18 Mar 2004 09:00:02 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3y3a-00084P-GP for ipv6-archive@odin.ietf.org; Thu, 18 Mar 2004 08:59:34 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2IDxYcB031015 for ipv6-archive@odin.ietf.org; Thu, 18 Mar 2004 08:59:34 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3y3a-00084A-7o for ipv6-web-archive@optimus.ietf.org; Thu, 18 Mar 2004 08:59:34 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA11229 for <ipv6-web-archive@ietf.org>; Thu, 18 Mar 2004 08:59:31 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B3y3Y-0001Bm-00 for ipv6-web-archive@ietf.org; Thu, 18 Mar 2004 08:59:32 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B3y2b-000145-00 for ipv6-web-archive@ietf.org; Thu, 18 Mar 2004 08:58:34 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1B3y1m-0000wu-00 for ipv6-web-archive@ietf.org; Thu, 18 Mar 2004 08:57:43 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3y17-0007dE-CR; Thu, 18 Mar 2004 08:57:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3y0U-0007br-Vq for ipv6@optimus.ietf.org; Thu, 18 Mar 2004 08:56:23 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA11021 for <ipv6@ietf.org>; Thu, 18 Mar 2004 08:56:20 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B3y0T-0000lP-00 for ipv6@ietf.org; Thu, 18 Mar 2004 08:56:21 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B3xzU-0000do-00 for ipv6@ietf.org; Thu, 18 Mar 2004 08:55:21 -0500
Received: from gc-na5.alcatel.fr ([64.208.49.5] helo=smail3.alcatel.fr) by ietf-mx with esmtp (Exim 4.12) id 1B3xya-0000QQ-00 for ipv6@ietf.org; Thu, 18 Mar 2004 08:54:24 -0500
Received: from frmail30.netfr.alcatel.fr (frmail30.netfr.alcatel.fr [155.132.182.163]) by smail3.alcatel.fr (ALCANET/NETFR) with ESMTP id i2IDrKS8000952; Thu, 18 Mar 2004 14:53:21 +0100
Received: from alcatel.fr ([172.25.81.180]) by frmail30.netfr.alcatel.fr (Lotus Domino Release 5.0.9a) with ESMTP id 2004031814531480:4109 ; Thu, 18 Mar 2004 14:53:14 +0100
Message-ID: <4059A9CB.1060106@alcatel.fr>
Date: Thu, 18 Mar 2004 14:53:15 +0100
From: Laurent.Clevy@alcatel.fr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Pekka Savola <pekkas@netcore.fi>
Cc: ipv6@ietf.org, skylane@etri.re.kr, erik.nordmark@sun.com, Olivier Marcé <Olivier.Marce@ms.alcatel.fr>
Subject: Re: simpler prefix delegation
References: <Pine.LNX.4.44.0403181040540.26360-100000@netcore.fi>
In-Reply-To: <Pine.LNX.4.44.0403181040540.26360-100000@netcore.fi>
X-MIMETrack: Itemize by SMTP Server on FRMAIL30/FR/ALCATEL(Release 5.0.9a |January 7, 2002) at 03/18/2004 14:53:15, Serialize by Router on FRMAIL30/FR/ALCATEL(Release 5.0.9a |January 7, 2002) at 03/18/2004 14:53:20
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Alcanet-MTA-scanned-and-authorized: yes
Content-Transfer-Encoding: quoted-printable
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
Hi, We are working on the subject since last year and have a first prototype that does prefix delegation and global address configuration on a simple IPv6 network. Here follows some thoughts that could help, I hope. Pekka Savola wrote: >Hi, > >This started from me looking at draft-bykim-ipv6-hpd-01.txt, what it >was before that, DHCPv6 + PD, a few proposals at v6ops for integrated >prefix delegation, etc.. -- I couldn't help thinking, "there must be >an easier way to delegate an IPv6 prefix in the simplest setups (e.g., >when v6 connectivity is obtained through a tunnel) -- DHCPv6 is way >too heavy-weight". > >This is where I got. Thoughts appreciated. > >Problems with the spec (draft-bykim-ipv6-hpd-01.txt) >---------------------- > >I think this is a useful continuation of Brian/Jim's Automatic Prefix >Delegation work. All the problems in the world are not necessarily solved >by DHCPv6... so I think developing an extremely simple PD protocol could be >very useful. The applicability area I see for this are the cases where >DHCPv6 is not being used, especially when the ISP wants to offer IPv6 >support very simply, using a tunnel. > >However, this document goes into a bit too complex direction. There are >multiple problems with the approach as-is: > > - Why use PrefixCnt, and not PrefixLen when sending the Delegator Query? >The most important thing is the length of the desired prefix, not the number >of them, after all. The whole PrefixCnt thing seems fishy to me, all in all >-- the same information can be obtained by using an appropriate PrefixLen! > > > How a delegator has to allocate address space is a key point IHMO. A Delegator has to split a unique and large address space into several smaller ones. And this address small can be used in two ways: - link numbering - sub-delegation the right to sub-delegate a given prefix could be allowed by a delegator to a requetor, or not: only for link-numbering. to avoid the usage of all the address space of delegated prefix very quickly. > - Similarly, PrefixDiff doesn't seem to be all that useful. > > > how the prefix length is raising represents how fast the address space is used from the root router to leaf routers. > - CGA security does not work unless you use Signature options from SEND as >well, so that can be scrapped. > > - 2 roundtrips are needed, with 4 different messages to get a prefix: a bit >too many for my taste. > > > Finding a delegator is different from retrieving a prefix. Like finding the authority and the resource. I think is interesting to dissociate the 2 tasks, for example to be able to retrieve prefixes from 2 different delegators. > - The draft makes confusion about "built-in routing". That sort of thing >is integrated with prefix delegation in any case: you can't have it without >-- as static routes are set in any case. This seems unnecessary to mention >here. > > - The scope is not clear; why would one need hierarchical prefix >delegation where one would not use routing? That is, if one gets a /64, it >cannot be delegated (in a meaningful way) forward. If one gets a /48 (e.g., >on a home network), why would one need to delegate it forward -- are there >routers there, requesting smaller prefixes -- I hope not! And in an >Enterprise, you want to set this up manually in any case. So the whole >hierarchical part appears to be really fishy, and should be removed unless >clear justification is found. > > > I see in HPD a simple way to have unique and global subnet values based on a global initial prefix. And when link numbering is well done, resulting propagated routes can be minimized. >So -- I think think the spec has suffered from a serious feature creep, with >little regard to the actual user needs. > >But, I'd still propose to go forward with this (or another document, started >from scratch), in an entirely different format and design tradeoffs, as >described below. > >I could write it, but I would prefer if someone else wanted to work on >this (too many things in progress at the moment.) > >Current model is basically like: >-------------------------------- > > 1. Delegator Query, looking up the delegators and signalling the number of > prefixes solicited (no prefix length?). > 2. Response w/ nmber of prefixes and prefix len difference (how?) > 3. Prefix Request to request prefixes (not telling which) > 4. Response w/ prefix delegated > >Return: prefix returned message -- replied with prefix returned. > >Renewal: renewal message. > >As you see, there are a lot of different messages, with different subcodes: >really difficult to understand.. > > > I think the approach is good, even using another link-local messaging, we thought of course about using ND and SEND to secure the Delegator claimed role. >Proposal >-------- > >Instead, use Neighbor Discovery messages rather than directly putting them >on top of ICMPv6. This gives the benefit of being able to use all the >functions of SEND without any specification, as SEND only protects neighbor >discovery messages (and all of them, if you just plug in the signatures etc!). > >[[ the features in double brackets are ones that could be easily >added, but IMHO I'm not sure whether that is worth the effort. ]] > >Now, the messages could be like: > > > I think a first step could be to find a trusted Delegator, to avoid abuse of a malicious prefix provider node (using SEND and signature ND option). > Prefix Solicitation: sent to "all-prefix-delegators" link-local multicast >address or a unicast address (learned using means outside the scope of this >memo; but link local) > * addresses checked to be link-local, TTL=255. (same for all the >messages.) > * Includes PrefixLen field, indicating the preference for the prefix > length > * Includes a "Test" flag: if given, the routers does not > actually delegate the prefix, only show which prefix they would have > given. (This can be used to pick among the routers, as well as learn > which kind of prefixes/lengths they would be giving. But the point is > that if there are multiple routers which are willing to give you a prefix, > why not get prefix from each unless explicitly desiring otherwise?) > * Includes a "No Refresh" flag: if given, do not refresh the existing > prefixes, but allocate new ones; the old ones continue to be used. If > not given, refresh the old prefixes (if delegated) or allocate new ones > (if no existing delegation). > * [[ no PrefixCnt field, as this seems unnecessary -- just use > PrefixLen or ask again -- but could be plugged > in later if deemed necessary ]] > * [[ no authentication/user identification options; authentication > is assumed to be obtained > on the link layer. However, it is possible to include Authentication > type and length fields (1 octet each) which can be used to piggyback > different kinds of authentication information, later on if needed. > Authentication could also be done with SEND. ]] > * [[ one could have "reverse DNS delegation requested" flag here as well, > with an option which could encode DNS server address(es), but I don't > think that's really important for mainstream use.]] > > > > Prefix Delegation: sent to the unicast link-local address of solicitor > * includes Test flag, to indicate whether delegation was really done > * [[ could also have reverse DNS delegated flag, as described above, but > IMHO doesn't seem to be really important for now.]] > * includes the prefix(es) delegated to the user. > > [[ each prefix could have a > lifetime as well; lifetime of zero means "not specified" -- no > refreshing is needed as long as NUD works. If lifetime not > specified, the lifetime of RAs on downstream interfaces SHOULD NOT be > greater than 7200 seconds. ]] > >[[ Prefix Maintenance: miscellaneous messages > * code 0: return the prefix; used by the solicitor to give back a prefix, > either when ceasing to use it or when refusing the prefix delegation. >]] -- could be used for serious DoS unless authenticated. > >The solicititor SHOULD run NUD on the interface. If NUD fails to the >routers which have delegated prefix(es), MAY send a Prefix >Solicitation message with "No Refresh" not set (to know whether the >delegation exists; if it doesn't, to get a new one). If some other >indication has been received that the interface has went up/down, may >similarly re-initiate the procedure. > >Would this seem to make sense? This also fulfills the prefix delegation >requirements draft's requirements pretty well AFAICS. > > > to go further until link numebering, and to avoid to much prefixes usage on the same link, our experiment showed that a link prefix "negociation" is useful. Hope the propositions above could help. I'm adding a big Thanks to APD and HPD authors for their work on the problem. Regards, Laurent Clévy -- Laurent Clévy Alcatel CIT, R&I Voice: +33 (0)1 69 63 18 34 Route de Nozay Fax : +33 (0)1 69 63 13 59 91460 Marcoussis mailto:Laurent.Clevy@alcatel.fr -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Re: simpler prefix delegation Pekka Savola
- simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Ole Troan
- Re: simpler prefix delegation Ole Troan
- Re: simpler prefix delegation Laurent.Clevy
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Pekka Savola
- RE: simpler prefix delegation BINET David FTRD/DMI/CAE
- Re: simpler prefix delegation Alain Durand
- Re: simpler prefix delegation Brian E Carpenter
- Re: simpler prefix delegation Christian Strauf
- RE: simpler prefix delegation Byung-Yeob Kim
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Ole Troan
- RE: simpler prefix delegation Christian Huitema
- Re: simpler prefix delegation JINMEI Tatuya / 神明達哉
- Re: simpler prefix delegation Erik Nordmark
- Re: simpler prefix delegation Fred Templin
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Wataru Kawakami -ipv4-
- Re: simpler prefix delegation Ole Troan
- RE: simpler prefix delegation matthew.ford
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Shin Miyakawa