IETF Logo Mail Archive

Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Sander Steffann <sander@steffann.nl> Fri, 19 October 2018 16:42 UTC

Return-Path: <sander@steffann.nl>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28673130DC3 for <ipv6@ietfa.amsl.com>; Fri, 19 Oct 2018 09:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=steffann.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rHBn8Rg2kRuy for <ipv6@ietfa.amsl.com>; Fri, 19 Oct 2018 09:42:12 -0700 (PDT)
Received: from mail.sintact.nl (mail.sintact.nl [83.247.10.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E99B1130DD2 for <ipv6@ietf.org>; Fri, 19 Oct 2018 09:42:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.sintact.nl (Postfix) with ESMTP id F3C664A; Fri, 19 Oct 2018 18:42:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=steffann.nl; h= x-mailer:references:message-id:content-transfer-encoding:date :date:in-reply-to:from:from:subject:subject:mime-version :content-type:content-type:received:received; s=mail; t= 1539967326; bh=RINt897S7xus4NcHvkz/SBrT9DsXOdMs2gQlLVJJFaw=; b=V 10aX2C/f/ISQ1TrmJElykrNt2aTUPxj0fm3frr9jlH1f7A7jEZrlsDwBQthnf7da X9RZhbK3hDl/YQncBnvAmc1Ok1RsCcnu5T8pfYhH1JVuiIO+15iv6TF9tbiLcWYU qgG+15FSa0W7t3vHu1p1+Gh9h0+H6T4tVWPhsvRH8M=
X-Virus-Scanned: Debian amavisd-new at mail.sintact.nl
Received: from mail.sintact.nl ([127.0.0.1]) by localhost (mail.sintact.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id h1JZXEH7Kl28; Fri, 19 Oct 2018 18:42:06 +0200 (CEST)
Received: from [172.20.10.3] (unknown [188.206.74.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail.sintact.nl (Postfix) with ESMTPSA id 3947E49; Fri, 19 Oct 2018 18:42:04 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
X-Clacks-Overhead: GNU Terry Pratchett
From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <alpine.DEB.2.20.1810191604200.26856@uplift.swm.pp.se>
Date: Fri, 19 Oct 2018 18:42:03 +0200
Cc: 6man WG <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CABB810B-A895-4D1E-ABD8-DA8CA699F056@steffann.nl>
References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com> <CAFU7BASO_ByzbanhLKnWV280O_fASd-8W+ujpj3sN6d2-whw2w@mail.gmail.com> <CACWOCC-u7aAPwAOcixYvt2On=-o_8X25GhqdXTfA+tWRC1o2XA@mail.gmail.com> <alpine.DEB.2.20.1810191534430.26856@uplift.swm.pp.se> <422E06B9-8A68-4905-9901-7F4E201ADAB2@employees.org> <alpine.DEB.2.20.1810191557270.26856@uplift.swm.pp.se> <alpine.DEB.2.20.1810191604200.26856@uplift.swm.pp.se>
To: Mikael Abrahamsson <swmike@swm.pp.se>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/XmGEcTcQNLEtPQcOhzNmsIJf0uw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2018 16:42:14 -0000

Hi Mikael,

> I want this RA flag to be the input of a decision the host makes to turn off IPv4, but one of potentially several. If you all of a sudden see this, don't turn off IPv4 immediately but perhaps wait 5-10 minutes since you last had working ARP or saw DHCPv4 reply. If you see it on network attach, do try DHCPv4 a few times and see if something answers. Perhaps do higher exponential backoff on your re-tries for DHCPv4 messaging.

This would take away most (maybe all) of my objections to this draft. An "if you don't get IPv4 working then don't worry, it's intentional" flag to change retries and timers wouldn't be a problem and would actually be very helpful.

> Since I don't know much about how hosts treat IPv4 internally and we don't have an v4ops group to discuss it in, I don't think this is 6mans job to come up with exact descriptions what host operating systems do with this information.

I don't agree with that. We can describe that intention without going into details. How about:

"""
On IPv6-only networks there will be no DHCPv4 server. Hosts that fail to acquire addresses with DHCPv4 and that see this flag set in all RAs from its default gateways SHOULD treat that in the same way as a network with the DoNotAutoConfigure option set as described in RFC 2563. A host SHOULD also increase its timers for retrying DHCPv4 to avoid causing unnecessary background noise on the network.
"""

> The only thing I as an network operator want is to lessen the load of multicasts/broadcasts in the air for devices never-endingly trying to do IPv4. From what I can tell, IETF has no working group with critical mass to work on this problem. Sunset4 is gone.

I recognise this desire, and with what is described above I would be happy.

My main fear is for SMB networks which often are still IPv4-only (which also needs to be fixed, but that's a separate issue), don't have managed switches or WiFi controllers with no RA Guard etc. There are many of such networks. Those networks are vulnerable to rogue RAs already, but happy eyeballs can mitigate the impact of someone messing with that. If this flag can kill IPv4 on the network then hosts become completely disconnected and happy eyeballs won't be able to mitigate anymore.

Yes, a serious attacker can do more harm even without this flag. This flag could however make it possible for kids/students/disgruntled employees/me/etc to bring down the network with a single packet. Such networks have no capacity for debugging anyway, and because of the low number of packets necessary to sustain the attack won't know what hit them. ISPs will get calls about the internet being broken, ICT consultants will spend hours searching for the cause of the problem, they will all blame "that annoying IPv6 thingy" etc etc etc. Let's avoid all of that.

Cheers!
Sander

v2.23.0 | Report a Bug | By Email