IETF Logo Mail Archive

Re: a draft about on-link and subnet prefixes

神明達哉 <jinmei@wide.ad.jp> Wed, 15 March 2017 00:08 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A023D1316E4 for <ipv6@ietfa.amsl.com>; Tue, 14 Mar 2017 17:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.402
X-Spam-Level:
X-Spam-Status: No, score=-2.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.197, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LitQRdeP3igJ for <ipv6@ietfa.amsl.com>; Tue, 14 Mar 2017 17:08:35 -0700 (PDT)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A794F1293E3 for <ipv6@ietf.org>; Tue, 14 Mar 2017 17:08:35 -0700 (PDT)
Received: by mail-qk0-x233.google.com with SMTP id 1so1433272qkl.3 for <ipv6@ietf.org>; Tue, 14 Mar 2017 17:08:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UGMFwgpilSo+QmSaWmm7QJ9WShvw4IlZtUrFP4ytpNo=; b=OG/D+Rs3dtQ2OCDjUJunXmNDi/PA9F24nPcPwIfOKKIXPrpfLJjVNpc5wmtLaWHzzG iZqrbwNwlyDj6GyWAmqOYAuPaDrfyuJwrvELqAjowJdeGrM7tcFQr/BikhQddST19a8D +STinAGOz+h3CNEJVjvYS7osvokaH6kLQ1hqx2CGn5hP1LRAVzqg78w/0C6II/8/LS5L VfeC0vnSM3E5DlXtrxDyxUyBmf0gZWljuaRn0Bn3PimbKQM1HsGLISpZ09mcOxjDZY8z nMQ6w54hYX3icdQWoT9VmJoE7NbPWmbo4RSsiAR0jNvZkmCzyK1k9CbIuP3El2je5kPO yvAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=UGMFwgpilSo+QmSaWmm7QJ9WShvw4IlZtUrFP4ytpNo=; b=DRa7sRfm+SgJgeE2vRuRu8pVwblPVuFbGiwINEFtPRB/5HG4cYunHWzYOe1oXvPc6n icOTkqtDvHE4cbQ5hgCg0nu8z6DwStv5Dp/oByV7XWTjwzN9j9T9CZ2B2rB5/ScCJXCk nmgweAUVYBgKfBQ5g1oFgaolkxWrUIBzZTjIobakqh4xvbX1urqIqD+nkqIsEKMtYMV7 sHmybonyKG0Cdgm0YCNuplDXqEk7Oe+QKvAdw7Vd0JHfI3sahGHTtnmMvwuI+o7lqfiA WK3Huvf5HM1et5uwsYZPlNvchf17wwBc55yz2RmPX/n/uXyigsNJAcFJDbb4l5YLm5+n Ydqg==
X-Gm-Message-State: AFeK/H0vE8dCFud90EabGWJQI9lTp+i5vFMOLBZUHSMujwNIVoE6y6yxPonwzeheCWW0MeLzzbwRHetGQY8aIA==
X-Received: by 10.233.222.197 with SMTP id s188mr295344qkf.311.1489536514451; Tue, 14 Mar 2017 17:08:34 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.61.204 with HTTP; Tue, 14 Mar 2017 17:08:34 -0700 (PDT)
In-Reply-To: <018c1f82-cd5c-7d59-f92b-9401ddfb11fb@gmail.com>
References: <CAJE_bqdd9OXOi+SZ8_OfGWXxEoKSfoR6=Lp3-_=vEaWbjx4udw@mail.gmail.com> <018c1f82-cd5c-7d59-f92b-9401ddfb11fb@gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Tue, 14 Mar 2017 17:08:34 -0700
X-Google-Sender-Auth: p_yCPp48Dw1KEyvO3XBqWZXmpKY
Message-ID: <CAJE_bqfGLngOuGzyTyRFrSOjn1kCkz3RBO0rojFCqqpYWgOZNw@mail.gmail.com>
Subject: Re: a draft about on-link and subnet prefixes
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Cc: IPv6 IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/YhSLrzdkJIqcUipRp-na4z_safM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 00:08:39 -0000

At Tue, 14 Mar 2017 09:47:49 +0100,
Alexandre Petrescu <alexandre.petrescu@gmail.com> wrote:

> I suggest adding the following upfront:
>
> "The onlink|SLAAC dichotomy MAY be applied; if it is applied, then the
>   routing towards that subnet MUST use the shortest plen of the two"
>
> E.g. if the on-link prefix is 48 and the SLAAC prefix is 64 then the 48
> (not the 64) must be in the rt tables of routers with routes towards
> that subnet.

Thanks for the feedback.  I'm not sure how to interpret this, but in
any event, adding a new MAY or MUST is clearly out of scope of this
draft.  It only intends to explain what the current specifications try
to specify in case it may no be very clear.

> > I've submitted a new individual draft on the separation between
> > on-link and (SLAAC) subnet prefixes, at the risk of stating the
> > obvious:
> > https://datatracker.ietf.org/doc/draft-jinmei-6man-prefix-clarify/
>
> I have read the draft.  It was a good read, thank you.  It clarifies the
> difference between on-link prefixes and SLAAC prefixes.
>
> Here are my comments in summary:
>
> 1. It does not resolve the question of whether or not the 64bit IID
>     should be required in the IPv6 Addressing Architecture.

No it doesn't, and it's intentional.

> 2. The explanation of the dichotomy onlink|SLAAC should be accompanied
>     by a recommendation of using the shortest plen of the two (even when
>     that plen is not 64) in the Internet routing setup towards that
>     subnet.  This is the crux of it.

I'm not sure what this means.

>     This recommendation should acknowledge that when that plen is larger
>     than 64, SLAAC/Ethernet can not work.

There's no recommendation in this draft; it only talks about facts.
Anyway, it's true that if (SLAAC subnet) plen is larger (or shorter)
than 64 SLAAC over Ethernet does not work.  It's already covered in
bit more generalized text:

   [...]  This means that, for example, if the length of
   interface identifiers for the link is specified as 63, 64, or 65,
   then the SLAAC subnet prefix length must be 65, 64, or 63,
   respectively; otherwise the PIO is ignored for the purpose of SLAAC.

>     This recommendation should acknowledge that when that plen is smaller
>     than 64, SLAAC/Ethernet can work by using 64 for SLAAC and plen for
>     on-link determination.

I'm not sure what this means.  But, as long as the current
specifications go, SLAAC doesn't work on Ethernet if the subnet prefix
is smaller (or larger for that matter) than 64.  If you are trying to
propose loosening it, that's fine - please write a proposal in a
separate draft.  But that's out of scope of this draft, which only
talks about what current standards state.

> 3. The draft would benefit from dealing with LL addresses too.

Perhaps, but I intentionally made it more focused to avoid
distraction, at least for the 00 version.

> Details below:
>
> > Although this misunderstanding would normally not cause troubles in
> > practical deployments, it can be a source of operational surprise or
> >  interoperability problems once an administrator wants to exploit the
> >  idea of this separation more "creatively".
>
> This needs the administrator to have ability to set distinct routes
> towards presumably distinct 'on-link' and SLAAC prefixes.
>
> > For brevity, this document focuses on global unicast prefixes.
> > Discussions on any other types of prefixes, including unicast link-
> > local prefixes, are out of scope of this document.
>
> <LL>

I'll skip any LL-specific discussion to avoid distraction.  If and
when we see the need to cover this topic within this draft, I'll come
back to these points.

> </LL>
>
> > [RFC4861] and [RFC4862] intentionally separate the concept and
> > handling of on-link prefixes and SLAAC subnet prefixes, even when
> > they are specified in the same single PIO.
[...]
> However, this dichotomy has very many consequences.
>
> A number of RFCs and I-Ds misunderstand this dichotomy "on-link"|"SLLAC"
> and make wrong recommendations.  Maybe you want this draft to clarify
> all these RFCs?

Which RFCs are they?  I don't intend to update any existing RFCs in
this draft, but I could refer to those RFCs as example cases if and
when I revise the draft.

> One of the worst consequence is the allocation of single /64 prefix for
> an end user.  Many drafts and their respective deployments only give a
> /64 to the end user: it is used both for SLAAC _and_ for on-link
> determination.  If they agreed the dichotomy then they would give at
> least two distinct prefixes to the end-user: one for SLAAC and one for
> on-link determination.

Perhaps, but such a discussion is out of scope of this draft.

> Another consequence is the possibility to make wrong configurations.
>
> A wrong configuration is the following: in a subnet where plen1 is for
> on-link determination and plen2 is for SLAAC, it is easily possible to
> make a Host believe a Neighbor is on-link whereas the routing system to
> which that subnet is connected routes to another subnet for same Neighbor.
>
> If somebody plays too much with this plen1 and plen2 configurations
> (onlink|SLAAC) on a subnet one can easily make mistakes.  There is no
> recommendation how to avoid these mistakes.
>
> Recommendations about how to play with this onlink|SLAAC dichotomy will
> need to take into account how routing is based on longest-prefix match.
>
> Also these recommendations must make sure that allocating a
> single /64 to an end user does not get into widespread use.

Ditto.

> > Perhaps the administrator of the link wanted to force most of on-link
> > communication to 2001:db8:1:2::/64 to be first sent to a default
> > router, while allowing a particular set of hosts (those using the
> > address that match the on-link prefix) to communicate directly.
>
> I agree with the use-case.
>
> But maybe the administrator should know too that the default router will
> reply back with an ICMP Redirect leading to an end result where the
> on-link prefix is same as the SLAAC prefix in the rt table.

Yes (although the admin would disable sending redirects if this is
really the operation they want and their router supports the knob),
that's why the draft says "first sent to a default router".  Anyway,
as admitted this is an imaginary use case.  I didn't intend to insist
that's necessarily realistic.

> >    An on-link prefix could be longer than an SLAAC subnet prefix.  For
> >    example, when the latter is 2001:db8:1:2::/64, the former could be
> >    2001:db8:1:2:3:4::/80.
>
> I agree it could be.
>
> But in this case, one also must make sure the routing towards that
> subnet is the SLAAC's /64 (not the 'onlink's /80).

I don't see why.

> >    An on-link prefix could also be shorter than an SLAAC subnet prefix.
> >    For example, when the latter is 2001:db8:1:2::/64, the former could
> >    be 2001:db8:1::/48.
>
> I agree it could be.
>
> In this case, one also must make sure the routing towards that subnet is
> the onlink's /48, and not the SLAAC's /64.

Implementation specifics (whether it's implemented as a "route") aside,
an RFC4861-compliant host implementation should already do so.

> Lacking of saying so leads to the undesirable situation of operators
> allocating a /64 for a ptp link.
>
> To combine the two, a recommendation would be:
>
> "The onlink|SLAAC dichotomy may be applied only if the routing towards
>   that subnet uses the shortest plen of the two; that could be a value
> less than 64."

(Aside from whether this makes sense or not) again, there's no
recommendation in this draft.  It only explains what current protocol
specifications state, just more explicitly.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email