IETF Logo Mail Archive

Re: RFC4941bis: consequences of many addresses for the network

Bob Hinden <bob.hinden@gmail.com> Thu, 23 January 2020 17:34 UTC

Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D81D3120998 for <ipv6@ietfa.amsl.com>; Thu, 23 Jan 2020 09:34:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yzQgZyGoX1SA for <ipv6@ietfa.amsl.com>; Thu, 23 Jan 2020 09:34:27 -0800 (PST)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33F6D1209CD for <ipv6@ietf.org>; Thu, 23 Jan 2020 09:34:27 -0800 (PST)
Received: by mail-wr1-x435.google.com with SMTP id q10so4020199wrm.11 for <ipv6@ietf.org>; Thu, 23 Jan 2020 09:34:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ejeBDJsdRbnYbZxsYxDIqQmqRijPK0ZepCesaK1uEUQ=; b=dQKygRztqjJe6msay3hLbRHAjGnQIiE8eA8vjxkPHyJI2UL1EXD1gDh2BMpBGRIWHM lO+4BCvo2MGg6iLoOhdhz9dIe7ayjpVHnKoS/rz18TRSV0fASrtXWPjZqn8FmY+KfwP7 H4ojaq5/4WGKsqZVhdKukKO+3ZUR3026mQVACuRUc3bTpi3QN6Z1G+03cttfEv95g5uk CN31bAit8uOai+CAhLAYD5pAuT17Rkr9RklQYDRVbtyxO0bTgOBvj27fjC/89es0Q8hh dx3rWlWIxYtJH8Gg0jNKoHS4ZK/Wf9kX2zycA6lJBCDx4jHRwXvE9pGggZylP0SN82Ns hB/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ejeBDJsdRbnYbZxsYxDIqQmqRijPK0ZepCesaK1uEUQ=; b=dt0tp7vQ5sWCJcJd1StPJzawiQEycpw14XeHOTw9elL+pN2Io+ge+le1Cz/D3n3rgd Ks0m7CiGIrjVdShpz1HPN6SEH39rOX+k4T+ScFSXVeuUU1vdjcFS7+QiWrzUJugRe0gy 2hXIsHKFCLrrRtfc/EOAzCl/QwQ3w8yfOeCpqyJLy0gkP/4FrIwA3BbrQ7eGbwOSRavg O4h+gR3oTBT9SpyoNhsfAqVDvpBuq5BOmO2M0RmtZg2uXxdOCbZeLmgnuoiRwozr1JQS sw0pjmk2xL1tkibgPyiNG4FjX/T73M/KxWQta1v+6jTen4MO1vVLAcfo4R7MRGgxZUeO DbIQ==
X-Gm-Message-State: APjAAAX1qAOFpViiNPCwsN6BumNBH1KLIkukV25tH4OdK0PtqjX9YhHQ CaIhnilF/bj6CB66VBNP+O8=
X-Google-Smtp-Source: APXvYqztIwv/xmUoru1iJySxGVmKWEw7AMaqtKXawe26hMc5gQbHeqlMCE9grA1yOEvZCtKOWb2Fbg==
X-Received: by 2002:a05:6000:1142:: with SMTP id d2mr18617962wrx.253.1579800865666; Thu, 23 Jan 2020 09:34:25 -0800 (PST)
Received: from ?IPv6:2601:647:5a00:ef0b:9016:45d6:dcb1:3b90? ([2601:647:5a00:ef0b:9016:45d6:dcb1:3b90]) by smtp.gmail.com with ESMTPSA id n189sm3652460wme.33.2020.01.23.09.34.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Jan 2020 09:34:23 -0800 (PST)
From: Bob Hinden <bob.hinden@gmail.com>
Message-Id: <2044DC74-3529-45BF-9886-56030B5EA515@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8A3FD36A-7906-45C0-9F64-6042958EFD97"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: RFC4941bis: consequences of many addresses for the network
Date: Thu, 23 Jan 2020 09:34:18 -0800
In-Reply-To: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
To: Ole Trøan <otroan@employees.org>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/cBpz8ghYqV4MjNJq_VO1rUUhCqA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 17:34:31 -0000

Ole,

Clearly a very number of addresses is a problem for router and other devices on the link.   I note looking at my local machine (MacOS 10.14.6) I have five IPv6 addresses:

Link-local
ULA (temp and secured)
Global  (temp and secured)

My router advertises a Global and ULA prefix.

This seems to be current practice.   Is this a problem?   If I had 100 local devices on my link that would be 700 addresses, 1000 devices, then 7,000 addresses.  Is that excessive?   Also, depends on how the nodes manage this state, completely separate entries for each address, or all the addresses tied to the same link address.

For RFC4941bis, I think text that raises the issue is a good thing, but the issue isn’t created by the bis draft, it a part of SLACC.   We have multiple ways of creating IPv6 addresses, they all contribute to this.

I think a new document that discusses the issue and makes some recommendations would be useful.

Bob






> On Jan 23, 2020, at 12:59 AM, otroan@employees.org wrote:
> 
> While reviewing RFC4941bis (https://tools.ietf.org/html/draft-ietf-6man-rfc4941bis) I think I found one gap.
> 
> A discussion of the consequences of a host having many (active) addresses on the network.
> 
> A 4941bis implementation following the defaults, would at the maximum use 8 active addresses.
> (Valid lifetime of one week and one new address per day.)
> 
> Shorter regeneration intervals or other approaches like a new address per connection could lead to dramatic numbers.
> 
> If we use Ethernet as an example, each new address requires state in the network. In the ND cache in first-hop routers, and in SAVI binding tables in bridges. Given ND's security properties these tables must be policed by the network. A host with a very liberal address regeneration policy might be viewed as performing an attack.
> 
> There is no signal available in SLAAC apart from DAD to reject an address. If the network runs out of resources (or prohibits the additional address by policy) the address will not be served. The host has to be deal with that situation.
> 
> SLAAC is also missing a mechanism to release an address. Which leads me to think that the address regeneration interval must not be shorter than the ND cache scavenger timeout (which in many networks is high to avoid cache churn and high level of address re-resolutions).
> 
> I would like to hear from other network-side implementors and operators.
> Is there an issue here?
> 
> Best regards,
> Ole
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email