IETF Logo Mail Archive

Re: Disabling temporary addresses by default?

Gyan Mishra <hayabusagsm@gmail.com> Tue, 28 January 2020 18:00 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF606120045 for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 10:00:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_PowFkcFjfx for <ipv6@ietfa.amsl.com>; Tue, 28 Jan 2020 10:00:10 -0800 (PST)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 315F8120044 for <ipv6@ietf.org>; Tue, 28 Jan 2020 10:00:10 -0800 (PST)
Received: by mail-io1-xd31.google.com with SMTP id z193so15401805iof.1 for <ipv6@ietf.org>; Tue, 28 Jan 2020 10:00:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dGwWrvoSbLFUj43bCHUIKEAsy2cEqpSaphWlT5G6bCs=; b=a5b3FkeTL8/rX3zQeKLVX1MjK9t1ErJr/VjuBZROlkE+iVrU5h5J1tpKcQ1Cu+6zaM 0FVC43JUjW1KNI87P3P8pVrA4ZawiECUfk+nIasKj6qo8ApzPPWUcZwI9oL91nNUHiSN 7phDNv4L3xKmBwDCjUb4x/wivbUbjJbv4S+V/NqY41aGn3Br1wEvQpv32ZCNBASw3cvD 0ZTzgTVtOeEqeUsIXDwqjFa7Frnik91EVO9hjIE/ltlhl2gTA2Nw3wHBTSDUeYzhLyfc F2v14yu6Uig9PfnWyfgiFQL5WduxTZVdD5yLcvW/VanhrObJ4iHu8sRbhiN3b9TqGV46 RsWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dGwWrvoSbLFUj43bCHUIKEAsy2cEqpSaphWlT5G6bCs=; b=MY6DvyTLyEZCSwNceGJgpe4m/cgsGBorO0UqaCLNcVYl0HEv+4m05AJcsqE7/iwesg AQCdLRbmpPXhK1PZuJYDDJBzlgCYZURgEHjsnulF5qmO+QITgfFeAib+57ICJT4Fgn+Q VmlyMmFcT18kSMWtaxuXDLQTvw+A1odmvLjpCDhH0jm5AWnFkeI3C0NWvdpdeUZQkguV PBzv0goeNJttzraaW2ODqrtjcuYm8cyItR/dIPEtJ0YlSTt5eHnASoZ3+EUZ8fx/CYli 7I1cCJjg4aFEO5eehA7vE0YOeAVnhWRZzug4tp/GsaMXLE5o27Wzq/cuhbBBK5VoRRfv 6yCA==
X-Gm-Message-State: APjAAAXYt5oViNzX4NiXgwCIvzF+B4tTCwpG/NVobSdHbHwSXA3/Lnsu gS9UCTPUvvsxO32d2X03m5aeQbQ0sF1o7jErBqHN7sUR
X-Google-Smtp-Source: APXvYqzNoVZwJhicea15W2iMl06i7R1FM+lQgQockHmjYhv2pY+CLzHGd0JI0nxBSas6f+qHSRm9JkIp21TEBrLArNQ=
X-Received: by 2002:a02:9469:: with SMTP id a96mr19144796jai.52.1580234409163; Tue, 28 Jan 2020 10:00:09 -0800 (PST)
MIME-Version: 1.0
References: <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <751D59E0-F60B-4FE1-840F-3FEAB82F618F@huitema.net> <c058863d-9e29-3ddb-a020-0ebadef26ad4@si6networks.com> <CABNhwV0KsKN7LQY2D-BJkCtvB40oZCT65EmOCr0oE56c9g7-aQ@mail.gmail.com>
In-Reply-To: <CABNhwV0KsKN7LQY2D-BJkCtvB40oZCT65EmOCr0oE56c9g7-aQ@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Tue, 28 Jan 2020 12:59:58 -0500
Message-ID: <CABNhwV19qxve9HqSzsL7Qr1eE15u=oW5gikjjOX6VamZKnU-Rg@mail.gmail.com>
Subject: Re: Disabling temporary addresses by default?
To: Fernando Gont <fgont@si6networks.com>
Cc: 6man WG <ipv6@ietf.org>, Christian Huitema <huitema@huitema.net>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009ec392059d36fefe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/cvUucQXLx2Jg9HpGE76LhUtXfkA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 18:00:15 -0000

On Tue, Jan 28, 2020 at 12:46 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
>
> On Tue, Jan 28, 2020 at 12:11 PM Fernando Gont <fgont@si6networks.com>
> wrote:
>
>> On 28/1/20 13:27, Christian Huitema wrote:
>> >
>> > On Jan 28, 2020, at 6:59 AM, Lorenzo Colitti <lorenzo=
>> 40google.com@dmarc.ietf.org> wrote:
>> >>
>> >> Instead of disabling, why not change the default of the number of
>> addresses maintained? For example, instead of maintaining 1 permanent + 1
>> valid + 7 deprecated, why not just default to maintaining 1 permanent + 1
>> valid + 1 deprecated. That means that applications would have to
>> re-establish their connections once a day instead of once every 7 days. But
>> if they use privacy addresses, they already need to re-establish
>> connections after 7 days. And they can always use not to use privacy
>> addresses via the appropriate socket option.
>> >
>> > That seems plausible, but how about going one step further and for
>> clients just have one temporary and one deprecated address, without any
>> stable address? If the client is not running any server, that makes address
>> management much simpler.
>>
>> rfc4041 bis already allows for that.
>>
>> The only thing is that if the Preferred Lifetime is 1 day, and Valid
>> Lifetime is 2*Preferred Lifetime, and you only do temporary addresses,
>> then your sessions (e.g. SSH) cannot span past one day, *unless* we
>> recommend that invalid addresses are still okay for established
>> connections.
>
>
>
>    The main reason this topic comes has up is due to possible impact of
> usage of the temporary address when it gets deprecated with long lived
> session.  That’s the crux of why this topic is critical and has severe
> operational impact. When the address changes for long lived connections
> from the deprecated temporary address to the new preferred address, the
> session would terminate and have to re-establish, which is impacts the
> user.  Maybe a change to the behavior as how this works is that the long
> lived flow remains active on the deprecated temporary address indefinitely
> until the flow is terminated via graceful TCP close.  This would allow us
> to maintain privacy extension temporary address enabled by default change
> to benefit privacy advocates and also eliminate impact for enterprise users
> where availability and stability is utmost importance.  The second issue is
> maintaining of a multiple addresses on the end host from an operations
> perspective if that can be limited.  One idea to accomplish this is that if
> the privacy temporary address is enabled by default, that is if we are able
> to resolve the operational impact of long lived sessions when the temporary
> address changes - how can we minimize the number of active addresses per RA
> slaac address.  Allow the interface stable random address to be active only
> if the temporary privacy address is disabled - non default scenario.   Once
> the temporary address is enabled default scenario- and preferred, it is now
> used for both incoming and outgoing connections and the interface “stable”
> random address is now disabled.  This will help from an operations
> perspective that all flows in/out now all use the same privacy address.  We
> can limit the number of temporary addresses to 2 which would only occur
> during transition to the new preferred address.  In a normal state when the
> address has not hit the lifetime expire timer, only a single GUI address
> exists on the host plus the link local.
>
>>
>> This operational impact issue with the temporary address changing for
>> long lived sessions  actually existed as well with DHCPv6 with  server
>> redundancy when state sharing did not exist and required a split scope
>> configuration.
>
>
Now with DHCPv6 failover protocol for redundancy the same scope can be used
between servers as stare sharing now works.

DHCPv6 failover protocol
https://tools.ietf.org/html/rfc8156


>> --
>> Fernando Gont
>> SI6 Networks
>> e-mail: fgont@si6networks.com
>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>
>>
>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
> --
>
> Gyan  Mishra
>
> Network Engineering & Technology
>
> Verizon
>
> Silver Spring, MD 20904
>
> Phone: 301 502-1347
>
> Email: gyan.s.mishra@verizon.com
>
>
>
> --

Gyan  Mishra

Network Engineering & Technology

Verizon

Silver Spring, MD 20904

Phone: 301 502-1347

Email: gyan.s.mishra@verizon.com

v2.23.0 | Report a Bug | By Email