IETF Logo Mail Archive

Re: rfc4941bis: Change to Valid Lifetime of temporary addresses (take two)

"Curtis, Bruce" <bruce.curtis@ndsu.edu> Thu, 20 February 2020 17:25 UTC

Return-Path: <bruce.curtis@ndsu.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFF41209C4 for <ipv6@ietfa.amsl.com>; Thu, 20 Feb 2020 09:25:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ndsu.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9C1K31zcrbd for <ipv6@ietfa.amsl.com>; Thu, 20 Feb 2020 09:25:53 -0800 (PST)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2118.outbound.protection.outlook.com [40.107.92.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED0481209C0 for <6man@ietf.org>; Thu, 20 Feb 2020 09:25:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gH8xXL+F9p78t9gGBRmySBVNsz+3h5lVzlz8wxdq8B/PDVq47l9WR570kL3HUHrN5kQt8w0B989AjIJNxqZnYOs4A/K+RabZZdFW58FT9PnlOHzL77x+oVT571b4ds0stCgIm1x3+s9Vxjxmf8a9+GaJH9Bu+GHWiCp0HGd9ZHirNXwY6DxHEAcjH/0+P5QQNPufDjCvb+MUBeJKSOqw0fUbcTBJoxKd6dbeaBAQngDSa966L76ftWA3OytknGys1sGJpnW6lH/tbEhIWh0dajzSjKfyGHUONrnYxXCJ+LPnbfPi/E/TSFW051j/eBX61X90JK7b+s+0xVSGKMyYtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=14if3GBMb4mqoLQAKedQS+HxJ9CHoTWEqnqVem8O15c=; b=lgvmzyhDzXfs8H3JvtQeuGo3oNcQbgrUotJgm1nBBXQsNt7yz2ANxhEjpSmwMeyfrqJ4cu1+h0AcyzIMSip13E8AvDc63WNMVhkzt3csfBEy+8B9VRc8Avp05gNrdJEN1R7sZUXzP6JKUP+sX7kFxCHJUjC6KFDGlGi/MZyL0jOwucjUwqq7TtMJlqJjfV8uJCx5b+x1mo11rWhBiEj0RnzdUv2UgWHq1LVSpySq395dMjdD3066AfSJ2veTaceSQtxiem0ZG1XxxqZq+v6mTUpp55XF1y6UrSi6E6AjzeM7ug2PlWhb6OgHywh+FiL+jfCnRdMJzXHtaEDeytFTlw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ndsu.edu; dmarc=pass action=none header.from=ndsu.edu; dkim=pass header.d=ndsu.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ndsu.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=14if3GBMb4mqoLQAKedQS+HxJ9CHoTWEqnqVem8O15c=; b=bTCJrtC6WyAaWX3g5xhh2TxEdc/LUX6hZW+u4+rFcowAxe04XUBl9wjRZ3AMAOn5k4QAI/JQARCmZXNcc3GoF1oxng1onp3225XggiDGIET8vP0cJkfrNgm2V+4h0HyhJ+YaIAttDublV3psRuXD+EDbgZEoHdeqhSJfEKDMN2s=
Received: from DM5PR08MB3418.namprd08.prod.outlook.com (2603:10b6:4:67::26) by DM5PR08MB3370.namprd08.prod.outlook.com (2603:10b6:4:62::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.17; Thu, 20 Feb 2020 17:25:51 +0000
Received: from DM5PR08MB3418.namprd08.prod.outlook.com ([fe80::58ca:eb3:eebf:62bb]) by DM5PR08MB3418.namprd08.prod.outlook.com ([fe80::58ca:eb3:eebf:62bb%4]) with mapi id 15.20.2729.033; Thu, 20 Feb 2020 17:25:51 +0000
From: "Curtis, Bruce" <bruce.curtis@ndsu.edu>
To: Fernando Gont <fgont@si6networks.com>
CC: Lorenzo Colitti <lorenzo@google.com>, "6man@ietf.org" <6man@ietf.org>
Subject: Re: rfc4941bis: Change to Valid Lifetime of temporary addresses (take two)
Thread-Topic: rfc4941bis: Change to Valid Lifetime of temporary addresses (take two)
Thread-Index: AQHV6BLM1a40GoTMykOlqp8ACOKyaw==
Date: Thu, 20 Feb 2020 17:25:51 +0000
Message-ID: <1F788A35-26D7-4683-8601-338477B4FBBF@ndus.edu>
References: <9cb65947-f634-e250-bfdc-134cfa2c91e9@si6networks.com> <eae18699-6141-e18c-783e-1ecab18733e5@si6networks.com> <CAKD1Yr1bZwz6gO1OUR16gubYd+k5EGjO+xqargy-pM6ZVMk8dw@mail.gmail.com> <b9e49215-ac91-ccdc-a518-7282d9571e69@si6networks.com>
In-Reply-To: <b9e49215-ac91-ccdc-a518-7282d9571e69@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=bruce.curtis@ndsu.edu;
x-originating-ip: [2001:4930:95::120]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 07c8409b-533d-463f-0121-08d7b629eec9
x-ms-traffictypediagnostic: DM5PR08MB3370:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM5PR08MB33700DE8C6063EDCF6DAC673EB130@DM5PR08MB3370.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 031996B7EF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(396003)(136003)(376002)(366004)(199004)(189003)(81166006)(71200400001)(8676002)(81156014)(9686003)(6512007)(4326008)(6916009)(75432002)(316002)(8936002)(6486002)(786003)(36756003)(54906003)(76116006)(5660300002)(86362001)(2906002)(66556008)(33656002)(966005)(478600001)(186003)(91956017)(64756008)(53546011)(6506007)(66946007)(66574012)(66446008)(66476007); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR08MB3370; H:DM5PR08MB3418.namprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ndsu.edu does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7vUHysP0hW9MRPtM8e/DPHi9rmmT+7y3prLwAhq/mqJDxdY3VzybQ2+x3o2CkIbpCgaYRvSMZtk4UVvS+2CLKTnoJoF2Q6UGX5cn6Mg5WigA4Ea1yfqjVD+1BGbhLzFPMYhMIO3vHv4M/krEOD7BNKepqZauiCJv/vAg/VpLtnlTqZcTSGAj+QE4aNmPlhikasP/qwTmxYr1Ixb1qTnWDM57iCNjqzFW0fZPvC4F9iu7rWdvEdZkyu3cG/SSuAMmqcvAZQB+R/ORCuXdGlOlcovY9F1DPdLC3MFsN679+CiIx08vczhg65aHj9d3z0jublWVPJHDwyi7WIbN9SgWnEpYc9tKIG7GrtGfrjOQLYElHrn1Mz9hRJiBn+xqutfXIZUGNLa8M2LrUYHdK3XxfBToi+TGKRhEsOQcMdj6jkk98/bOHzAWcMYJy/cUCXnQHuG8MA4i+P35z7ST3nLomM+UkRViiupbaOI/hsBJa63ItNZqU9qhqNREWXXZoq7WpaUrUM8LXmVJUlVPLWVlRQ==
x-ms-exchange-antispam-messagedata: cbw7/NH6AUA82LSW3WJaP6a5yHZc88HP4NjR8BWXjQpUSHZFc1qtMBXC2PV+CvIkWemQWHpATLn7o6kFRlMlQ12/3N0/8liyvrlHYLB2OaqDx10UKzKeOjzw0vYEel8IBjQB9E5bERUqWwxZ1T1+CRnsyjd7SnuQs8cX52lR1t8=
Content-Type: multipart/alternative; boundary="_000_1F788A3526D746838601338477B4FBBFndusedu_"
MIME-Version: 1.0
X-OriginatorOrg: ndsu.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: 07c8409b-533d-463f-0121-08d7b629eec9
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2020 17:25:51.0500 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ec37a091-b9a6-47e5-98d0-903d4a419203
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 5unGtKZa5rABfQ7uARIgZj9nGAvdwXtYHmpIUmldBFBZWEpwmgdBJSWAJMiOnsWRuXJMnOCv5p8mAA+VEAK8BQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR08MB3370
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/iV9sKmD6LRaumyKwkQV-n-WttDo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2020 17:25:58 -0000


On Feb 15, 2020, at 12:06 PM, Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com>> wrote:

On 11/2/20 18:58, Lorenzo Colitti wrote:
I think this change is an improvement. Keeping arond 5 addresses that are not useful seems like a waste of network capacity. An application that is not resistant to connection disruption, and *really* wants to use long-lived sessions, should probably be using PREFER_SRC_PUBLIC anyway.

If the addresses are not used, they will not waste network resources.

The only difference between short and long valid lifetimes is whether ongoing ling-lived connections will be aborted or not.

e.g., with RFC4941, a host will typically have one preferred address, and 6 unpreferred (but valid) addresses. If there are no long-lived connections, the unpreferred addresses will remain configured, but will not be employed to send or receive packets. Unless I'm missing something, they wouldn't seem to be wasting network resources. OTOH, if there *are* ongoing long-lived connections, these addresses would be actively used, and require effort from the network.


There are at least one scenario where unpreferred (but valid) addresses can use network resources.

 In at least one vendor’s implementation of IP Source Guard closet switches keep track of active IP addresses by periodically sending Neighbor Solicitation packets.   So even though there might not be any active connections using an IPv6 address the closet switch will still have info about that IPv6 address (which port it is on and which MAC address is associated with that IPv6 address).  The IP Source Guard feature from this vendor does also include the capability of setting a limit on the number of IPv6 addresses per port.

In at least one vendor’s wireless solution the wireless controller tracks IPv6 Neighbor status in a cache and uses that cache to act as a proxy and reply to Neighbor Solicitation requests with a unicast packet (and dropping the multicast Neighbor Solicitation request so no wireless clients see the Neighbor Solicitation request).  But this particular wireless controller also limits each client to 8 IPv6 addresses. "When the ninth IPv6 address is encountered, the controller removes the oldest stale entry and accommodates the latest one.”   Although unpreferred (but valid) addresses might not use resources in this vendors implementation it is possible that other vendors might implement IPv6 Neighbor Solicitation suppression and proxy in a way that would result in unpreferred (but valid) IPv6 numbers using resources.

Keeping a long valid lifetime means that long-lived connections (that last more than one day and less than a week) that currently use temporary addresses  would survive without problem. Whereas reducing the valid lifetime might mean that they are torn down. This "breakage" might push such applications to do the right thing and deliberately employ stable addresses, albeit with a transition period (when the code is updated) where things might break.

In most cases, a valid lifetime of two days will be enough. In other cases, the app knows connections are likely long lived, and should explicitly opt out of temp-addresses. But there are other cases where the nature of the app might lead to using temp addresses, but the connection might end up being long lived (e.g. a user downloading a large file via HTTP, over a very slow internet connection).

That's my reasoning for wondering if we should really reduce the valid lifetime, and whether it results in any savings for the network in cases where the addresses are not employed for ongoing connections. (when they are, the price the network pays is the price for keeping such connections alive).

Thoughts?

Thanks,
Fernando





On Mon, Feb 10, 2020 at 8:35 AM Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com> <mailto:fgont@si6networks.com>> wrote:
   Folks,
   This is simply a reminder/request for input regarding this proposed
   change.
   My understanding is that folks proposing this came from "if folks are
   concerned, we could do this".
   I would like to get more input comments on the topic from other
   participants.
   The change certainly would be fine. That said, in the context of
   RFC7934, I'm curious if we could really be concerned about nodes using 7
   concurrent addresses (in the worst case scenario). FWIW, such number of
   ongoing active addresses would only be hit if all of the unpreferred
   addresses are in use by ongoing long-lived connections. Again, the
   change would be fine, but I'd like input regarding whether it's really
   warranted.
   Thoughts?
   Thanks!
   Cheers,
   Fernando
   On 30/1/20 19:27, Fernando Gont wrote:
    > Folks,
    >
    > It has been suggested by Lorenzo Colitti, David Farmer, and
   others, to
    > change the default Valid Lifetime of temporary addresses.
    >
    > Namely, to change it from the current (RFC4941) "one week", to "two
    > days". This indirectly limits the maximum number of temporary
   addresses
    > employed by hosts. (2, compared to the current 11 (as per RFC4941)).
    >
    > This requires these changes:
    >
    > * Section 3.5:
    >
    > OLD:
    >    Because the precise frequency at which it is appropriate to
   generate
    >    new addresses varies from one environment to another,
   implementations
    >    SHOULD provide end users with the ability to change the
   frequency at
    >    which addresses are regenerated.  The default value is given in
    >    TEMP_PREFERRED_LIFETIME and is one day.  In addition, the
   exact time
    >    at which to invalidate a temporary address depends on how
    >    applications are used by end users.  Thus, the suggested default
    >    value of one week (TEMP_VALID_LIFETIME) may not be appropriate
   in all
    >    environments.  Implementations SHOULD provide end users with the
    >    ability to override both of these default values.
    >
    > NEW:
    >    Because the precise frequency at which it is appropriate to
   generate
    >    new addresses varies from one environment to another,
   implementations
    >    SHOULD provide end users with the ability to change the
   frequency at
    >    which addresses are regenerated.  The default value is given in
    >    TEMP_PREFERRED_LIFETIME and is one day.  In addition, the
   exact time
    >    at which to invalidate a temporary address depends on how
    >    applications are used by end users.  Thus, the suggested default
    >    value of two days (TEMP_VALID_LIFETIME) may not be appropriate
   in all
    >    environments.  Implementations SHOULD provide end users with the
    >    ability to override both of these default values.
    >
    >
    > * Section 5:
    >
    > OLD:
    >    TEMP_VALID_LIFETIME -- Default value: 1 week.  Users should be
   able
    >    to override the default value.
    >
    > NEW:
    >    TEMP_VALID_LIFETIME -- Default value: two days.  Users should
   be able
    >    to override the default value.
    >
    >
    > Comments? Objections?
    >
    > Thanks!
    >
    > Cheers,
   --     Fernando Gont
   SI6 Networks
   e-mail: fgont@si6networks.com<mailto:fgont@si6networks.com> <mailto:fgont@si6networks.com>
   PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
   --------------------------------------------------------------------
   IETF IPv6 working group mailing list
   ipv6@ietf.org<mailto:ipv6@ietf.org> <mailto:ipv6@ietf.org>
   Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
   --------------------------------------------------------------------


--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com<mailto:fgont@si6networks.com>
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.curtis@ndsu.edu<mailto:bruce.curtis@ndsu.edu>

v2.23.0 | Report a Bug | By Email