Re: Objection to draft-ietf-6man-rfc4291bis-07.txt - /63 and /65 RAs on linux

神明達哉 <jinmei@wide.ad.jp> Fri, 03 March 2017 22:02 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84E1912963E for <ipv6@ietfa.amsl.com>; Fri, 3 Mar 2017 14:02:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.37
X-Spam-Level:
X-Spam-Status: No, score=-2.37 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_vk-ZiwcdMg for <ipv6@ietfa.amsl.com>; Fri, 3 Mar 2017 14:02:12 -0800 (PST)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 817A21295CE for <ipv6@ietf.org>; Fri, 3 Mar 2017 14:02:12 -0800 (PST)
Received: by mail-qk0-x22e.google.com with SMTP id g129so15282976qkd.1 for <ipv6@ietf.org>; Fri, 03 Mar 2017 14:02:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=uT9gEqrIg7dN6w+C4TnM9CKOM/2n5nTo587ukB0KyPg=; b=nNrvFXFNo2c2nfTxwbsmP/9t5609+smc7wOLu6DAqq2tl79Jzvj5zeA8z0qWzOGzdZ R/cqWIo3JaBs1SF1w4KTIJW+C5pfRumSVqYo2+Dfb1qJ6c2SVSiIBuSPDiICyUzcmpWv Pizdw/BbBDd3thI1yar+AF4XpN4iny5P6N2Rn/WaBLxiwTKs2P5Y7/83pHG0MMP9x2eh LCgoEllipvQTnTaByyEHQBeUsIQ9/5GvksABfnoDKU6kuoMVI16bxO5jOPue5guVRyfO UmXdKj9AfSB+2EsbWhVwT4FgAZpCaLeF0oU0oD3ffw/3KjY0gGvco+SwNaToyUnGya/t Mxpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=uT9gEqrIg7dN6w+C4TnM9CKOM/2n5nTo587ukB0KyPg=; b=teZC2ja3ufIM9uuRYkkxBl4ElndnYkkzAoFiGOJFqg89wZrj5xzCmowWhmOpqvkBuq XW5yTep42akKO2cZGSD//BKxNN/ErvS3/45tAdF4lIed7spX8XEl8RlW2J18iMiSP7U+ L6xKHr0Q31o8D1YvfQXo8E1CH8XhFQKsVlADKtr5WOMos1kmdHaucbvEN08HQAbzKgsW YRXsv3vWmh2SendZ5Z4FbnZdV8TcihM+MuqoJ+Z/Rr4solkdPSIzX9XHq9nvfcKmmoK1 IPIzXXxgTrq535YduCyN9Bb7WMzrhF2fZTWgKcZnKin1RSFnLSLiotE0hgBmbiXs4pli gmJg==
X-Gm-Message-State: AMke39lZf8vPqu9IlbniaW3VUrBfYmLKZ6qQkFz9Id+Vo17St/9yV3O5UNU2Ai4OzK39o9xQwQ1QhJbpO1AgQQ==
X-Received: by 10.55.122.130 with SMTP id v124mr4492634qkc.19.1488578531348; Fri, 03 Mar 2017 14:02:11 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.61.204 with HTTP; Fri, 3 Mar 2017 14:02:10 -0800 (PST)
In-Reply-To: <68803ac3-97f4-838c-ffd2-a294d7fb6d0d@gmail.com>
References: <20170223134026.GI5069@gir.theapt.org> <27cce319-18ac-5c0e-3497-af92344f0062@gmail.com> <de4988be-6031-08d9-84ce-21c3fa4f9bc9@gmail.com> <98401ef7-cf41-b4a0-4d11-a7d840181bd0@gmail.com> <1047f5fc-ae40-be52-6bab-27f31fe5e045@gmail.com> <9a94feac-8d59-b153-d41c-04fc371e4db4@gmail.com> <CAO42Z2z7v4gDk91b6Of-1sczV88m3B9kzn0MeJU_VBJ416k6Ww@mail.gmail.com> <ae35b45a-0398-840f-fc0d-1f64dd2fcc58@gmail.com> <37851ee3-03be-8bee-6190-f4d28df86305@gmail.com> <alpine.DEB.2.02.1703012051590.30226@uplift.swm.pp.se> <b5784622-c24e-a531-4e68-249b03701941@gmail.com> <CAAedzxrSTFe0GgYuvtXPNE=R_ZCXotxL7HbKdj5A4-869rncmw@mail.gmail.com> <ba025be6-709d-87b4-f388-d6f143408277@gmail.com> <alpine.DEB.2.02.1703021029010.30226@uplift.swm.pp.se> <4e17a9f4-6daf-787f-0321-3327fe601d70@gmail.com> <bead3cd8-f7f9-37b3-66f9-e76ae94056d1@baanhofman.nl> <63d98caf-ab70-088f-ff6b-ad27a11619e0@gmail.com> <CAJE_bqcOLSK061p_biSD3GK1y464Ld=8Zp3-hAuJqQ2R2t3JRw@mail.gmail.com> <68803ac3-97f4-838c-ffd2-a294d7fb6d0d@gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 03 Mar 2017 14:02:10 -0800
X-Google-Sender-Auth: iyHNJMqg2OzZYK4PJa8EEUSvzg4
Message-ID: <CAJE_bqc7cFrhCaiGMGeSUf1zMsXpcoDUVvYQ13L-Soe4Rwf6RA@mail.gmail.com>
Subject: Re: Objection to draft-ietf-6man-rfc4291bis-07.txt - /63 and /65 RAs on linux
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/kJQY8wZacMrh7wmthMUI-UZWnBg>
Cc: IPv6 IPv6 List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 22:02:14 -0000

At Fri, 3 Mar 2017 22:09:47 +0100,
Alexandre Petrescu <alexandre.petrescu@gmail.com> wrote:

> > Both, and I believe at least most implementers have had no
> > difficulty in interpreting the spec that way.
>
> If it is both, then it requires that the prefix used for address
> autoconfiguration of LL addresses to be 64bit length.
>
> But the LL prefix is fe80::/10.
>
> "fe80::/10" means it is a prefix.  It does not mean it is "a mask for
> implementation in BSD and other OSs C macros to recognise the LL address".
>
> So, what goes between /10 and /64?  Why?

For (auto)configuring a link-local address?  If so, it's all-0 bits,
as defined in Section 2.5.6 of RFC4291:

   |   10     |
   |  bits    |         54 bits         |          64 bits           |
   +----------+-------------------------+----------------------------+
   |1111111010|           0             |       interface ID         |
   +----------+-------------------------+----------------------------+

> > - uses the 64-bit IID (as specified in RFC2464) - uses the fe80::/64
> >  prefix (as defined in RFC4291 Section 2.5.6)
>
> And ignores the same document's fe80::/10.  And some implementer does
> not appreciate that.

I'm not sure what you mean by this here, but out of curiosity, who is
that implementer and what does it actually do by not appreciating
that?  Auto-configuring a link-local address that does not match fe80::/64?

> > - combine these to configure a link-local address fe80::<64-bit IID>
> > as specified in Section 5.3 of RFC4862
>
> And who tells the implementer what to put between /10 and /64?

> Should that be 0s?  1s?  An arbitrary random mix of 0s and 1s?

0s, as described in RFC4291 Section 2.5.6.

> > To me there's nothing confusing or unclear here, and I suspect the
> > Linux implementation essentially does the same thing.
>
> I think you dont want to see the potential confusion because you do not
> ask yourself what to put between /10 and /64.  I think you silently
> assume that should be 0s.

If "what to put between /10 and /64" is for (auto)configuring
link-local addresses, yes, I assume it's 0s.  But not "silently" -
it's based on Section 2.5.6 of RFC4291.

BTW, I do not necessarily disagree that there may be "some confusion"
if one sees this:

      Link-Local unicast   1111111010           FE80::/10       2.5.6
(Section 2.4 of RFC4291)

and this:

   |   10     |
   |  bits    |         54 bits         |          64 bits           |
   +----------+-------------------------+----------------------------+
   |1111111010|           0             |       interface ID         |
   +----------+-------------------------+----------------------------+
(Section 2.5.6 of RFC4291)

like, wondering "what if the intermediate 54 bits are non-0?  should
it be called a link-local address?".

But, at least in terms of auto-generating link-local addresses, the
specs are clear enough to me that these bits should be set to 0.
That's why I always try to clarify the context is to auto-generate a
link-local address in this conversation.

If you want to further clear any possible confusion between the
intermediate 54 bits, I wouldn't discourage you to write a "mystery of
the intermediate 54 bits for fe80::/10" draft:-)

> >> It does not forbid that that 64bit prefix be formed by
> >> self-appending a 0 to a /63 from the RA, or other mechanism.
> >
> > It's not the job of RFC2464.  RFC4862 imposes the restriction
> > through its Section 5.5.3 bullet d):
>
> Well then, it should.
>
> BEcause currently RFC2464 says "An IPv6 address prefix used
> for stateless autoconfiguration [ACONF] of an Ethernet interface
> must have a length of 64 bits".
>
> If we go by your recommendation above, then it means RFC2464 must not
> say that.

I guess we're just not on the same page...trying to rephrase my point,
it doesn't matter that RFC2464 "does not forbid that that 64bit prefix
be formed by self-appending a 0 to a /63 from the RA", since RFC4862
forbids it anyway (by the "sum must be 128" requirement).

> > I guess that "rt entry for that /63 prefix" is to treat the /63
> > prefix as on-link (assuming the corresponding PIO has L bit on).
>
> YEs.
>
> > If so, that's the correct behavior per RFC4861 (not 4862).
>
> So RFC4862 should not require the Host to ignore a received non 128
> plen+IID, because RFC4861 accepts it.

Here I actually see conflating.  RFC4862 only says the host MUST
ignore such prefix *for SLAAC*.  It doesn't say, for example, it
should ignore the entire RA or even for that particular PIO for other
purposes than SLAAC.  But I admit this point may be subtle and can
easily be misunderstood.  RFC4862 tried to clarify that subtlety a bit
in the following paragraph of that section (that was actually written
by me):

      It is the responsibility of the system administrator to ensure
      that the lengths of prefixes contained in Router Advertisements
      are consistent with the length of interface identifiers for that
      link type.  It should be noted, however, that this does not mean
      the advertised prefix length is meaningless.  In fact, the
      advertised length has non-trivial meaning for on-link
      determination in [RFC4861] where the sum of the prefix length and
      the interface identifier length may not be equal to 128.  Thus, it
      should be safe to validate the advertised prefix length here, in
      order to detect and avoid a configuration error specifying an
      invalid prefix length in the context of address autoconfiguration.

but this conversation seems to suggest it's still not clear enough.

> As such, either rfc4862 or rfc4861 should be modified to make it work
> together.

4861 and 4862 already work together.  But, we could make it even
clearer that prefix length validation for on-link determination
(actually there's no restriction for this) and prefix length
validation for SLAAC are independent, if and when we want to update
these RFCs.

> Maybe rfc4862 should not require the Host to refuse a
> received plen+IID not making for 128.

No, it should still require that, as there's currently no defect in
the spec even if it may still not be crystal clear for some.  However,
you have the right to propose loosening the requirement, so if you
think that change is necessary, please feel free to write a draft.

> > It's also correct to ignore that prefix for SLAAC per RFC4862 (not
> > 4861).
>
> If some RFC requires the Host to ignore the PIO and some other RFC
> requires the Host to interpret it, and both RFCs are mandatory to
> implement, under the same conditions, isn't there a conflict?

No, there's no conflict, once one understands the two types
validations are independent:

- RFC4861 does not impose any restriction on the prefix length in PIO
  for on-link determination purpose (and therefore the host is
  expected to accept any length of prefix for on-link determination)
- RFC4862 requires the host to ignore the PIO of some particular
  length for the purpose of SLAAC (and therefore the host is expected
  to not use a prefix of "invalid length" to configure an address)

Both can coexist.  BSDs literally implement it.  From your previous
message, I guess so does Linux.  I also suspect so do other major OS
implementations such as Windows or Solaris, as this separation has
been in fact one of common test cases in IPv6 protocol conformance
test suites.

--
JINMEI, Tatuya