Re: Feedback on draft-linkova-6man-grand-01
Jen Linkova <furry13@gmail.com> Mon, 02 December 2019 06:26 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D5F8120071 for <ipv6@ietfa.amsl.com>; Sun, 1 Dec 2019 22:26:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.152
X-Spam-Level:
X-Spam-Status: No, score=0.152 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZffA9IsbxxKL for <ipv6@ietfa.amsl.com>; Sun, 1 Dec 2019 22:26:14 -0800 (PST)
Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF03E12002F for <6man@ietf.org>; Sun, 1 Dec 2019 22:26:13 -0800 (PST)
Received: by mail-qk1-x744.google.com with SMTP id f5so13117565qkm.13 for <6man@ietf.org>; Sun, 01 Dec 2019 22:26:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=hYbkLf9H6G8ryRMFnqyufuV///dyyCaCcb9zxzghetk=; b=o7ta+9hB8FbERz+2adC/h9E37D68z9IA77KVV+dlpl6vI2vmnBm9vk/HpVru7G+zq5 WJN22NNDtktoLJuHgVv5y/zN1ij3udoCxFt0LFho4rXptnkNbq0YE7ShITK529tzMZ38 SLpCnieUY//vobNf+JOTXZMgGkMeL1tRcye+Ca5M8fF/UR/07zO7S6pzFEowXkShjYVA 1ZBUVJoJyX+vjN2e3wGbL2LZ3JaoOSGHQyPwqw4hhFHMjh2u1PIyLWeNb1Kz01X+uN93 9T3A1YNAu1POC8Rj+vsvMjrMHE7SHTSkmpAe68QAMvnC8BeZZFb9R9eAIcdtPUdA73eT x8Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=hYbkLf9H6G8ryRMFnqyufuV///dyyCaCcb9zxzghetk=; b=ksPTia55b8OvzjhUEp30Nrvho1a1EbxH2xEEKCxO/PShY83ibZJHv42EB/TWY9BKve L8SagRJ8ArnVITp042MhOkFwiobWsjmWxMdi5jmCOlYA7mTukFF9osnWIifvePPrSlDs 5C/TZ8sXr5Ma8CG4dgUcqELJ1HydvmvOT/PZX7ZI1UZJl3GiE28+RBb/MsWjZ7IZFW7t nul9OHAEvshX9ujVtBi/khHYlxHrhqnJlh1MKh3l4lILOKCjTfauR8N4GpYSiNQnwsxX yK6jty7lHhHm7sgvOH927xAdvyKpRm4EWsOZvu8l0+Yh/qGFIrbcsW4dlmRZjdipKRqz jGmg==
X-Gm-Message-State: APjAAAWFulfQm0/5hZ+B7bzDK2K54+D1J1rmC5pOz23X0BMc3ddbiuzc z+Zvbhj6O0ejdu4cxbVJ1ipoyqvLDsJt1a8cNYs=
X-Google-Smtp-Source: APXvYqziDnROmUDb6f99AjPE9TsDXRDikcTVZY9dmHkX5ps9EJRghWnE1llLoFjICjULb+RrTH67Y31f6yaPD5JqoIc=
X-Received: by 2002:a05:620a:6ce:: with SMTP id 14mr3629076qky.417.1575267972171; Sun, 01 Dec 2019 22:26:12 -0800 (PST)
MIME-Version: 1.0
References: <3fbc97b1-123b-49e8-0c66-47815177e0ca@si6networks.com> <CAFU7BATNSXBypROU3p2JW_=9HN0rtKYq2oe4oJL65eifZdkdNw@mail.gmail.com> <4F310898-2EC0-410D-A08D-EBD5E07BCAE9@gmail.com>
In-Reply-To: <4F310898-2EC0-410D-A08D-EBD5E07BCAE9@gmail.com>
From: Jen Linkova <furry13@gmail.com>
Date: Mon, 02 Dec 2019 17:26:00 +1100
Message-ID: <CAFU7BASOe-mY67vdHYTL+q8SRTcbcWnFKKpTHD-otponbKLiMQ@mail.gmail.com>
Subject: Re: Feedback on draft-linkova-6man-grand-01
To: Gyan Mishra <hayabusagsm@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, "6man@ietf.org" <6man@ietf.org>, Jen Linkova <furry@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/muWlhMSmzfle7sUP1JoKbfDUxtU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2019 06:26:15 -0000
On Mon, Dec 2, 2019 at 4:52 PM Gyan Mishra <hayabusagsm@gmail.com> wrote: > The changes that you are proposing to RFC 4861 have you tested in a lab environment to ensure no adverse consequences to the changes or collateral damage by changing something might break something else With ICMPV6 RS/RA state machine. I did some tests using Cisco with glean enabled (IOS already has the proposed changes and more implemented). > Here is a github link to a test done related to the override flag being set and ND cache resiliency when an address gets recycled. In this case the address is recycled to different Mac and so the override flag has to be set to update the entry. > > https://gist.github.com/leblancd/e550d41cad5a1c0ecb81837dfbc93cc5 I looked at that file and I'm a bit confused. I'm not sure how that test is relevant to the proposed changes. What I see in that file is the standard ND behaviour. > This relates to Section 3 and 3.1 avoiding disruption. So I understand you would set the override flag to clear if the address is optimistic but you don’t state to set the override flag if the address is Valid and preferred. The section 2.1 states: "To minimize the potential disruption in case of duplicate addresses the host SHOULD NOT set the Override flag for a preferred address and MUST NOT set the Override flag if the address is in Optimistic [RFC4429] state" >So this is a corner case with the optimistic DAD state you are addressing to not set the override flag to avoid disruption in case of duplicate address. Have you been able to recreate this issue occurring in the lab with the current RFC 4861 stack. Please note that ' MUST NOT set the Override flag if the address is in Optimistic state' requirement is actually coming from RFC4429 which explicitly prohibits setting Override flag in Neighbor Advertisements for Optimistic Addresses (section 2.2 of https://tools.ietf.org/html/rfc4429). So, my draft just follows RFC4429 recommendations. > Section 3.2 > I am getting lost reading this section. Where it says that the rightful owner does not use the address for communication. The Section 3.2 describes the scenario when the router does not have a NC entry for the address. Therefore the address is either unique (no disruption), or the rightful owner has not been receiving any traffic via that router for a while (if it has then the router would have had the entry). The latter case is discussed in the section. If you could elaborate what is not clear in the section I'd be happy to update the text.. > Is DAD not complete and is the rightful address not used because the interface is in some other DAD state and not Valid/Preferred. The scenario described is that the rightful owner (host A) might have an address in preferred state but just not use it for sending/receiving traffic. Then another host (host B) joins the network and configures the same address in the Optimistic state first. If the host B does not send any unsolicited NAs, everything works as before. If it does send an NA, then the entry would be created in the STALE state. As soon as the host B starts sending traffic, the return traffic would trigger address resolution. > There are a lot of scenarios and permutations to think of with the updates mentioned in the draft. Should all of those be spelled out in this update or only corner cases with issues you have encountered that you are addressing with the update? Well, I tried to enumerate all of them but I could have missed smth indeed. So let me try again. Let's say a host gets an address assigned and it's uniqueness has not been confirmed yet (the address is still Optimistic). Scenario #1: The router does not have any entry for the address: see section 3.2 Scenario #2: The router has INCOMPLETE entry: see section 3.3. Scenario 3: The router has an entry and it's in some other state: see section 3.1 What did I miss? > I think addressing all scenarios would help to ensure the change being made is not breaking another scenario and other with the RS/RA state machine. totally agree. Any pointers to the scenarios I missed are highly appreciated. Thank you! > On Nov 27, 2019, at 7:36 PM, Jen Linkova <furry13@gmail.com> wrote: > > Hi Fernando, > Thanks for your review! > Comments inline. > > On Wed, Nov 27, 2019 at 11:42 PM Fernando Gont <fgont@si6networks.com> wrote: > > As the main purpose of sending unsolicited NAs upon configuring a new > > address is to proactively create a Neighbor Cache entry on the first- > > hop routers, the gratuitous NAs SHOULD be sent to all-routers > > multicast address (ff02::2). Limiting the recipients to routers only > > would help reduce the multicast noise level. > > > In the context of RFC8028, one might argue that you could simply send > > the unsolicited NAs unicast to the routers that advertised this prefix. > > This would: > > > * reduce multicast traffic > > > * also reduce the number of unnecessary entries in local routers (there > > would be no point to create entries for addresses configured for, say, > > 2001:2b8::/64 at Router A, if you will only use Router B as the default > > router for packets sourced from those addresses). > > > The main drawback of this approach is it would work in 50% of cases if > the network provides first-hop router redundancy. There is no > guarantee that the traffic is symmetrical - the host can easily choose > a router A as a default gateway but the return flow can reach the LAN > via the router B. > See https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00#section-2.3.2.2 > > I'll update the text to clarify it. > > As the INCOMPLETE entry means that the router has > > started the ND process for the address and the multicast NS has been > > sent, the rightful owner is expected to reply with solicited NA with > > the Override flag set. > > > I should re-check the spec. The NA would certainly have the solicited > > flag set. Although I'm not sure it woudl always have the override flag set. > > > It *SHOULD* unless it's anycast or the device is a proxy: > https://tools.ietf.org/html/rfc4861#section-7.2.4 > > " If the Target Address is either an anycast address or a unicast > address for which the node is providing proxy service, or the Target > Link-Layer Address option is not included, the Override flag SHOULD > be set to zero. Otherwise, the Override flag SHOULD be set to one." > > When a valid Neighbor Advertisement is received (either solicited or > > unsolicited), the Neighbor Cache is searched for the target's entry. > > If no entry exists, hosts SHOULD silently discard the advertisement. > > There is no need to create an entry if none exists, since the > > recipient has apparently not initiated any communication with the > > target. Routers SHOULD create a new entry for the target address > > with the link-layer address set to the Target link-layer address > > option (if supplied). The entry its reachability state MUST also be > > set to STALE. If the received Neighbor Advertisement does not > > contain the Target link-layer address option the advertisement SHOULD > > be silently discarded. > > > Shouldn't this only happen if the "solicited" flag is not set? > > > Valid point. I do not see any harm is doing it for Solicited but I'm > happy to limit to unsolicited NA only... > > Announcing a new address to all-routers multicast address may inform > > an on-link attacker about IPv6 addresses assigned to the host. > > However hiding information about the specific IPv6 address should not > > be considered a security measure as it falls into 'Security through > > obscurity' category. > > > I'd remove the "security through obscurity" bit, and note that this > > information is normally disclosed with dad, anyway, and not just to > > routers, but to all nodes. > > > Not *exactly* true if the network deploys all those smart WiFi devices > but it's more an operational consideration. > I'll update the text, thanks! > > Food for thought: > > Maybe routers could simply create the ND cache entries, if the entry is > > not present, when the corresponding DAD packets are received? > > This would mean no changes on clients, and just updates on routers. > > (me thinking out loud) > > > Please note that this draft does not discuss *all* possible > approaches. The operational issue and various solutions are documented > in https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00. > Your proposal 'why not DAD' is discussed in > https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00#section-2.4 > > I should probably make it explicit in the Introduction section that > the readers of draft-linkova-6man-grand shall read the 6ops doc first. > > -- > SY, Jen Linkova aka Furry > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- -- SY, Jen Linkova aka Furry
- Feedback on draft-linkova-6man-grand-01 Fernando Gont
- Re: Feedback on draft-linkova-6man-grand-01 Jen Linkova
- Re: Feedback on draft-linkova-6man-grand-01 Gyan Mishra
- Re: Feedback on draft-linkova-6man-grand-01 Jen Linkova
- Re: Feedback on draft-linkova-6man-grand-01 Gyan Mishra