RE: Disabling temporary addresses by default?

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 29 January 2020 13:42 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Tim Chown <Tim.Chown@jisc.ac.uk>, "otroan@employees.org" <otroan@employees.org>
CC: 6man WG <ipv6@ietf.org>
Subject: RE: Disabling temporary addresses by default?
Thread-Topic: Disabling temporary addresses by default?
Date: Wed, 29 Jan 2020 13:42:28 +0000
Message-ID: <MN2PR11MB3565D26CD5F21ED2CD7F62A1D8050@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <03C832CE-7282-4320-BF1B-4CB7167FE6BE@employees.org> <DE7B0688-230F-4A5C-8E24-9EAED9FD9FEB@puck.nether.net> <AFEBAD7D-DF24-4924-8B9A-60DF22BA1953@consulintel.es> <c42affce-fbd3-23ec-c9ff-4f05cdf38630@si6networks.com> <41173152-A8E8-4241-9DE7-376AA7AFB813@consulintel.es> <c4166907-b6c9-a4ef-fd59-cf539bbe0405@si6networks.com> <43D76C96-C16B-4BEB-B9B8-C68D53BCE63F@fugue.com> <fb5b8377-892d-2777-ef9b-4f9ddefa6c93@si6networks.com> <CAKD1Yr034_tu7ZoJ1FCfDYhNSN6igm-ZQyR4u3U+UDMr=huGOw@mail.gmail.com> <1af0b06d-f9d7-5ea1-27f3-b417eb9148fa@si6networks.com> <7606A049-318D-4526-917D-F2A801BF7050@cisco.com> <CAKD1Yr1d9kORFdoOJr22J_UDJ9hLPr6AQLyWuh7=bAQKa+aXGw@mail.gmail.com> <MN2PR11MB356588FC3E8A6410B725D159D80A0@MN2PR11MB3565.namprd11.prod.outlook.com> <CAKD1Yr35meRGh_POo_2jrHA_oazO1xUOG5G_rx43xNLFYHQsMQ@mail.gmail.com> <MN2PR11MB356526F01CAE1CADEF8E4472D80A0@MN2PR11MB3565.namprd11.prod.outlook.com> <CAKD1Yr0-rmyzz3y1d+pCpA0+tGuhSdjojaJovXUzVuyx6UdeLA@mail.gmail.com> <98179a48-8d86-4673-6c82-fc0022988862@foobar.org> <F84FEFAF-1F78-47D4-B3E0-981DCFD0CB58@employees.org> <CAKD1Yr11_SSUkCBuQ3-h+eRg0LPZQdhe+h7f0YZy9TiyRWj6mw@mail.gmail.com> <30A6C187-EB5F-427A-BAC6-BB847A288F7B@employees.org> <A9182ABC-9E5D-4F7F-808E-ED461367D1F8@jisc.ac.uk>
In-Reply-To: <A9182ABC-9E5D-4F7F-808E-ED461367D1F8@jisc.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pKE5HkbJO1fIcaS4Reybt3xoUVI>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

What problems are we talking about? I’ve seen several things:

A) On the host:
   1) desire to avoid leaking user info and network info around the us
   2) simplicity in address allocation
   3) match address lifetime with session needs

B) On the network:
   1) avoid misusing wireless resources (broadcasts)
   2) match the state in the network with the needs of the client and adapt resource allocation
   3) maintain a complete picture of the addresses in use to set up forwarding (think overlays) and provide visibility to ops
   4) SAVI, protecting the hosts against address impersonation and stealing


The number of temp addresses is only remotely related to most of these issues.

A1) Temp addresses beyond one session leak information. The ideal would thus be one address per session. Since there can be a number of concurrent sessions it is hard to provide an upper bound to the number of addresses a host may use at one point in time, but certainly there could be several.
A2) Multiplying the mechanisms creates hassle and possible interactions between the mechanisms. The ideal would be a simple exchange where the host may provide an address or get one back, the address being guaranteed unique and inserted in the access routers by the end of the exchange so it is usable immediately.

A3) The lifetime of a session may vary. If the duration is unknown then the address should be renewable, whereas RFC 4941 just deprecates it.

B1) The more addresses a node uses with classical ND, the more broadcast churn on the Wi-Fi. Having multiple addresses exacerbates the problem but it’s really a protocol issue more than a conceptual issue with having multiple addresses.

B2) On the network side, there’s a lot of memory available to maintain state. What hurts is that the network does not know when the host creates a new address and when it releases it. The more BCPs we change over time, the less the network can guess. The network cannot even recognize a permanent and a temporary address.

B3) Because it is blind with IPv6 ND, the network maintains state for addresses that are not used any more, and may release state for addresses that are still in use. It has to resort to LRU and limits the count of addresses per MAC. Then again, the amount of addresses in use only exacerbates the problem, but it is really a protocol issue.

B4) If the network maintains a state about the address, that state can be associated with a proof of ownership. This simplifies dramatically the SEND problem, since the proof is done once with the network as opposed to individually with each peer, and the token can be larger than 64 bits.

The problem is thus NOT that the node has too many addresses, and it is thus NOT to define how many addresses a node should have, and what the default lifetime would be. There is no good answer for that; this thread has been quite clear about that. The problem is to keep the network in sync with the needs of the hosts so the network can serve them optimally within resources.

The ideal would be that the host maintains a state with the network for all the addresses in use, with a sense of lifetime, mobility, and possibly a proof of ownership of the resources that it claims.

One can get a lot more by being polite and just asking.

So I’m asking. Please look at RFC 8505.

Pascal
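An added illustration of points B3 and B4 above (example code written for this archive page; it is not Pascal's code and not an implementation of RFC 8505). It contrasts a router that only observes source addresses and must fall back to LRU eviction with a per-MAC cap, against a router that keeps explicit registration state with a lifetime and an ownership token. The status values 0/1/2 are modelled on the RFC 8505 EARO status codes (Success, Duplicate Address, Neighbor Cache Full); the 128-bit ROVR, the MAC addresses, the 2001:db8:: prefix and the timings are all constructed for the example.

```python
"""Toy model: passive neighbor cache (classical ND) vs. registration table.

Addresses, MACs, lifetimes and the 128-bit ROVR below are constructed for
this example; the status values are modelled on RFC 8505 but this is not
an RFC 8505 implementation.
"""
from collections import OrderedDict
import os


class PassiveNeighborCache:
    """Network learns an address only by seeing it used (classical ND).

    It never hears that an address was created or released, so it caps
    entries per MAC and evicts the least recently seen one, which may be an
    address the host still uses (point B3 in the message).
    """

    def __init__(self, max_per_mac):
        self.max_per_mac = max_per_mac
        self.by_mac = {}      # mac -> OrderedDict(addr -> None), oldest first
        self.evicted = []     # addresses dropped without knowing whether they were in use

    def observe(self, mac, addr):
        entries = self.by_mac.setdefault(mac, OrderedDict())
        if addr in entries:
            entries.move_to_end(addr)
            return
        if len(entries) >= self.max_per_mac:
            old, _ = entries.popitem(last=False)   # LRU guess
            self.evicted.append(old)
        entries[addr] = None

    def knows(self, mac, addr):
        return addr in self.by_mac.get(mac, {})


# Status values modelled on RFC 8505 EARO: 0 Success, 1 Duplicate Address, 2 Neighbor Cache Full
SUCCESS, DUPLICATE, CACHE_FULL = 0, 1, 2


class RegistrationTable:
    """Router-side state per registered address: owner ROVR and expiry time.

    The host says when it adds an address (lifetime > 0), renews it, and when
    it drops it (lifetime 0), and proves ownership with the ROVR, so the
    network neither keeps stale state nor drops live state (points B2-B4).
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}     # addr -> (mac, rovr, expires_at)

    def register(self, mac, addr, rovr, lifetime, now):
        current = self.entries.get(addr)
        if current is not None and current[1] != rovr:
            return DUPLICATE                      # another node already proved ownership
        if lifetime == 0:
            self.entries.pop(addr, None)           # explicit release, no LRU guessing
            return SUCCESS
        if current is None and len(self.entries) >= self.capacity:
            return CACHE_FULL
        self.entries[addr] = (mac, rovr, now + lifetime)
        return SUCCESS

    def expire(self, now):
        self.entries = {a: e for a, e in self.entries.items() if e[2] > now}

    def knows(self, addr):
        return addr in self.entries


def new_rovr():
    # Constructed 128-bit token; RFC 8505 allows ROVRs longer than 64 bits.
    return os.urandom(16)


def run_passive(max_per_mac=4):
    """Host opens six sessions, one temporary address each; the first stays open."""
    cache = PassiveNeighborCache(max_per_mac)
    mac = "02:00:00:00:00:01"
    addrs = ["2001:db8::%x" % i for i in range(1, 7)]
    for a in addrs:
        cache.observe(mac, a)                     # each new session appears as a new source
    return {"evicted": cache.evicted,
            "first_still_known": cache.knows(mac, addrs[0])}   # False: live address lost


def run_registration(capacity=4):
    """Same host, but it registers, releases and renews addresses explicitly."""
    table = RegistrationTable(capacity)
    mac, rovr = "02:00:00:00:00:01", new_rovr()
    addrs = ["2001:db8::%x" % i for i in range(1, 7)]
    now = 0
    long_lived = table.register(mac, addrs[0], rovr, lifetime=600, now=now)
    short = []
    for a in addrs[1:]:
        now += 10
        short.append(table.register(mac, a, rovr, lifetime=30, now=now))
        short.append(table.register(mac, a, rovr, lifetime=0, now=now + 5))  # session done
    # A second node tries to claim the long-lived address with its own ROVR.
    attacker = table.register("02:00:00:00:00:02", addrs[0], new_rovr(), lifetime=600, now=now)
    # The host renews instead of letting the address be deprecated (point A3).
    renew = table.register(mac, addrs[0], rovr, lifetime=600, now=500)
    table.expire(700)
    return {"long_lived": long_lived, "short": short, "attacker": attacker,
            "renew": renew, "known_at_700": table.knows(addrs[0]),
            "entries": len(table.entries)}


if __name__ == "__main__":
    print(run_passive())
    print(run_registration())
```

With a cap of four entries per MAC, the passive cache has already evicted the first two addresses by the time the sixth session starts, although the first session is still open; the registration table never evicts a live address, rejects the second node's claim on the long-lived address because its ROVR does not match, and keeps the renewed address past the original expiry.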