IETF Logo Mail Archive

Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05

Mark Smith <markzzzsmith@gmail.com> Wed, 29 May 2019 00:58 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B9ED1200B2 for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 17:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTYKwiGmHUj4 for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 17:58:20 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF55A120025 for <ipv6@ietf.org>; Tue, 28 May 2019 17:58:20 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id 203so614218oid.13 for <ipv6@ietf.org>; Tue, 28 May 2019 17:58:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=O6xX/u88qhHLKYYuKvOmsAU80YWZkWO0b785U22GFnA=; b=f82+iTsJ/VCj+/qO15Qy2cinmmnByqIgZVN2VadhUK1KDXUoL1RA705vNtg2pJkv5u VExJQLgASScdPeYaOG8d/o+L79yxoC2ZSGfsnwvFF1zI5BkTS050clZ0YHG1j8vJHJCL W4gjuqMSN8wmY12KwQjInXsvtMeOJPQMKDz2oAhjXcgOwmCsgc4tTFhNPBY5DhvB5Ewk KuWc0Iwo9fotjnWAWxyqFOCyQN8UYbXLtmVvRDV2yVPUm6mdxL+XAeSBY1CeS3KLDY5v DNjFEIZWmi/0Yd025REdH2FO1W21HchMX/dlYyEoplWPyCLDhtRD8m3TTFUZukCBDymQ +EHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=O6xX/u88qhHLKYYuKvOmsAU80YWZkWO0b785U22GFnA=; b=RanO4ItIsD77vCwrvKBSV4WRHsrmcIiTjlOdY79np2/Blj5HdzqlKob+uaMU8uSHRp CwvqrnXx4L/NoR3+1Kzq6Jfbdtga6h333eRpJYQfzFq2q9P0J1oMEs7Pi3btNfIq9t+6 uDeT8H5ctJN9xdOYPwbl1JUOw1quAD5JOjggbBdXbH5UuTtVPYU9kKN8zGWjzDxX4aHf YQD3pvvXns/jFtjZglrY7MLq/lToLPFlfe0YZKD7UoUGRaeJaZfawBd9tMtlfz7+rGkg VhdoC6/95ssezu2jn0BUoNOq7Hgx7KcX07i72+ZBfGTVSKOv2bIBLHvWoJw1veWfeaon ZZNQ==
X-Gm-Message-State: APjAAAUoau3IYoKdqfu+tN4yrUD5IxPIs3jj+y8zdd5iG2h4MFU6sz0i qSm22kMfFd2PA/7q+0xov3+oraOHQTQplGVesp0=
X-Google-Smtp-Source: APXvYqz9JgeSKb1OJvghFE+d0FL2vj8DwRgvjEOIWEaj2nIS3tIYXGtxTN6mLZaH1WDH4XlNmkU1n5PxX2062efNOI0=
X-Received: by 2002:aca:c187:: with SMTP id r129mr4365119oif.164.1559091499946; Tue, 28 May 2019 17:58:19 -0700 (PDT)
MIME-Version: 1.0
References: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org> <232c1a43-0fd9-4eae-737b-260a3906f72a@gmail.com> <663F6C0B-7B8A-4088-B9C0-B2867B0C3EB8@gmail.com> <CAN-Dau3VJN7qNHAW-yStMrDRCa4vsDs2ObkAxswnYbcHde2t_w@mail.gmail.com> <m1hPqHO-0000J8C@stereo.hq.phicoh.net> <CAN-Dau3R=4JbcbK7tWkJKYzVjq7DvAAEjVsbCLbZdYYO8OJ0YA@mail.gmail.com> <m1hQ7Dm-0000M3C@stereo.hq.phicoh.net> <CAN-Dau040j6U+1CCn0QJiVMy2nVShHqqSFdCkM-FbMAH-2wjRA@mail.gmail.com> <m1hQCYr-0000KBC@stereo.hq.phicoh.net> <561d9dc3-c769-c774-8f65-f975ac2a10a0@gont.com.ar> <m1hT1DZ-0000HEC@stereo.hq.phicoh.net> <ce07ade8-5105-055f-4798-f4ef20a2393c@si6networks.com> <CAN-Dau02MYCrKx2BgyuYJeHBdoz6SHCnp+-byM+LMM8af0S+rA@mail.gmail.com> <40e99171-6dda-29e3-6152-da5ca5219ed9@foobar.org> <CAN-Dau0ALqfAA-Dz56oHAfOtY7E2obx5E7TgoeH357Mckp3t9g@mail.gmail.com> <093ba8e2-6f0a-4c91-9df1-cda33fffea97@foobar.org> <CAN-Dau3kVqb+ZEHB7iPGeRuq1Mu8UHR3FEZv8SgmiqZexaFhuA@mail.gmail.com> <12db9629-f92a-e12a-5ff1-7db2c5d2137e@foobar.org> <F6F0C9DC-545E-4FE5-BB4C-55BB29022E84@steffann.nl> <CAO42Z2yUDi3FHOZsLrHqwLsEWkB1X9FREa8m6dU6ecOr=SsX4g@mail.gmail.com> <E51102E7-D4F0-4469-8888-5072F624EE06@steffann.nl> <CAN-Dau1S57wQ+3+m+m5grMe5N2SdfFqhELteSYfkmAC85_8H3w@mail.gmail.com>
In-Reply-To: <CAN-Dau1S57wQ+3+m+m5grMe5N2SdfFqhELteSYfkmAC85_8H3w@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 29 May 2019 10:57:53 +1000
Message-ID: <CAO42Z2wL4mz_MTh-E7vHVu0WmpZJtBQYiMnz5uNGOTFOkBujrg@mail.gmail.com>
Subject: Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05
To: David Farmer <farmer@umn.edu>
Cc: Sander Steffann <sander@steffann.nl>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pWnLegK3SJx6gS4ZWmRV-Vs7-Ic>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 00:58:22 -0000

I hesitate to respond, because when people start resorting to
classifications/name calling, changing the problem definition to suit
their alternative solutions, even the meaning of base words in the
English language, the discussion has probably devolved that time would
be better spent elsewhere.

On Tue, 28 May 2019 at 22:53, David Farmer <farmer@umn.edu> wrote:
>
>
>
> On Mon, May 27, 2019 at 7:47 PM Sander Steffann <sander@steffann.nl> wrote:
>>
>> Hi Mark,
>>
>> Blocking 0x800/0x806 on individual link-layer ports would prevent IPv4
>> traffic including link-layer broadcasts on the link, but it doesn't
>> stop hosts initialising their IPv4 stack and trying to acquire an IPv4
>> address via DHCP. It requires link-layer per-host port configuration,
>> which would involve configuring 100s if not 1000s of individual ports.
>>
>>
>> Most switch operating systems and/or automation solutions provide easy ways to do that, but let's look a bit further.
>>
>> RFC2563 should stop an IPv4 host sending IPv4 packets after the
>> initial DHCP transaction. However, it doesn't prevent link-layer
>> broadcast DHCPDISCOVERS, which is flooded to all other hosts on the
>> link and has to be processed by their main OS CPU to be discarded,
>> because the NIC can't filter them using the DA. This is where the main
>> battery cost will be when mobile nodes join the link, likely
>> continuously on big Wifi networks at e.g. conferences.
>>
>>
>> Do you have numbers on this? I'd like to see whether this is a significant drain on batteries.
>
>
> Personally, I'm not particularly worried about DHCPDISCOVERS at least in most cases,
> there are a few badly behaved clients, but in general exponential backoff in the client should deal with this nicely. Personally, my issue is IPv4 LL, in particular, service advertisement/discovery traffic using IPv4 LL. This service advertisement/discovery traffic can be sizable and is already problematic for many WiFi networks so the elimination of such traffic that is by definition futile is an unqualified win in such situations.
>>

The thing about DHCPDISCOVERS is that they're a fundamental indicator
of whether or not a host has IPv4 enabled or not.

They're important here because if a host has stopped issuing
DHCPDISCOVERS, then unless it has a manually configured IPv4 address,
the host also won't be sending any other IPv4 traffic you mention.
That means no sending of ARP DUD (ACD), mDNS, Netbios or any other
IPv4 triggered link-layer broadcasts or multicasts.

An IPv4 host without an IPv4 address has no need to use and is unable
to use those other protocols. It is an IPv6 Only host now, rather than
a Dual Stack host.



>> A link with a DHCPv4 server on it supporting RFC2563 is not an IPv6
>> Only link, because IPv4 is still present on the link. There should be
>> no IPv4 services/infrastructure and no IPv4 packets on an IPv6 Only
>> link, including IPv4 zero-conf link-local traffic. An IPv4 only
>> zero-conf printer should not work on an IPv6 Only link, intentionally.
>>
>>
>> This is what I consider an overly restrictive view ("purist") of an IPv6-only link. Telling your clients that ask for IPv4 using DHCP that there isn't any isn't an operational problem.
>
>
> Let's stop calling each other names, it's not helpful. Yes, the idea of wanting to block all IPv4 traffic is restrictive, but equally, the idea that IPv6 should not impact IPv4 in any way is also restrictive. We simply disagree which is more desirable, different people and networks can have different priorities.
>>



>> The combination of those two mechanisms would go close to achieving what this flag would, except that the first mechanism prevents the
>> second from working.
>>
>> So individually or in combination, neither of these are a solution to
>> the problem of achieving an IPv6 only link.
>>
>>
>> Ok. SAVI then instead of full ethertype filtering. Widely implemented and it allows DHCP, DHCP filtering and if the clients don't get addresses assigned it will drop their traffic.
>
>
> Using RFC2563 with SAVI and ARP filtering (Ether type 0x0806) is an interesting option, or maybe filtering IPv4 LL traffic.  However, both of these require much more thought than simply filtering Ethertypes 0x0800 and 0x0806.  Filtering by Ethertype is simple and elegant, further, it is a basic feature supported by many more network devices than the more sophisticated Layer 3 aware filtering otherwise required to not also block the DHCPv4 exchange required for RFC2563 to work.
>
> I want a belt and suspenders approach; I want to signal dual-stack clients that IPv4 isn't available, or at least that they SHOULD NOT autoconfigure an IPv4 LL address, RFC2563 does this nicely, the belt. However, for any dual-stack clients that ignore the signal provided, I also want to filter the unwanted and futile IPv4 traffic on the network to ensure that it doesn't bother other dual-stack clients on the network, the suspenders.
>
> So, RFC2563 with fairly sophisticated Layer 3 aware filtering is an option that achieves the desired results, at least my desired results. However, the IPv6-Only flag has the added advantage of allowing the use of simple and more widely available Ethertype filtering.
>
> Also, the testing that I did shows that most newer clients no longer support RFC2563. I'd be happy to be wrong on this and I'm not 100% sure my test was valid, but even if I'm wrong this shows that making RFC2563 work as desired isn't trivial.
>
> Thanks.
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================

v2.23.0 | Report a Bug | By Email