IETF Logo Mail Archive

Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05

David Farmer <farmer@umn.edu> Tue, 28 May 2019 12:53 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF91A120136 for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 05:53:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dsn0G_ktJ2Yp for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 05:53:54 -0700 (PDT)
Received: from mta-p7.oit.umn.edu (mta-p7.oit.umn.edu [134.84.196.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A2421200CD for <ipv6@ietf.org>; Tue, 28 May 2019 05:53:54 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id BE7B5646 for <ipv6@ietf.org>; Tue, 28 May 2019 12:53:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PalRg5A8FMwH for <ipv6@ietf.org>; Tue, 28 May 2019 07:53:53 -0500 (CDT)
Received: from mail-ua1-f69.google.com (mail-ua1-f69.google.com [209.85.222.69]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 715CB621 for <ipv6@ietf.org>; Tue, 28 May 2019 07:53:53 -0500 (CDT)
Received: by mail-ua1-f69.google.com with SMTP id u3so4808809uao.4 for <ipv6@ietf.org>; Tue, 28 May 2019 05:53:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aaQQ/g/Xo+pr6mboB/troB9qNTJIb3w8vu+0pHfIFZ8=; b=pmSffNyxENoN9N79odm4mpq2gX2WTLeJU1BjTRhOOAzDiFC2+cs5Dki+87Jgvzc2uw wg4bnajf1qRMePxMaO03W9FwepTWVQp8rvgvo04TRd70sMj8BZ2qN7bD2Roqt25XVBXl 2fXdf4zLlLHobFIlwzGELbcd4YBhvi3Ft9ug51v/8ZHP1e9CgzGVPoxrBhRRhFLT4IP/ /gPzquBQiFydaGhWTAlfelb9sG+yIJ45jzkYb4572pTXmyyEugIqpcXieTho/duc8wll eKr/jkjNjGI8ubpxGpp3r5w+x4Gsp9yk0gjW+DC4GFP73WfvGDbX/qZvM36+utiemwwJ 5fqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aaQQ/g/Xo+pr6mboB/troB9qNTJIb3w8vu+0pHfIFZ8=; b=qAw/ipJaE2687ohun7mSFCoLLAndi4h9WSx14kaEzA67v6rVsxUAZTY0tjyIqyqLWc Ghhkx/y/eI0AzRgSLEo2pSZBGjdQH2fcKbnT1RABl4kxDiuT8KmPu6+6JEjwvC1tDgXj SGhJxE+1HvKgAEwtgm99P05L7eQlF17KDuMDeOzFyVObSYeGFXzdmSVinz6h8UVmuQhk 4np49lyBgcVd/QW7aeQ1EzCE8AWPurs3yHzQMGuBU6oNsYcI7A3xx9J1AXC5I1Nj2lZw YyxNIDB0EEAGNXK/hH11Vx8Ku3sK5P4N3Fc9gulbQiiqAiaXHQRrGcSQOYr8lD9EpUSB 9+GQ==
X-Gm-Message-State: APjAAAWDm/yXL388NFRsJUwkzc3+2IqZ++7jpqgLVg0ZxHrFicI32jPp H54/5yAu+dcITnj6qhaObDpXy2vAcrlUSqMNsokAQ0uF4oR5k5BVoRI4GJsJ6L2f1/7wzZPLIhS knbNXipgIlTu6b+/dW2vq2qeg
X-Received: by 2002:ab0:2ed:: with SMTP id 100mr39787333uah.119.1559048032346; Tue, 28 May 2019 05:53:52 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwN7Zfq/RtabiVubqAQ3rrooFI/6rDeVuYZW30mCSHHlWum3fEon9MYtOru4tegHLBBSn8Tf01jZ+2zmnC71OA=
X-Received: by 2002:ab0:2ed:: with SMTP id 100mr39787263uah.119.1559048031784; Tue, 28 May 2019 05:53:51 -0700 (PDT)
MIME-Version: 1.0
References: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org> <232c1a43-0fd9-4eae-737b-260a3906f72a@gmail.com> <663F6C0B-7B8A-4088-B9C0-B2867B0C3EB8@gmail.com> <CAN-Dau3VJN7qNHAW-yStMrDRCa4vsDs2ObkAxswnYbcHde2t_w@mail.gmail.com> <m1hPqHO-0000J8C@stereo.hq.phicoh.net> <CAN-Dau3R=4JbcbK7tWkJKYzVjq7DvAAEjVsbCLbZdYYO8OJ0YA@mail.gmail.com> <m1hQ7Dm-0000M3C@stereo.hq.phicoh.net> <CAN-Dau040j6U+1CCn0QJiVMy2nVShHqqSFdCkM-FbMAH-2wjRA@mail.gmail.com> <m1hQCYr-0000KBC@stereo.hq.phicoh.net> <561d9dc3-c769-c774-8f65-f975ac2a10a0@gont.com.ar> <m1hT1DZ-0000HEC@stereo.hq.phicoh.net> <ce07ade8-5105-055f-4798-f4ef20a2393c@si6networks.com> <CAN-Dau02MYCrKx2BgyuYJeHBdoz6SHCnp+-byM+LMM8af0S+rA@mail.gmail.com> <40e99171-6dda-29e3-6152-da5ca5219ed9@foobar.org> <CAN-Dau0ALqfAA-Dz56oHAfOtY7E2obx5E7TgoeH357Mckp3t9g@mail.gmail.com> <093ba8e2-6f0a-4c91-9df1-cda33fffea97@foobar.org> <CAN-Dau3kVqb+ZEHB7iPGeRuq1Mu8UHR3FEZv8SgmiqZexaFhuA@mail.gmail.com> <12db9629-f92a-e12a-5ff1-7db2c5d2137e@foobar.org> <F6F0C9DC-545E-4FE5-BB4C-55BB29022E84@steffann.nl> <CAO42Z2yUDi3FHOZsLrHqwLsEWkB1X9FREa8m6dU6ecOr=SsX4g@mail.gmail.com> <E51102E7-D4F0-4469-8888-5072F624EE06@steffann.nl>
In-Reply-To: <E51102E7-D4F0-4469-8888-5072F624EE06@steffann.nl>
From: David Farmer <farmer@umn.edu>
Date: Tue, 28 May 2019 07:53:34 -0500
Message-ID: <CAN-Dau1S57wQ+3+m+m5grMe5N2SdfFqhELteSYfkmAC85_8H3w@mail.gmail.com>
Subject: Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05
To: Sander Steffann <sander@steffann.nl>
Cc: Mark Smith <markzzzsmith@gmail.com>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001f7d870589f22805"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/qUvHvQlTUEcwwWc36-axsBs9Vqk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 12:53:57 -0000

On Mon, May 27, 2019 at 7:47 PM Sander Steffann <sander@steffann.nl> wrote:

> Hi Mark,
>
> Blocking 0x800/0x806 on individual link-layer ports would prevent IPv4
> traffic including link-layer broadcasts on the link, but it doesn't
> stop hosts initialising their IPv4 stack and trying to acquire an IPv4
> address via DHCP. It requires link-layer per-host port configuration,
> which would involve configuring 100s if not 1000s of individual ports.
>
>
> Most switch operating systems and/or automation solutions provide easy
> ways to do that, but let's look a bit further.
>
> RFC2563 should stop an IPv4 host sending IPv4 packets after the
> initial DHCP transaction. However, it doesn't prevent link-layer
> broadcast DHCPDISCOVERS, which is flooded to all other hosts on the
> link and has to be processed by their main OS CPU to be discarded,
> because the NIC can't filter them using the DA. This is where the main
> battery cost will be when mobile nodes join the link, likely
> continuously on big Wifi networks at e.g. conferences.
>
>
> Do you have numbers on this? I'd like to see whether this is a significant
> drain on batteries.
>

Personally, I'm not particularly worried about DHCPDISCOVERS at least in
most cases, there are a few badly behaved clients, but in general
exponential backoff in the client should deal with this nicely. Personally,
my issue is IPv4 LL, in particular, service advertisement/discovery traffic
using IPv4 LL. This service advertisement/discovery traffic can be sizable
and is already problematic for many WiFi networks so the elimination of
such traffic that is by definition futile is an unqualified win in such
situations.

> A link with a DHCPv4 server on it supporting RFC2563 is not an IPv6
> Only link, because IPv4 is still present on the link. There should be
> no IPv4 services/infrastructure and no IPv4 packets on an IPv6 Only
> link, including IPv4 zero-conf link-local traffic. An IPv4 only
> zero-conf printer should not work on an IPv6 Only link, intentionally.
>
>
> This is what I consider an overly restrictive view ("purist") of an
> IPv6-only link. Telling your clients that ask for IPv4 using DHCP that
> there isn't any isn't an operational problem.
>

Let's stop calling each other names, it's not helpful. Yes, the idea of
wanting to block all IPv4 traffic is restrictive, but equally, the idea
that IPv6 should not impact IPv4 in any way is also restrictive. We simply
disagree which is more desirable, different people and networks can have
different priorities.

> The combination of those two mechanisms would go close to achieving what
> this flag would, except that the first mechanism prevents the
> second from working.
>
> So individually or in combination, neither of these are a solution to
> the problem of achieving an IPv6 only link.
>
>
> Ok. SAVI then instead of full ethertype filtering. Widely implemented and
> it allows DHCP, DHCP filtering and if the clients don't get addresses
> assigned it will drop their traffic.
>

Using RFC2563 with SAVI and ARP filtering (Ether type 0x0806) is an
interesting option, or maybe filtering IPv4 LL traffic.  However, both of
these require much more thought than simply filtering Ethertypes 0x0800 and
0x0806.  Filtering by Ethertype is simple and elegant, further, it is a
basic feature supported by many more network devices than the
more sophisticated Layer 3 aware filtering otherwise required to not also
block the DHCPv4 exchange required for RFC2563 to work.

I want a belt and suspenders approach; I want to signal dual-stack clients
that IPv4 isn't available, or at least that they SHOULD NOT autoconfigure
an IPv4 LL address, RFC2563 does this nicely, the belt. However, for any
dual-stack clients that ignore the signal provided, I also want to filter
the unwanted and futile IPv4 traffic on the network to ensure that it
doesn't bother other dual-stack clients on the network, the suspenders.

So, RFC2563 with fairly sophisticated Layer 3 aware filtering is an option
that achieves the desired results, at least my desired results. However,
the IPv6-Only flag has the added advantage of allowing the use of simple
and more widely available Ethertype filtering.

Also, the testing that I did shows that most newer clients no longer
support RFC2563. I'd be happy to be wrong on this and I'm not 100% sure my
test was valid, but even if I'm wrong this shows that making RFC2563 work
as desired isn't trivial.

Thanks.
-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email