IETF Logo Mail Archive

Re: RDNSS sanity checks (was Re: 6MAN WG Adoption Call: draft-gont-6man-nd-opt-validation-01)

Tomoyuki Sahara <tsahara@iij.ad.jp> Fri, 27 February 2015 06:30 UTC

Return-Path: <tsahara@iij.ad.jp>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58CD21A893B for <ipv6@ietfa.amsl.com>; Thu, 26 Feb 2015 22:30:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.697
X-Spam-Level: *
X-Spam-Status: No, score=1.697 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oWY7nu4-vLg9 for <ipv6@ietfa.amsl.com>; Thu, 26 Feb 2015 22:30:44 -0800 (PST)
Received: from omgo.iij.ad.jp (mo00.iij.ad.jp [202.232.30.145]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DA771A893A for <ipv6@ietf.org>; Thu, 26 Feb 2015 22:30:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iij.ad.jp; h=Content-Type: Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding: Message-Id:References:To;i=tsahara@iij.ad.jp;s=omgo2;t=1425018642;x= 1426228242; bh=obE3zAd03t3eKVFKPrRkP8e9+meMSu7W/FrCnCuhqMY=; b=szd6BBPep7OJKR4m 26hrOwgZSfaCOZnQHLCtZ8odwZFNlU4vaZ/6TjyRk6ukjqVq74ZfXIES1r2UM0/pD3EhjLyIpeb/h CSBd9VYEE/H1A62sCrknYcmmANhPhVQFLWTXfHNeb4k6XNY1fO80Y/rbhAtHAGtgZZOPoN3uGg7hU p3cShChVP95E18KsdIdW34MLEOPdv6rAIFf6zbUCswA3C+u3cLPyZ08L/JwCJC63lhS3+bHinoxFo jjQ0yfbMZbE+GGe7Ic3hm0od58iRkD8rgdVzl6fJCMFNFvHObcrCnxHTtBfGZWcXLD0lNg0uGsEMC hzqYNsIqHaK47Hginw==;
Received: by omgo.iij.ad.jp (mo00) id t1R6Ugur031398; Fri, 27 Feb 2015 15:30:42 +0900
X-MXL-Hash: 54f00f1206cc688f-d41af9719a08698bd51c07f8f7c1317e370c848f
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Subject: Re: RDNSS sanity checks (was Re: 6MAN WG Adoption Call: draft-gont-6man-nd-opt-validation-01)
From: Tomoyuki Sahara <tsahara@iij.ad.jp>
In-Reply-To: <54ED1841.8040004@si6networks.com>
Date: Fri, 27 Feb 2015 15:30:40 +0900
Content-Transfer-Encoding: 7bit
Message-Id: <72684F8D-03D7-44DF-9B30-CCAF4DAB371B@iij.ad.jp>
References: <2812B09B-1A2B-4D28-8317-FCB05ACB030C@employees.org> <CO1PR05MB442518E17F1A48EF3E964D5AE6F0@CO1PR05MB442.namprd05.prod.outlook.com> <BLUPR05MB46892B958CAF3C6DABBD5FDD16C0@BLUPR05MB468.namprd05.prod.outlook.com> <54909F8B.2060009@globis.net> <42A3CABC-F3D0-4E69-8933-934CA7E3E7AB@iij.ad.jp> <54ED1841.8040004@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/qbhroeFOfyZTcKoPXZZ1hkUY-EU>
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2015 06:30:45 -0000

>> In Section 10 (about RDNSS option) of this document:
>> 
>>>   The Lifetime field specifies the maximum time in seconds that a node
>>>   may use the IPv6 addresses included in the option for name
>>>   resolution, with a value of 0 indicating that they can no longer be
>>>   used.  If the Lifetime field is not equal to 0, it MUST be at least
>>>   1800 (MinRtrAdvInterval) and at most 3600 (2*MaxRtrAdvInterval).  If
>>>   the RDNSS option does does not pass this validation check, it MUST be
>>>   ignored.  However, the rest of the ND message MAY be processed.
>> 
>> The maximum value of the lifetime field should be larger.
>> 
>> Although the description above is consistent with RFC6106 (says the value
>> of lifetime field SHOULD be <= 2*MaxRtrAdvInterval in section 5.1), it is
>> too short because only a few packet losses removes DNS server information
>> from hosts on the subnet as described in
>> draft-gont-6man-slaac-dns-config-issues-00.
>> 
>> The suggested "default" value in the draft is 5*MaxRtrAdvInterval.  The
>> "maximum" value must be larger than it.  I don't have any good technical
>> reason, but I propose 10*MaxRtrAdvInterval which is twice the default
>> value.
> 
> The thing here is that since s document is all about validation of
> incoming packets (as opposed to how you set the Lifetime for the packets
> you send I'm not sure what we can do about this *in this document*). May
> be this calls for resurrecting draft-gont-6man-slaac-dns-config-issues-00?

Yes.  I think the draft provides a reasonable and practical solution for an
operational problem caused by too short lifetime value in RFC6106.

And if the sentence "If the Lifetime field is not equal to 0, it MUST be ...
at most 3600 (2*MaxRtrAdvInterval)" remains unchanged in this document, it
will prevent operators configuring their routers to send RFC6106 options
with lifetime greater than 3600, because he expects client PCs will ignore
the options according to this validation rule.  So I suggested larger
maximum value here.  Or, the validation rule should be removed for now.


Thanks,
Tomoyuki

v2.23.0 | Report a Bug | By Email