IETF Logo Mail Archive

Re: Feedback on draft-linkova-6man-grand-01

Gyan Mishra <hayabusagsm@gmail.com> Mon, 02 December 2019 05:52 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D30881200B3 for <ipv6@ietfa.amsl.com>; Sun, 1 Dec 2019 21:52:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.096
X-Spam-Level:
X-Spam-Status: No, score=-0.096 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rBwm5bWXz7r for <ipv6@ietfa.amsl.com>; Sun, 1 Dec 2019 21:52:30 -0800 (PST)
Received: from mail-qk1-x743.google.com (mail-qk1-x743.google.com [IPv6:2607:f8b0:4864:20::743]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 411D512002F for <6man@ietf.org>; Sun, 1 Dec 2019 21:52:30 -0800 (PST)
Received: by mail-qk1-x743.google.com with SMTP id e187so31465434qkf.4 for <6man@ietf.org>; Sun, 01 Dec 2019 21:52:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=txzzOtRSg82wLzu+C7JWmSWwK36ReVXWOrvr3dOK1Zw=; b=uv8R1/wPscZulgfJ6xsRcaRl1FxqA1/UczJo6UMZn16JXgQg8Q/OGR/PsEkEauFMli QE3sj0QHMAZpEkDdT4XLSquEEbJ1K5K00OwG7gbH+NXJ7NiEy6A3fLvUp9aMkiKXPMi2 FJ6Brx03reg4fkNewx3O7vrPjr0DqvXchor+k7CYbrS8qNQo1it/03Z2YoN7eY4BOO/e qhnSWVd0rS4F36arx8E+pWRyAFHIJxPCW7u2jpfE2EYTyptSM3qILrPT5ivNzUPZGW/h gNAeOfyHxIrvdTtnt6FKVGv+z2mKH0S5xBzBG6wPMEIrxihzc9N7vhWczddzmkLeE67q yLaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=txzzOtRSg82wLzu+C7JWmSWwK36ReVXWOrvr3dOK1Zw=; b=Qg2G5dvJxIo6v6Y1DD7+cDKZSsOZIy5fH5aBFdnJdllRFHdse57uRGxtLvAt7AKH4V 5g/QbFuDC53O9agIXA+opr/IXieU64RNRa7u760BKtugaWmw7HlD5UpL1D3alEF4noGy ksZ1L8Yc67uE1elQrT5wMxoQrgrp7rX1DrZilLQE26gJ8L/Avl7Y4U7DiBiAu8z4YZiD RJhJVMMai7KVv4rX/1eyKN0y8prqgM44TUd78zgMXU0UD9HsqjEaMbbq2qcq4abVOU5X AUKiUNizr2Ob+X3FszbKOmmjQcve17gGkBu61h7sBxv+xIzjS928C3vq02WGx2INeFQe ljBQ==
X-Gm-Message-State: APjAAAVPAbZ8ftFB/Ej40kk4CY6xdUjBZWIl69SkV9Fkc46yAvpvGE5H Qobk8n/e7IKDnfezvMNYe8NGRzOySco=
X-Google-Smtp-Source: APXvYqycM6NQi3wL0uQMZxyxrFFLCiUINk6uVr3il7dbTifaKSrFnntcxqVB+K3Cyyi/PQl7H0wvIA==
X-Received: by 2002:a37:4985:: with SMTP id w127mr30612441qka.125.1575265948661; Sun, 01 Dec 2019 21:52:28 -0800 (PST)
Received: from [192.168.1.213] (pool-72-83-194-140.washdc.fios.verizon.net. [72.83.194.140]) by smtp.gmail.com with ESMTPSA id r48sm15883998qte.49.2019.12.01.21.52.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 01 Dec 2019 21:52:28 -0800 (PST)
From: Gyan Mishra <hayabusagsm@gmail.com>
X-Google-Original-From: Gyan Mishra <hayabusaGSM@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-D92C2BF5-7024-41B3-BC44-0FB685341A79"
Mime-Version: 1.0 (1.0)
Subject: Re: Feedback on draft-linkova-6man-grand-01
X-Mailer: iPhone Mail (16G102)
In-Reply-To: <CAFU7BATNSXBypROU3p2JW_=9HN0rtKYq2oe4oJL65eifZdkdNw@mail.gmail.com>
Date: Mon, 02 Dec 2019 00:52:27 -0500
Cc: Fernando Gont <fgont@si6networks.com>, "6man@ietf.org" <6man@ietf.org>, Jen Linkova <furry@google.com>
Content-Transfer-Encoding: 7bit
Message-Id: <4F310898-2EC0-410D-A08D-EBD5E07BCAE9@gmail.com>
References: <3fbc97b1-123b-49e8-0c66-47815177e0ca@si6networks.com> <CAFU7BATNSXBypROU3p2JW_=9HN0rtKYq2oe4oJL65eifZdkdNw@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/xvx6gHJgOSYebwDQkJXeNID0uMA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2019 05:52:33 -0000

Jen

The changes that you are proposing to RFC 4861 have you tested in a lab environment to ensure no adverse consequences to the changes or collateral damage by changing something might break something else With ICMPV6 RS/RA state machine.

Here is a github link to a test done related to the override flag being set and ND cache resiliency when an address gets recycled. In this case the address is recycled to different Mac and so the override flag has to be set to update the entry.

https://gist.github.com/leblancd/e550d41cad5a1c0ecb81837dfbc93cc5

This relates to Section 3 and 3.1 avoiding disruption. So I understand you would set the override flag to clear if the address is optimistic but you don’t state to set the override flag if the address is Valid and preferred.  So this is a corner case with the optimistic DAD state you are addressing to not set the override flag to avoid disruption in case of duplicate address.  Have you been able to recreate this issue occurring in the lab with the current RFC 4861 stack.


Section 3.2

I am getting lost reading this section.  Where it says that the rightful owner does not use the address for communication.

Is DAD not complete and is the rightful address not used because the interface is in some other DAD state and not Valid/Preferred.  So the off link default traffic is not able to get back to the optimistic address.  The optimistic address is on the same subnet routable as long as RA RIO has been received.  

3.2. Neighbor Cache Entry Does Not Exist If there is no entry then it would be created/updated with the supplied LLA and its state set to STALE. In that case as soon as the entry is used for sending traffic to the host, the entry state will be changed to DELAY and the Neighbor Unreachability Detection would be started and the rightful owner LLA will be entered in the cache. So in the scenario when the rightful owner does not use the address for communication then it might be a short (a few seconds) period  time when the data packets sent from the outside could reach the host
with the optimistic address. However it seems likely that hosts using Optimistic DAD would start sending/receiving traffic right away, so the first return packet would trigger the NUD process and rewrite the cache.
 

There are a lot of scenarios and permutations to think of with the updates mentioned in the draft.  Should  all of those be spelled out in this update or only corner cases with issues you have encountered that you are addressing with the update? 

 I think addressing all scenarios would help to ensure the change being made is not breaking another scenario and other with the RS/RA state machine.

Gyan

Sent from my iPhone

> On Nov 27, 2019, at 7:36 PM, Jen Linkova <furry13@gmail.com> wrote:
> 
> Hi Fernando,
> Thanks for your review!
> Comments inline.
> 
> On Wed, Nov 27, 2019 at 11:42 PM Fernando Gont <fgont@si6networks.com> wrote:
>>>   As the main purpose of sending unsolicited NAs upon configuring a new
>>>   address is to proactively create a Neighbor Cache entry on the first-
>>>   hop routers, the gratuitous NAs SHOULD be sent to all-routers
>>>   multicast address (ff02::2).  Limiting the recipients to routers only
>>>   would help reduce the multicast noise level.
>> 
>> In the context of RFC8028, one might argue that you could simply send
>> the unsolicited NAs unicast to the routers that advertised this prefix.
>> This would:
>> 
>> * reduce multicast traffic
>> 
>> * also reduce the number of unnecessary entries in local routers (there
>> would be no point to create entries for addresses configured for, say,
>> 2001:2b8::/64 at Router A, if you will only use Router B as the default
>> router for packets sourced from those addresses).
> 
> The main drawback of this approach is it would work in 50% of cases if
> the network provides first-hop router redundancy. There is no
> guarantee that the traffic is symmetrical - the host can easily choose
> a router A as a default gateway but the return flow can reach the LAN
> via the router B.
> See https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00#section-2.3.2.2
> 
> I'll update the text to clarify it.
> 
>>> As the INCOMPLETE entry means that the router has
>>>   started the ND process for the address and the multicast NS has been
>>>   sent, the rightful owner is expected to reply with solicited NA with
>>>   the Override flag set.
>> 
>> I should re-check the spec. The NA would certainly have the solicited
>> flag set. Although I'm not sure it woudl always have the override flag set.
> 
> It *SHOULD* unless it's anycast or the device is a proxy:
> https://tools.ietf.org/html/rfc4861#section-7.2.4
> 
> " If the Target Address is either an anycast address or a unicast
> address for which the node is providing proxy service, or the Target
>   Link-Layer Address option is not included, the Override flag SHOULD
>   be set to zero.  Otherwise, the Override flag SHOULD be set to one."
> 
>>>   When a valid Neighbor Advertisement is received (either solicited or
>>>   unsolicited), the Neighbor Cache is searched for the target's entry.
>>>   If no entry exists, hosts SHOULD silently discard the advertisement.
>>>   There is no need to create an entry if none exists, since the
>>>   recipient has apparently not initiated any communication with the
>>>   target.  Routers SHOULD create a new entry for the target address
>>>   with the link-layer address set to the Target link-layer address
>>>   option (if supplied).  The entry its reachability state MUST also be
>>>   set to STALE.  If the received Neighbor Advertisement does not
>>>   contain the Target link-layer address option the advertisement SHOULD
>>>   be silently discarded.
>> 
>> Shouldn't this only happen if the "solicited" flag is not set?
> 
> Valid point. I do not see any harm is doing it for Solicited but I'm
> happy to limit to unsolicited NA only...
> 
>>>   Announcing a new address to all-routers multicast address may inform
>>>   an on-link attacker about IPv6 addresses assigned to the host.
>>>   However hiding information about the specific IPv6 address should not
>>>   be considered a security measure as it falls into 'Security through
>>>   obscurity' category.
>> 
>> I'd remove the "security through obscurity" bit, and note that this
>> information is normally disclosed with dad, anyway, and not just to
>> routers, but to all nodes.
> 
> Not *exactly* true if the network deploys all those smart WiFi devices
> but it's more an operational consideration.
> I'll update the text, thanks!
> 
>> Food for thought:
>> Maybe routers could simply create the ND cache entries, if the entry is
>> not present, when the corresponding DAD packets are received?
>> This would mean no changes on clients, and just updates on routers.
>> (me thinking out loud)
> 
> Please note that this draft does not discuss *all* possible
> approaches. The operational issue and various solutions are documented
> in https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00.
> Your proposal  'why not DAD' is discussed in
> https://tools.ietf.org/html/draft-ietf-v6ops-nd-cache-init-00#section-2.4
> 
> I should probably make it explicit in the Introduction section that
> the readers of draft-linkova-6man-grand shall read the 6ops doc first.
> 
> -- 
> SY, Jen Linkova aka Furry
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email