IETF Logo Mail Archive

Re: Detailed review of Significance of IPv6 Interface Identifiers

Ray Hunter <v6ops@globis.net> Tue, 03 September 2013 12:38 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F94F21E8122 for <ipv6@ietfa.amsl.com>; Tue, 3 Sep 2013 05:38:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GesI5B3JzxYm for <ipv6@ietfa.amsl.com>; Tue, 3 Sep 2013 05:38:14 -0700 (PDT)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 8422C21E80E1 for <6man@ietf.org>; Tue, 3 Sep 2013 05:38:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 9D96D8700CD; Tue, 3 Sep 2013 14:37:57 +0200 (CEST)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X0HKYybOp768; Tue, 3 Sep 2013 14:37:57 +0200 (CEST)
Received: from Rays-iMac-2.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 79AD58700CA; Tue, 3 Sep 2013 14:37:57 +0200 (CEST)
Message-ID: <5225D81F.6020009@globis.net>
Date: Tue, 03 Sep 2013 14:37:51 +0200
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Detailed review of Significance of IPv6 Interface Identifiers
References: <520B3529.80802@si6networks.com> <520BF653.8060603@gmail.com> <522309E1.7050806@globis.net> <5223EC0B.8080607@gmail.com> <5224284E.6020604@globis.net> <5224F28E.3040306@gmail.com>
In-Reply-To: <5224F28E.3040306@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Fernando Gont <fgont@si6networks.com>, "6man@ietf.org" <6man@ietf.org>, draft-ietf-6man-ug@tools.ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 12:38:15 -0000

> Brian E Carpenter <mailto:brian.e.carpenter@gmail.com>
> 2 September 2013 22:18
> On 02/09/2013 17:55, Ray Hunter wrote:
>>> Brian E Carpenter <mailto:brian.e.carpenter@gmail.com>
>>> 2 September 2013 03:38
>>> Ray,
>>>
>>>> So AFAICS the u/l restriction and uniqueness restriction is only
>>>> relevant when EUI64 is used in the context of specific LAN hardware, but
>>>> perhaps not all router interface hardware.
>>> The phrasing in the draft looks completely compatible with that to me.
>> I'm not sure what the text is trying to say though.
>
> Ray, are you asking for a change in the text? Please be specific.
>
> <snip>
>
>> So any IETF standard that assumes a 1:1 relationship between IID and
>> IEEE LAN hardware is heading for trouble.
>
> Agreed - in what way does the draft imply anything else?
I agree on the conclusion and the meaning. But the reasoning is not
clear to me, nor particularly correct.
>
> (The words in RFC 4291 that we are obsoleting do seem to imply
> a 1:1 relationship, but that's what the draft fixes.)
Agreed
>     Brian
>
Original text:

/However, this has not so far proved to be the case.  Also, there is
   evidence from the field that despite the IEEE standard [IEEE802], MAC
   addresses with universal scope are sometime incorrectly assigned to
   multiple MAC interfaces.  Firstly, there are recurrent reports of
   manufacturers assigning the same MAC address to multiple devices.
   Secondly, significant re-use of the same virtual MAC address is
   reported in virtual machine environments.  Once transformed into IID
   format (with "u" = 1) these identifiers would purport to be
   universally unique but would in fact be ambiguous.  This has no known
   harmful effect as long as the replicated MAC addresses and IIDs are
   used on different layer 2 links.  If they are used on the same link,
   of course there will be a problem, very likely interfering with link-
   layer transmission.  If not, the problem will be detected by
   duplicate address detection [RFC4862] [RFC6775], but such an error
   can usually only be resolved by human intervention./

Proposed text:


/
However, the expected advantages or application of interface identifiers
with universal scope have not materialised.

There is also evidence from the field that MAC addresses are not as
unique as one might expect, where for example manufacturers have
erroneously allocated the same burned in address to multiple devices.

Furthermore, IEEE standards and operational practices have advanced
significantly since RFC4291 was published.

There are at least three use cases in wide-spread production where a
router or other operating system interface at layer 3 may not enjoy
direct access to LAN hardware on a 1:1 relationship so that it can
access a "burned in address" from the MAC layer to create a unique IID
per interface with universal scope (which seemed to be an underlying
assumption when RFC4291 was written):

- use of software drivers to spoof an operating system into thinking it
is talking to hardware, when in fact no LAN hardware is present e.g. LAN
interfaces on virtual machines. Significant re-use of the same virtual
MAC address has been reported in virtual machine environments. 

- use of an intermediate NIC teaming layer or Link Aggregation Group
that takes a number of underlying layer 2 links and presents them as a
single MAC interface to the client operating systems (IEEE 802.3ad draft
v1, IEEE 802.1ax LACP, proprietary). IEEE 802.1ax states that the MAC
address of the LAG MAY be an address of one of the underlying links in
the Link Aggregation Group, but this is not limited in any way in
implementations. LACP may also add and delete links from the Link
Aggregation Group dynamically, and it would seem counterintuitive that
the associated IID, and thus the IPv6 address, had to change every time
this happened, because the whole purpose of the LAG is to shield the OS
from such low level changes.

- "Router on a stick", or "firewall on a stick", where a specialist
device such as an inter-VLAN router or firewall is connected to a layer
2 switch fabric via a single high speed interface, and multiple sub
interfaces are defined at Layer 3, all of which share a common layer 2
MAC address. These sub interfaces may be transported as a VLAN trunk
(e.g. 802.1Q) into the layer 2 switch fabric, where the individual VLANs
may then be presented on different hardware interfaces, such that the
device may appear to source traffic on multiple physical interfaces
using the same layer 2 address.

Once transformed into IID
   format (with "u" = 1) these identifiers would purport to be
   universally unique but would in fact be ambiguous.  This has no known
   harmful effect as long as the replicated MAC addresses and IIDs are
   used on different layer 2 links.  If they are used on the same link,
   of course there will be a problem, very likely interfering with link-
   layer transmission.  If not, the problem will be detected by
   duplicate address detection [RFC4862] [RFC6775], but such an error
   can usually only be resolved by human intervention.
/




Does that help?
> ------------------------------------------------------------------------


-- 
Regards,
RayH

v2.23.0 | Report a Bug | By Email