IETF Logo Mail Archive

Re: [v6ops] Deprecating failed prefixes in the host

Paolo <oselists@gmail.com> Thu, 02 February 2023 23:32 UTC

Return-Path: <oselists@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 347C8C14F74E for <v6ops@ietfa.amsl.com>; Thu, 2 Feb 2023 15:32:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.073
X-Spam-Level:
X-Spam-Status: No, score=-1.073 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egs2l750Ed1A for <v6ops@ietfa.amsl.com>; Thu, 2 Feb 2023 15:32:25 -0800 (PST)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 698E8C14F724 for <v6ops@ietf.org>; Thu, 2 Feb 2023 15:32:25 -0800 (PST)
Received: by mail-qt1-x82d.google.com with SMTP id f10so3880023qtv.1 for <v6ops@ietf.org>; Thu, 02 Feb 2023 15:32:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=zFshi9qlai3HwKXpG50Xo74XAEdgonZy57HkYg7ma4Y=; b=bIRtjRjQS7Gc7OfIVRH3w9pcP5Bt3CoFcikL2yjUgt7K784hpG5DpcsfBY4kSP28PE HvFPwfxdsPsDjZ5uiboT5meyWpGD7vqxUkPYwDchk+jt+RdEpn/BXe66Huqb3Yw6/gRf H3piuXRHLhdiHCB44QWSQIsSP2zpchrUYZBLBwdJNnNpzNxOTPQZCvXcWG+Z1TyDU3UE 3Y4YgBmgkKX91h0t48mbPcG4F7e+TgK1rmURP3hngF3SVVEVLzSAnCz5OshzCqq8TZ24 Ae7aknKlUY6qHPnKDgrO/hE1hjm5bfhfyYOUq1tJieO1rznd0C3Hg9uiVENqNVCjq8th Lvfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zFshi9qlai3HwKXpG50Xo74XAEdgonZy57HkYg7ma4Y=; b=Hi1SaFCMja/5FETBV9GIP/h1VQuLVVWzNPmx57qxNjF4fxWI9GQTm/1x0EKT/jts9F zAfG42auk/AbH1N1UB5kLpPEcGNBmNZS7nMUSQcn/8rVd8GIzMug0gMaLQb3SOnKDV6a tXsfNWsW8bC+abNktD0pp6rjb9yjiKKZ5CvnFA0UPsWWYbxOie0rxQcN6LAiGRmErerD N5Mya68T3/8mskIJGKRBIxBxdqjqsLFxctElzplrtgJsx04Z4wXdYU/s5QYYxJ5UM8q/ PzlNS/BZc1LXiMT7lEBUjI7T7CuDNFERWVsG2gAe5QZEGN8REwX2Fz+XHC9gZ5w39dME kLmw==
X-Gm-Message-State: AO0yUKUt9VOYVTmlCPUXPZ+Wll8058mfqXODHF+dBBsa+pac4Y+btxfk kcvzrcuY7rsh4Do6yEAnHshWHDmP7LKtAmROSkt+HmITStE=
X-Google-Smtp-Source: AK7set+iRg/JWipAErtFn0uZ1+HN8VCvAPTM3nLIq5CGk4teFkIq9louZRkul5fBlgOhJ9pvgrm00yiAetcj/ZipRv0=
X-Received: by 2002:a05:622a:1a10:b0:3b9:ed29:d2ad with SMTP id f16-20020a05622a1a1000b003b9ed29d2admr186019qtb.255.1675380744305; Thu, 02 Feb 2023 15:32:24 -0800 (PST)
MIME-Version: 1.0
References: <82a51e2a-80f2-fcd3-7c88-96aa5a46e9c0@gmail.com> <8170b634-b006-c0b6-ff08-037eafa5c8c6@gmail.com>
In-Reply-To: <8170b634-b006-c0b6-ff08-037eafa5c8c6@gmail.com>
From: Paolo <oselists@gmail.com>
Date: Fri, 03 Feb 2023 00:32:24 +0100
Message-ID: <CALNgcmOJcGjR2M6ySn-qoZTK9iJ2we75KsryWf2qW_AkKFLGbg@mail.gmail.com>
Cc: IPv6 Operations <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000020c14d05f3bffa78"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/93sqHpU4jmzTF2WxScWFJFYCj30>
Subject: Re: [v6ops] Deprecating failed prefixes in the host
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2023 23:32:29 -0000

Hi folks,

this is a great discussion. It strikes me that a provider blackout or
brownout might be somewhat related to "flash renumbering", a  flash
DEnumbering if you will. In this case could RFC 9096 be of any inspiration
for work in this area? And how about draft-ietf-6man-slaac-renum. Of
course, the router can only do so much to help, even with additional
precautions and best practices.

Re: "cross-prefix Happy Eyeballs", instinctively I'd be led to think that
if MPTCP didn't break the Internet, then such a mechanism wouldn't either,
and would be considerably less impactful due to, for example:

1. "Abandon Non-Winning Connections"
2. The relative rarity of both necessary conditions: multihoming and lack
of PI space. We are talking a specific segment of small-medium businesses
here, not large enterprises and not billions of households. And, I imagine,
it would certainly be worse for the Internet's health if those businesses
were all to apply for PI space and announce it twice (or thrice) without
any real requirement outside of simple redundancy.

Thanks,

Paolo

On Thu, Feb 2, 2023 at 5:14 AM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> Answering some of the comments made, the new version now at
> https://github.com/becarpenter/misc/blob/main/deprecator.py picks a
> random RIPE Atlas anchor probe as its ping target (unless the user supplies
> their own ping target). Thanks to the RIPE Atlas community for not shooting
> me down in flames.
>
> (An even better approach would be choose a new random ping target every
> hour or so, it's easy enough to code that too.)
>
> On my Windows host, I have noticed some odd behaviour of the source
> selection logic if a ULA is active. No such problem on Linux. For personal
> reasons I have no time to track that down right now.
>
> Again, there's no pretence that this is an operational solution; it's just
> a proof of half-baked concept.
>
> Regards
>     Brian
>
> On 24-Jan-23 15:20, Brian E Carpenter wrote:
> > Hi,
> >
> > We keeping falling over the same issue with multi-provider multi-homing:
> routing magic can keep traffic away from the link to/from a failing
> provider, but hosts don't know about this and keep sending traffic *from*
> addresses within the failing provider's prefix.
> >
> > As Eduard Vasilenko has pointed out, source address selection at the
> host is the root cause of this, and RFC6724 doesn't specify a way to change
> source address selection automatically. Also, we don't currently have a
> mechanism for rapidly withdrawing a failing prefix.
> >
> > To be clear, a typical user program acting as a client uses
> getaddrinfo() to choose a destination address, but does not use bind() to
> set a source address - instead it uses connect() and the system chooses a
> source address. So the need is to avoid choosing a source address that lies
> within the prefix of a failing provider.
> >
> > This message suggests a host-only mechanism to achieve this. If you want
> a name for it,
> > consider "unhappy eyeballs". I'm not claiming originality, because it
> seems obvious to me.
> >
> > The mechanism is brutal: have a program running continuously on the host
> that regularly tests the liveness of each assigned source address, e.g.,
> once a minute. The liveness test is simply a ping to some target address
> somewhere in the Internet, sourced from the address being tested (i.e., it
> *does* use bind()). If the ping fails several times in a row, deprecate the
> source address in question, i.e. set its preferred lifetime to zero.
> RFC6724 will then ignore it, so no new sessions will use it. Keep the
> deprecated address in the liveness test, and if it starts to work again,
> un-deprecate it (i.e. restore its lifetime).
> >
> > This is brutal because it does nothing for sessions that are already in
> progress when a source address fails. They will just time out. I'm sure
> that solutions such as TAPS is proposing will be much more elegant. It's
> also brutal because it doesn't know anything about prefixes, it just
> detects failing /128 addresses. (I don't know if there is a userland
> mechanism for deprecating a whole prefix.) But this works for legacy client
> code that simply uses connect().
> >
> > Sounds horrible? Yes. It's also very hard to test; I don't have a setup
> that allows a proper test. But simulating a ping failure isn't so hard.
> >
> > You can find a quick and nasty Python version for Windows 10 and Linux at
> > https://github.com/becarpenter/misc/blob/main/deprecator.py
> > This is experimental software that might disturb network access; if you
> run it, it is entirely at your own risk. It needs sudo or Administrator
> privilege.
> >
> > There's an associated and harmless test program at
> > https://github.com/becarpenter/misc/blob/main/deptest.py
> >
> > (By the way, there seems to be an unexpected interaction between the
> RFC6724 source-selection algorithm and the presence of a ULA on Windows 10:
> under investigation.)
> >
> > Regards
> >      Brian Carpenter
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email