Re: [v6ops] Éric Vyncke's No Objection on draft-ietf-v6ops-slaac-renum-04: (with COMMENT)
Fernando Gont <fgont@si6networks.com> Thu, 22 October 2020 16:47 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABBB3A0898; Thu, 22 Oct 2020 09:47:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Level:
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6n3mxPa-XPt; Thu, 22 Oct 2020 09:47:06 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01673A0874; Thu, 22 Oct 2020 09:47:05 -0700 (PDT)
Received: from [IPv6:2800:810:464:b9c:452e:36a3:27fd:8f9b] (unknown [IPv6:2800:810:464:b9c:452e:36a3:27fd:8f9b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 4EF43283A26; Thu, 22 Oct 2020 16:47:01 +0000 (UTC)
To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-v6ops-slaac-renum@ietf.org, v6ops-chairs@ietf.org, v6ops@ietf.org, Owen DeLong <owen@delong.com>, jiangsheng@huawei.com, mellon@fugue.com
References: <160336150623.22400.9696222623015648417@ietfa.amsl.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <86223251-2455-b57a-3ea7-cd1d4e27fee4@si6networks.com>
Date: Thu, 22 Oct 2020 13:43:09 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <160336150623.22400.9696222623015648417@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/AQ3rPowmTxluW-cs3pkuBdAvs7k>
Subject: Re: [v6ops] Éric Vyncke's No Objection on draft-ietf-v6ops-slaac-renum-04: (with COMMENT)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2020 16:47:10 -0000
Hello, Eric, Thanks so much for your comments! In-line.... On 22/10/20 07:11, Éric Vyncke via Datatracker wrote: [....] > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for the work put into this document. It is easy to read but errs > sometimes on the anecdotes side rather than on the facts side (except for > Jordi's survey). As discussed before, I personaly wonder whether it is a real > problem for the IETF: it is largely about CPE/node implementation issues and > not a protocol one (even if I agree that the RFC 4861 default timers were badly > chosen 20 years ago). As noted in the introduction, I believe this both an operational and a protocol related problem. One of the many reasons for which you may experience this is related to CPEs -- but that's not the only one. There are also operational scenarios that lead to the same problem. There's also a protocol robustness problem: the default timers in RFC4861 means that as soon as something happens out of plans, you have a long outage. The protocol itself should be more robust in that respect. > > Please find below a couple of non-blocking COMMENT points and one nit but > please also check: - Ted Lemon's IoT directorate review with his note about > sleeping devices and time-outs: > https://datatracker.ietf.org/doc/review-ietf-v6ops-slaac-renum-04-iotdir-telechat-lemon-2020-10-19/ > - Sheng Jiang's Internet directorate review: > https://datatracker.ietf.org/doc/review-ietf-v6ops-slaac-renum-04-intdir-telechat-jiang-2020-10-19/ FWIW, we're working on these. > == COMMENTS == > > -- Section 1 -- > "for an unacceptably long period of time, thus resulting in connectivity > problems." while the 'long period of time" is explained in the end of this > section, giving a hint would help the reader to appreciate the problem. I found > this introduction rather qualitative than quantitative. How about adding "(more than one week)"? > "it is not an unusual behavior" may be... but, documenting (OS versions, > specific use cases) would make this argument stronger. OpenBSD's implementation seems one case. See e.g.: https://marc.info/?l=openbsd-misc&m=160243530006001&w=2 [...] > "there has been evidence that some 802.1x supplicants do not reset network > settings after successful 802.1x authentication." this is a very outdated > behavior of Windows if not mistaken and fixed years ago. In all cases, > documenting (OS version, specific case) would make this argument stronger. Will try to find out. This had been reported by Jen. > "Lacking any explicit signaling to deprecate the previously-advertised > prefixes", as the explicit mechanism exists, I suggest to s/explicit/reliable/ What we meant here is that the signaling doesn't take place. So yes, we'd hope for reliable signaling of this condition. BUt there's no signaling at all. > "because of egress-filtering by the CPE or ISP" or is it ingress-filtering when > packets are sourced by an 'internal' host ? I guess it's in the eyes of the observer? :-) e.g., my CPE might filter on egress, and my ISP could filter on ingress from me. > "or routed elsewhere" I wonder how a packet could be routed elsewhere if the > source address is wrong. Policy-based routing ? Suggest to remove those words. What we meant was "... or the return traffic being discarded or routed elsewhere". > -- Section 2.1 -- > Jordi's survey (a good one) does not say how often and how planned are those > prefix changes? My own /48 is not 'stable per contract' but has been stable for > 7 years (as long as the BNG does not change it will stay the same as AAA & DHCP > are linked together at my ISP). So, the 37% is probably not meaning that 37% of > the CPE are changing of prefix everyday. No. But when the change happens, you may experience the problem. At least for me, whether that's once a day, once a week, or once a month, still means there's a problem. > Did the authors check with the German ISP? AFAIK, the default policy has > changed. FWIW, BFDI seems to me a government organization, rather than an ISP. > Suggest to change the reference from RFC 4941 to the -bis document that is in > the same IESG telechat (so will not cause delay in the publication of this > document). Wouldn't this actually be the other way around? If we reference a draft, some might want to the draft to be published as RFC before progressing this one.... > -- Section 2.3 -- > No reply required but I find the last part of this section quite smart. I would > not have thought about this corner case ;-) :-) > -- Section 2.5 -- > "Not unusually, the two protocols are implemented in two different", I am > afraid that this is again 'anecdote' and not 'facts'. Citing implementations > details would make this statement stronger. Example: Linux radvd(8) does not do DHCPv6-PD. OpenBSD rad() does not do DHCPv6-PD, either. In fact, the only one that I can think of that does both is dhcpcd. > -- Section 3 -- > To be honest, I was about to ballot a DISCUSS on this section as I think that > there could be other mitigation techniques. E.g., the ISP could advertise 2 > prefixes by DHCP-PD for a while (would need to re-read DHCPv6 to be sure) > allowing an easier roll-over of the prefixes (esp. when planned prefix change). > Or possibly remove completely this section as 3.1 obvious and it is not > exhaustive. IIRC, the procedure to do graceful renumbering in dhcpv6 is largely unspecified. That said, if RECONFIGURE is nto supported, then you need to wait for the clients to contact the server -- which is not a lot different than simply waiting for the prefixes to expire. Note: I'm not a fan myself of Section 3.1 as a mitigation. But rather this was a result of what some part of the wg sees as a way to avoid the problem. > > -- Section 3.2 -- > While I agree that the default timers are wrong and that the suggested values > are way better, this is a change in the CPE doing SLAAC and not in operator > settings (or did I badly understood 'operator' as 'network operator' in the > sense of ISP as opposed as residential user?). Here we're talking about any routers, and not necessarily just the CPE. > Is the same technique also > described in the SLAAC CPE document ? Yes. > > == NITS == > > -- Section 3.2 -- > The use of () in the first paragraph renders it difficult to parse. Consider > rewriting it. How about: An operator may wish to override some SLAAC default lifetimes such that, under normal circumstances, the associated timers will be refreshed/reset by local routers but, in the presence of network faults, the corresponding information will be phased out in a timelier manner. ? Thanks! Regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [v6ops] Éric Vyncke's No Objection on draft-ietf-… Éric Vyncke via Datatracker
- Re: [v6ops] Éric Vyncke's No Objection on draft-i… Fernando Gont