IETF Logo Mail Archive

Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios

Richard Patterson <richard@helix.net.nz> Mon, 25 February 2019 10:33 UTC

Return-Path: <richard@helix.net.nz>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDFF6130E84 for <v6ops@ietfa.amsl.com>; Mon, 25 Feb 2019 02:33:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=helix-net-nz.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Lmidbm54W59 for <v6ops@ietfa.amsl.com>; Mon, 25 Feb 2019 02:33:09 -0800 (PST)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43290130E58 for <v6ops@ietf.org>; Mon, 25 Feb 2019 02:33:08 -0800 (PST)
Received: by mail-yb1-xb31.google.com with SMTP id s5so3557449ybp.6 for <v6ops@ietf.org>; Mon, 25 Feb 2019 02:33:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=helix-net-nz.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=m+0nhSQ35CrTfoDF687FvYXc+XpfwSIXuysOp9LG4H4=; b=oqlSldaSYucxWJR2j7sqkKLD9SQxChR9Xja1Mde3WE/+6jA7f9RRudTWEbkZVaxCNY 4PlgzDHzqI8SwP1dni8hSFze64FXgbFmpKVWWoczw5g8DNIHTvxLC+WmopZN/w80bHw8 uIgu2/flyVHG54ylJSB7WEbTbyNiQSWr53BELKunQLEkC/wxjHLogguD9lV4NC4BE5OO DZ+tAOUnmeNjk2xDmF8FUpYG4P16HdEpH1R7r0DLE2JpLBQsx09Zki+GOKmC+pJ2qY5W oXL82e/x5BCUEx8rsCghveSpmz8NBYCsayNfjWkMLZ9FPMaKdxoGbYILyi44gD+9bw3V lKEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=m+0nhSQ35CrTfoDF687FvYXc+XpfwSIXuysOp9LG4H4=; b=nRCbqVYDPZxND+jLkeG+VLb3kr87AXD+qC+wqPVlpk+iv0Os+/d92cOHhIQQN1cUS0 Pj0r0oepf0BBmS03SriLWz9E9SvS4H7gwJCa21VA3Y2O3vz54r/OtGR4ACjh3PnWc968 Gg2miSqXZL//RXZAW6qRGtoalIFs2jlk0Ky71YH92MVJeQ667IjfgofBUE3u8Ok/hYD+ Sy7qj6svKvFjui0CcifqAI7An+URc8YFvg/QXDbRfcDnim/Zk7K+OKhFGQPjWqw5U727 4mpoaKuR/Wg/FRVpowoA05IRj7imsCNjSzD9/Coe7HDATETGT3Qq6QqOFmeFpRjVb3Px W1jg==
X-Gm-Message-State: AHQUAuZXZTQ+8mzocrcVmSw/LISKulTJJlJZ76lBGSgh8D1YlOOmA+ik WhdWULpvhKFiL1zEG5MtffMAvx6HFCQ=
X-Google-Smtp-Source: AHgI3IZJXo3tnuqw0HceFxT0GQkcQudbvwafNLZXVOO1TxSO8rmyLCuraQMLZl2xqfVeWLZhKa319A==
X-Received: by 2002:a25:9110:: with SMTP id v16mr13107108ybl.490.1551090787850; Mon, 25 Feb 2019 02:33:07 -0800 (PST)
Received: from mail-yw1-f43.google.com (mail-yw1-f43.google.com. [209.85.161.43]) by smtp.gmail.com with ESMTPSA id z201sm3402868ywd.23.2019.02.25.02.33.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Feb 2019 02:33:06 -0800 (PST)
Received: by mail-yw1-f43.google.com with SMTP id o184so3446945ywo.5; Mon, 25 Feb 2019 02:33:06 -0800 (PST)
X-Received: by 2002:a81:360e:: with SMTP id d14mr13220168ywa.489.1551090786602; Mon, 25 Feb 2019 02:33:06 -0800 (PST)
MIME-Version: 1.0
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <20190221073530.GT71606@Space.Net> <CAO42Z2wmB2W52b4MZ2h9sW5E9cQKm-HRjyf--q8C26jezS7LXQ@mail.gmail.com> <a73818d31db7422b99a524bc431b00ed@boeing.com> <CAO42Z2z9-48Gbb_Exf+oWUqDO=axSLpZBtqeDcxkAoFq5OziGw@mail.gmail.com> <CALx6S3624hnGauG1HaSWPMvQw0t2Q5R3gb8W4R8w3kuK7dcrWQ@mail.gmail.com> <1F07F2BB-2F37-4D12-9731-7892DF4E3D88@consulintel.es> <0a582916-af14-bd82-a4cd-002a36f8830b@huitema.net> <67515a73-26a5-3ed0-da88-1a4ce64550d3@foobar.org> <360afa02-cf23-375c-4876-780d3c2aa5ac@gont.com.ar>
In-Reply-To: <360afa02-cf23-375c-4876-780d3c2aa5ac@gont.com.ar>
From: Richard Patterson <richard@helix.net.nz>
Date: Mon, 25 Feb 2019 10:32:54 +0000
X-Gmail-Original-Message-ID: <CAHL_VyD34V=TRcsCp0DOO9HJNHyy5xkiMQ_cZoBa7zTE4fe5OA@mail.gmail.com>
Message-ID: <CAHL_VyD34V=TRcsCp0DOO9HJNHyy5xkiMQ_cZoBa7zTE4fe5OA@mail.gmail.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: IPv6 Operations <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ApIAr9PuAEcaolnswwtfI1jaGBw>
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 10:33:12 -0000

On Sat, 23 Feb 2019 at 05:22, Fernando Gont <fernando@gont.com.ar> wrote:

> * As per RFC4862, it turns out that you cannot remove a stale prefix vy
> sending an RA wiht a "Prefix Lifetime" of 0. SO, with current standards,
> not even the CPEs can (even if they wanted to) do something to fix the
> problem.


The Valid Lifetime cannot be zeroed or shortened below 2 hours, but
the Preferred Lifetime can.  So we can't invalidate the prefix, but we
can deprecate it so it's not used for new outbound sessions.   This is
what we've implemented in our CPEs, after an unavoidable change in
prefix, and it seems to have mitigated (or reduced the impact of) the
issue.

RFC4862 §5.5.3

e)  If the advertised prefix is equal to the prefix of an address
      configured by stateless autoconfiguration in the list, the
      preferred lifetime of the address is reset to the Preferred
      Lifetime in the received advertisement.

....

      Note that the preferred lifetime of the corresponding address is
      always reset to the Preferred Lifetime in the received Prefix
      Information option, regardless of whether the valid lifetime is
      also reset or ignored.  The difference comes from the fact that
      the possible attack for the preferred lifetime is relatively
      minor.  Additionally, it is even undesirable to ignore the
      preferred lifetime when a valid administrator wants to deprecate a
      particular address by sending a short preferred lifetime (and the
      valid lifetime is ignored by accident).

v2.23.0 | Report a Bug | By Email