Re: [v6ops] Interesting problems with using IPv6

Chuck Anderson <cra@WPI.EDU> Fri, 12 September 2014 23:13 UTC

Return-Path: <cra@WPI.EDU>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D19161A00A8 for <v6ops@ietfa.amsl.com>; Fri, 12 Sep 2014 16:13:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.354
X-Spam-Level:
X-Spam-Status: No, score=-5.354 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id POK8Tgj90GPf for <v6ops@ietfa.amsl.com>; Fri, 12 Sep 2014 16:13:03 -0700 (PDT)
Received: from MAIL1.WPI.EDU (MAIL1.WPI.EDU [130.215.36.91]) by ietfa.amsl.com (Postfix) with ESMTP id B6CE21A0099 for <v6ops@ietf.org>; Fri, 12 Sep 2014 16:13:01 -0700 (PDT)
Received: from MAIL1.WPI.EDU (MAIL1.WPI.EDU [130.215.36.91]) by MAIL1.WPI.EDU (8.14.9/8.14.9) with ESMTP id s8CNCw42015954; Fri, 12 Sep 2014 19:12:58 -0400
X-DKIM: Sendmail DKIM Filter v2.8.3 MAIL1.WPI.EDU s8CNCw42015954
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wpi.edu; s=_dkim; t=1410563578; bh=AmbYsB1leIb9QEhHrIljUsxihqzm5swykDbcpmUfI0k=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Transfer-Encoding:In-Reply-To; b=RcJZse6Oz+hGpQj9GkTxJMxc7WGx3jy1Oo/CIIjx+462N3BOgOTCjd/1MCQ/IRnFH rIDQ8xKLW9ZZt/yH8fKEorZsfx0JXLUph99B/kfHYnEu66E4M498+HItLdttZOg/O/ GZgamRwyQlpt0HddcUxuLxMGurRJC8Kmud5Es51M=
Received: from MX3.WPI.EDU (mx3.wpi.edu [130.215.36.147]) by MAIL1.WPI.EDU (8.14.9/8.14.9) with ESMTP id s8CNCwd2015951; Fri, 12 Sep 2014 19:12:58 -0400
Received: from angus.ind.WPI.EDU (ANGUS.IND.WPI.EDU [130.215.130.21]) by MX3.WPI.EDU (8.14.4/8.14.4) with ESMTP id s8CNCvtq014989; Fri, 12 Sep 2014 19:12:58 -0400 (envelope-from cra@WPI.EDU)
Received: from angus.ind.WPI.EDU (localhost [127.0.0.1]) by angus.ind.WPI.EDU (8.14.4/8.14.4) with ESMTP id s8CNCvUt029477; Fri, 12 Sep 2014 19:12:57 -0400
Received: (from cra@localhost) by angus.ind.WPI.EDU (8.14.4/8.14.4/Submit) id s8CNCt0C029476; Fri, 12 Sep 2014 19:12:55 -0400
X-Authentication-Warning: angus.ind.WPI.EDU: cra set sender to cra@WPI.EDU using -f
Date: Fri, 12 Sep 2014 19:12:55 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: Owen DeLong <owen@delong.com>
Message-ID: <20140912231254.GO31944@angus.ind.WPI.EDU>
References: <1410082125488.85722@surrey.ac.uk> <540CB702.3000605@gmail.com> <20140908183339.GB98785@ricotta.doit.wisc.edu> <540E26D9.3070907@gmail.com> <1410227735.13436.YahooMailNeo@web162204.mail.bf1.yahoo.com> <540ECB9E.9000102@foobar.org> <CAKD1Yr1_sCLHv=D3MeCe47Fa0dxXTXH5B+=wOKpvmEDFkJFiZw@mail.gmail.com> <75B6FA9F576969419E42BECB86CB1B89155AF364@xmb-rcd-x06.cisco.com> <20140909142226.GP15839@angus.ind.WPI.EDU> <101C89B1-019B-4E51-B869-FABC534E6D3D@delong.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <101C89B1-019B-4E51-B869-FABC534E6D3D@delong.com>
User-Agent: Mutt/1.5.20 (2009-12-10)
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Dka1WWIhOFbeUN_F5I6fyCwGLFw
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Interesting problems with using IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2014 23:13:06 -0000

On Fri, Sep 12, 2014 at 03:33:52PM -0700, Owen DeLong wrote:
> > It is not reasonable to expect a switch to scale to maintaining state
> > for 300 * (# of hosts connected) Solicited-Node multicast groups.
> 
> Nor does any rational use of SLAAC+Privacy addresses result in anything near that.

Actually deployed networks are encountering 300+ privacy addresses on
some machines.  Is that a bug or by design of the OS vendor?  I don't
know.

> > 15,000 MLD groups for 48 hosts on a 48 port switch is unreasonable.
> 
> 25*48 = 1,200, not 15,000. Even if we double that, it’s still 2,400 max.
> 
> A potential improvement could be if privacy addressing created a persistent random lower 24 bits and only rehashed the upper 40 bits of the suffix with each address rotation. In that way, you’d only have ~2 ND multicast groups per host.

Agreed.  Good idea.

> > 90,000 MLD groups for a 300 port switch stack is also unreasonable.
> > Most switches cannot handle that many IPv4 multicast groups--expecting
> > them to handle that many IPv6 multicast groups is unreasonable.
> 
> Again, this is not anything close to a real world scale for the situation. Using hyperbole derived numbers to make things sound bad enough that you can blame the protocol for a situation that is much more directly the result of bad network design is absurd.

It isn't hyperbole.  It has been observed multiple times by different
people:

http://blog.bimajority.org/2014/07/16/ipv6-privacy-addresses-windows-just-say-no/

"it was a Windows machine, [...] I saw that it was responsible for the
vast majority of those multicast memberships: 350 different multicast
groups in all, nearly all of which were “solicited node” groups for
different IPv6 “privacy” addresses"

http://blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/

"I used Ubuntu as an example, but it is hardly the worst offender. We
have seen Windows machines with more than 300 IPv6 addresses"

And a thorough description of the problem and possible solutions:

http://inconcepts.biz/~jsw/ipv6_nd_problems_with_l2_mcast.pdf

> > Having designed a ubiquitous protocol 16 years ago that can't be
> > implemented reasonably cheaply on current hardware is an operational
> > problem that can and should be dealt with by tweaking the protocol in
> > some cases.  I think the protocol change proposals put forward in the
> > article are a quite reasonable starting point for discussing how to
> > mitigate this issue and shouldn't be dismissed out of hand.
> 
> I think that the protocol can be implemented reasonably cheaply on current hardware if you don’t design your network so poorly that the fact it hasn’t collapsed in on itself in IPv4 is a minor miracle. Lots of people have very large IPv6 networks running just fine on a  pretty wide variety of commodity hardware at this point.

The only reasonable way to avoid this problem today via network
design, is to design you network to use DHCPv6 instead of SLAAC or
turn off privacy addressing on all hosts.  Unfortunately for less
managed networks (the exact use case that SLAAC is designed for--hands
off) it isn't feasible to go to every host and manually turn off
privacy addressing.  That means the only practical way to solve this
problem is to only ever use DHCPv6.  This is a somewhat surprising
result, perhaps unanticipated by those who worked on ND & MLD, and
probably not desireable for those who champion SLAAC.

> Smaller layer 2 zones would greatly improve his situation. Turning off privacy addressing would also help. (This is, as has been pointed out, under the control of the network operator as he can set the M bit, turn off the A bit, and give out DHCP addresses as an example.)

He doesn't have large Layer 2 zones.

> I suspect there are a number of other viable solutions.  OTOH, modifying ipv6 to support such an environment seems a fools errand to me.

Modifying ND is not without precedent.