Re: [v6ops] MAC table shortage in IPv6 networks caused by multiple IPv6 prefixes/addresses//FW: New Version Notification for draft-liu-v6ops-running-multiple-prefixes-01.txt
Andrew Yourtchenko <ayourtch@cisco.com> Thu, 10 July 2014 10:54 UTC
Return-Path: <ayourtch@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 430C81B287B for <v6ops@ietfa.amsl.com>; Thu, 10 Jul 2014 03:54:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Level:
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DD5JKwkCmRik for <v6ops@ietfa.amsl.com>; Thu, 10 Jul 2014 03:54:42 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B37F91B287A for <v6ops@ietf.org>; Thu, 10 Jul 2014 03:54:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5553; q=dns/txt; s=iport; t=1404989694; x=1406199294; h=date:from:to:cc:subject:in-reply-to:message-id: references:mime-version; bh=4mc5tRXkNJ9jhQr2xl1se6glOt0go9Qrmq3lrQVrtpw=; b=SFyHapPIeaC01jIYkHGzJntETQjpCcVpXwoVPqP5/K+UHYcRfmx/hOOB qCMLQUMB//yn6kNspWcKUZJqkuVHOSeOfd5qP+2zXREuqKucAUWip+WL8 aKQTXIik6GW/wtg5pza3tOkI6Lkysj5zQ08be9Uqq1+QkdpCnUdsqlZYj c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AroHACFwvlOtJV2b/2dsb2JhbABZgw5SWqt4AQEBAQEBBQFukjyGbVMBgQoWdYQDAQEBAwEnQQ8CBQsLEygLTgkGDog/CA3HcheFeoh5AQFPB4RDAQScSJJNggGBRGqBCzk
X-IronPort-AV: E=Sophos;i="5.01,637,1400025600"; d="scan'208";a="59727020"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-7.cisco.com with ESMTP; 10 Jul 2014 10:54:51 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s6AAsekL005570 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 10 Jul 2014 10:54:40 GMT
Received: from ams-ayourtch-8813.cisco.com (10.55.47.212) by xhc-aln-x11.cisco.com (173.36.12.85) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 10 Jul 2014 05:54:39 -0500
Date: Thu, 10 Jul 2014 12:54:20 +0200
From: Andrew Yourtchenko <ayourtch@cisco.com>
X-X-Sender: ayourtch@ayourtch-mac
To: "Liubing (Leo)" <leo.liubing@huawei.com>
In-Reply-To: <8AE0F17B87264D4CAC7DE0AA6C406F453D8F291C@nkgeml506-mbx.china.huawei.com>
Message-ID: <alpine.OSX.2.00.1407101220310.93503@ayourtch-mac>
References: <8AE0F17B87264D4CAC7DE0AA6C406F453D8EEA21@nkgeml506-mbx.china.huawei.com> <8AE0F17B87264D4CAC7DE0AA6C406F453D8F1C32@nkgeml506-mbx.china.huawei.com> <alpine.DEB.2.02.1407091226000.7929@uplift.swm.pp.se> <CFE32281.2067C%evyncke@cisco.com> <alpine.DEB.2.02.1407091710020.7929@uplift.swm.pp.se> <alpine.OSX.2.00.1407091840270.99248@ayourtch-mac> <8AE0F17B87264D4CAC7DE0AA6C406F453D8F291C@nkgeml506-mbx.china.huawei.com>
User-Agent: Alpine 2.00 (OSX 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1684318330-1404989682=:93503"
X-Originating-IP: [10.55.47.212]
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Fn8YWjpsPD9l_Eth9Z_xD7FehwM
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] MAC table shortage in IPv6 networks caused by multiple IPv6 prefixes/addresses//FW: New Version Notification for draft-liu-v6ops-running-multiple-prefixes-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jul 2014 10:54:45 -0000
Hi Leo, On Thu, 10 Jul 2014, Liubing (Leo) wrote: > Hi Andrew, > >> I'll take the numbers below from the maximums of the graphs, so it is not >> scientific at all but gives the ballpark: >> >> IPv4: 9.46k -> 9.35k >> IPv6: (16.60k global + 7.73k link-local ) -> (6.76k global + 7.55k link-local) >> >> So, yeah there is a ~1.7x bloat in the neighbor table due to privacy addresses, >> but that does not look too dramatic, does it ? > [Bing] Would you like to share more details of the network? E.g. it is a dual-stack or something else. It's dualstack, the vast majority of the clients are on a single wireless segment (the total number of wired devices is ~300-400, so I treat them as noise. The wireless clients are addressed with SLAAC, and are outside of my control (conference attendees). The segment has no officially designated servers. The configuration from the first hop router is below: interface Vlan4 description !!! WIRELESS CLIENTS !!! CiscoLive2014 !!! .. IPv4 configuration omitted .. ipv6 address FE80::1 link-local ipv6 address 2001:4D38:A:400::1/64 ipv6 nd reachable-time 1800000 ipv6 nd prefix default 86400 9000 off-link no-autoconfig ipv6 nd prefix 2001:4D38:A:400::/64 604800 86400 off-link ipv6 nd prefix 2001:4D38:A:6800::/64 604800 0 off-link ipv6 nd router-preference High ipv6 nd ra lifetime 9000 no ipv6 redirects no ipv6 unreachables ipv6 verify unicast source reachable-via rx ipv6 route 2001:4D38:A:400::/64 vlan4 Note a few bits that are specific for the conference setup, and some are specific to the topology: 1) maximally high lifetimes (RAs are throttled on their way to the clients down to 1 RA in 10 minutes). 2) clearing on-link bit: results in clients never trying to resolve the other clients' addresses => less memory usage on the portable devices, smaller ND caches there. 3) default no-autoconfig: to force the necessity to add the prefixes manually, to force the operator to always have the "ipv6 nd prefix ..." with the correct config. 4) two prefixes, one with zero preferred lifetime: there was a second VLAN for disaster recovery purposes, where the clients would have ended up if there was a catastrophic failure no the main pair of the wireless controllers. That VLAN had a mirrored configuration. Experimentally, I've found such a configuration to cause a rapid deprecation of the "wrong" prefix on a iOS and OSX, resulting in minimal disruption to them in case of switchover. 5) interface route for the prefix, to send the traffic to it (configuring the prefix "off-link" had removed the directly connected route). > It is quite often that a host would have at least 3 IPv6 addresses: a >link-local, a global and a privacy address. If ULAs are enabled, >DHCPv6/SLAAC co-existing, there might be more IPv6 addresses. Right. I was well within the constraints for the first hop, so opted to not have DHCPv6. If I wanted a tighter control, I'd have turned off SLAAC and used stateful DHCPv6. Maybe I'll experiment with it this year. > So I was just guessing, maybe the 1.7x only represent that part of the nodes is enabling IPv6? The %% of the nodes running IPv6 was about 80-85% (http://2014.ciscolive-ipv6.com/munin/ipv6noc/ipv6noc/neighbors_dualstack_percentage.html - the dips are the the night times, a lot of internal apps were IPv4 so the neighbor entries went away) I calculated this %% by taking the "show arp" and "show ipv6 neigh" outputs and correlating the hosts by mac address. As I said Apple devices (they are the most aggressive today wrt the privacy addresses) are ~50% of the network, so maybe in another setup the figures would be different. Do you have some numbers you could share ? > Plus, an IPv6-MAC binding would cost more cache space than an IPv4-MAC binding (2-4 times due to implementation). > >> I re-read the original mail starting this thread and the problem description >> there to me boils down to two issues: >> >> 1) one IP node has more IP addresses in version 6 than in version 4. >> 2) an IP address takes more lookup space in version 6 than in version 4. >> >> Do I grok it right ? > [Bing] Basically yes. This is one of the problems cause by multiple > IPv6 addresses in draft-liu-v6ops-running-multiple-prefixes. Ok, then I think that's a tricky one - we can not decrease the number of bits in IPv6 address, nor get the end hosts to go back to ARP for address resolution :-) Also, if iOS 8.0 indeed changes the MAC address upon the wireless connection, the problem is just about to get much worse and not IPv6-specific ;-) So, I think there are several means to combat the lookup space churn: 1) IPv6-only networks. We can't do that today and IPv4 is relatively not *so* much but it's something. 2) Table maintenance/cleanup mechanisms. These appear to work today reasonably. 3) provisioning hardware according to anticipated scale - and either using larger router boxes, or splitting large L3 domains into several smaller segments, like Mikael mentioned. 4) using DHCPv6-only allocation of addresses, with one address per host assignment. Do you think there is something more that is needed besides the above approaches to steer the addresses on the host ? --a
- [v6ops] Multiple IPv6 prefixes issues-//FW: New V… Liubing (Leo)
- [v6ops] MAC table shortage in IPv6 networks cause… Liubing (Leo)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Gert Doering
- Re: [v6ops] MAC table shortage in IPv6 networks c… joel jaeggli
- Re: [v6ops] MAC table shortage in IPv6 networks c… Mikael Abrahamsson
- Re: [v6ops] MAC table shortage in IPv6 networks c… Gert Doering
- Re: [v6ops] MAC table shortage in IPv6 networks c… Randy Bush
- Re: [v6ops] MAC table shortage in IPv6 networks c… Dale W. Carder
- Re: [v6ops] MAC table shortage in IPv6 networks c… Eric Vyncke (evyncke)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Mikael Abrahamsson
- Re: [v6ops] MAC table shortage in IPv6 networks c… Richard Hartmann
- Re: [v6ops] MAC table shortage in IPv6 networks c… Mikael Abrahamsson
- Re: [v6ops] MAC table shortage in IPv6 networks c… Andrew Yourtchenko
- Re: [v6ops] MAC table shortage in IPv6 networks c… Mikael Abrahamsson
- Re: [v6ops] MAC table shortage in IPv6 networks c… Brian E Carpenter
- Re: [v6ops] MAC table shortage in IPv6 networks c… George Michaelson
- Re: [v6ops] MAC table shortage in IPv6 networks c… Randy Bush
- Re: [v6ops] MAC table shortage in IPv6 networks c… Brian E Carpenter
- Re: [v6ops] MAC table shortage in IPv6 networks c… Randy Bush
- Re: [v6ops] MAC table shortage in IPv6 networks c… Liubing (Leo)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Liubing (Leo)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Andrew Yourtchenko
- Re: [v6ops] MAC table shortage in IPv6 networks c… Liubing (Leo)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Andrew Yourtchenko
- Re: [v6ops] MAC table shortage in IPv6 networks c… Liubing (Leo)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Eric Vyncke (evyncke)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Jared Mauch
- Re: [v6ops] MAC table shortage in IPv6 networks c… Andrew Yourtchenko
- Re: [v6ops] MAC table shortage in IPv6 networks c… Andrew Yourtchenko
- Re: [v6ops] MAC table shortage in IPv6 networks c… Liubing (Leo)
- Re: [v6ops] MAC table shortage in IPv6 networks c… Liubing (Leo)