Re: [v6ops] Interesting problems with using IPv6

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 13 September 2014 02:59 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21CBF1A02E2 for <v6ops@ietfa.amsl.com>; Fri, 12 Sep 2014 19:59:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_57=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72kEUfxs9WBJ for <v6ops@ietfa.amsl.com>; Fri, 12 Sep 2014 19:59:42 -0700 (PDT)
Received: from mail-pd0-x22d.google.com (mail-pd0-x22d.google.com [IPv6:2607:f8b0:400e:c02::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92A771A02D8 for <v6ops@ietf.org>; Fri, 12 Sep 2014 19:59:42 -0700 (PDT)
Received: by mail-pd0-f173.google.com with SMTP id ft15so2442469pdb.18 for <v6ops@ietf.org>; Fri, 12 Sep 2014 19:59:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=ItxupuhRbXgFyBvoS+GsKAxSxPcyP1biBDCSS+JD+U8=; b=rnV0MgWSpw7bXWrNsMLOb8/qYtehUYQvWbvil+tnCTFx7f/5Yd2lM42J1+9eVtx7+0 FK7pYoCObAzznXu+lLE/CDys3PorekHElZLtKiNasCw0KyyOs3/86Hg1ssZgEFmcr64m ymIj/1GNkpVVOrIBhrYT+QEla5VuxIGmfDw5k5apayu2L13/mVsYbQ2NVXuQFaKAlN2Q XrUivJ3eG74HNrr68Ij9urGyR/SaJerUU0A03dXdOg/O1MvbpCfgwq5q7L5MQYeD9zgz 7sZHba/7wbtLngIR0X84pF0oUnLJ3byhDzsTuijtXxBPJ+0ktmEPas2Wmiwt8wkULhj4 KzTw==
X-Received: by 10.69.31.170 with SMTP id kn10mr17977350pbd.100.1410577182263; Fri, 12 Sep 2014 19:59:42 -0700 (PDT)
Received: from [192.168.178.23] (89.198.69.111.dynamic.snap.net.nz. [111.69.198.89]) by mx.google.com with ESMTPSA id w11sm5071634pbt.84.2014.09.12.19.59.39 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 12 Sep 2014 19:59:41 -0700 (PDT)
Message-ID: <5413B329.2010804@gmail.com>
Date: Sat, 13 Sep 2014 14:59:53 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Chuck Anderson <cra@WPI.EDU>
References: <1410082125488.85722@surrey.ac.uk> <540CB702.3000605@gmail.com> <20140908183339.GB98785@ricotta.doit.wisc.edu> <540E26D9.3070907@gmail.com> <1410227735.13436.YahooMailNeo@web162204.mail.bf1.yahoo.com> <540ECB9E.9000102@foobar.org> <CAKD1Yr1_sCLHv=D3MeCe47Fa0dxXTXH5B+=wOKpvmEDFkJFiZw@mail.gmail.com> <75B6FA9F576969419E42BECB86CB1B89155AF364@xmb-rcd-x06.cisco.com> <20140909142226.GP15839@angus.ind.WPI.EDU> <101C89B1-019B-4E51-B869-FABC534E6D3D@delong.com> <20140912231254.GO31944@angus.ind.WPI.EDU>
In-Reply-To: <20140912231254.GO31944@angus.ind.WPI.EDU>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/OQa9GGYuEK7SEv7qc2saGKJhn5s
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Interesting problems with using IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Sep 2014 02:59:44 -0000

Excuse front posting, but telling somebody "your network breaks
our specs" just invites the response "your specs broke my
network." I think the obvious next step in this matter is to
write down operational and implementation guidance to prevent
this sort of problem occurring. That seems to be part of v6ops'
job. (Sorry, I'm not volunteering.)

Regards
   Brian

On 13/09/2014 11:12, Chuck Anderson wrote:
> On Fri, Sep 12, 2014 at 03:33:52PM -0700, Owen DeLong wrote:
>>> It is not reasonable to expect a switch to scale to maintaining state
>>> for 300 * (# of hosts connected) Solicited-Node multicast groups.
>> Nor does any rational use of SLAAC+Privacy addresses result in anything near that.
> 
> Actually deployed networks are encountering 300+ privacy addresses on
> some machines.  Is that a bug or by design of the OS vendor?  I don't
> know.
> 
>>> 15,000 MLD groups for 48 hosts on a 48 port switch is unreasonable.
>> 25*48 = 1,200, not 15,000. Even if we double that, it’s still 2,400 max.
>>
>> A potential improvement could be if privacy addressing created a persistent random lower 24 bits and only rehashed the upper 40 bits of the suffix with each address rotation. In that way, you’d only have ~2 ND multicast groups per host.
> 
> Agreed.  Good idea.
> 
>>> 90,000 MLD groups for a 300 port switch stack is also unreasonable.
>>> Most switches cannot handle that many IPv4 multicast groups--expecting
>>> them to handle that many IPv6 multicast groups is unreasonable.
>> Again, this is not anything close to a real world scale for the situation. Using hyperbole derived numbers to make things sound bad enough that you can blame the protocol for a situation that is much more directly the result of bad network design is absurd.
> 
> It isn't hyperbole.  It has been observed multiple times by different
> people:
> 
> http://blog.bimajority.org/2014/07/16/ipv6-privacy-addresses-windows-just-say-no/
> 
> "it was a Windows machine, [...] I saw that it was responsible for the
> vast majority of those multicast memberships: 350 different multicast
> groups in all, nearly all of which were “solicited node” groups for
> different IPv6 “privacy” addresses"
> 
> http://blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/
> 
> "I used Ubuntu as an example, but it is hardly the worst offender. We
> have seen Windows machines with more than 300 IPv6 addresses"
> 
> And a thorough description of the problem and possible solutions:
> 
> http://inconcepts.biz/~jsw/ipv6_nd_problems_with_l2_mcast.pdf
> 
>>> Having designed a ubiquitous protocol 16 years ago that can't be
>>> implemented reasonably cheaply on current hardware is an operational
>>> problem that can and should be dealt with by tweaking the protocol in
>>> some cases.  I think the protocol change proposals put forward in the
>>> article are a quite reasonable starting point for discussing how to
>>> mitigate this issue and shouldn't be dismissed out of hand.
>> I think that the protocol can be implemented reasonably cheaply on current hardware if you don’t design your network so poorly that the fact it hasn’t collapsed in on itself in IPv4 is a minor miracle. Lots of people have very large IPv6 networks running just fine on a  pretty wide variety of commodity hardware at this point.
> 
> The only reasonable way to avoid this problem today via network
> design, is to design you network to use DHCPv6 instead of SLAAC or
> turn off privacy addressing on all hosts.  Unfortunately for less
> managed networks (the exact use case that SLAAC is designed for--hands
> off) it isn't feasible to go to every host and manually turn off
> privacy addressing.  That means the only practical way to solve this
> problem is to only ever use DHCPv6.  This is a somewhat surprising
> result, perhaps unanticipated by those who worked on ND & MLD, and
> probably not desireable for those who champion SLAAC.
> 
>> Smaller layer 2 zones would greatly improve his situation. Turning off privacy addressing would also help. (This is, as has been pointed out, under the control of the network operator as he can set the M bit, turn off the A bit, and give out DHCP addresses as an example.)
> 
> He doesn't have large Layer 2 zones.
> 
>> I suspect there are a number of other viable solutions.  OTOH, modifying ipv6 to support such an environment seems a fools errand to me.
> 
> Modifying ND is not without precedent.
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops