IETF Logo Mail Archive

Re: [v6ops] Stability and Resilience (was Re: A common...)

Owen DeLong <owen@delong.com> Fri, 22 February 2019 22:30 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F1FF130E83; Fri, 22 Feb 2019 14:30:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iigwid28rami; Fri, 22 Feb 2019 14:30:41 -0800 (PST)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id AACE4130E7F; Fri, 22 Feb 2019 14:30:38 -0800 (PST)
Received: from kiev.delong.com (kiev.delong.com [192.159.10.5]) (authenticated bits=0) by owen.delong.com (8.15.2/8.15.2) with ESMTPSA id x1MMUZPs026308 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Feb 2019 14:30:35 -0800
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com x1MMUZPs026308
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1550874636; bh=OUu3Z+N43ySD0QAjtaBcpXO4WeAMMniNI8LAOEb4E98=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=2Ao7zzyNvxNu8Br5qABBYUSbHIbN11jJn1vtgAkKzlp+5fYSNQd9FixPhEcGZPJXl 5YHSPoyAdUwWzOSlAv2pIJ0dODFHqGOaXpfaBjArpJRjC7SR+ks3YyuwZCvOJSu4tM AfdTsRJ1n2meAl3xdHaMrGK6LertbZjZpGYdP8a0=
From: Owen DeLong <owen@delong.com>
Message-Id: <40957060-9A71-4D1D-BF2D-46305D60EE6F@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B5FF9A25-0191-4787-8E47-F85784368B2D"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 22 Feb 2019 14:30:35 -0800
In-Reply-To: <763ED571-AC76-419A-A0B6-43F9AC763F53@jisc.ac.uk>
Cc: Lee Howard <lee@asgard.org>, IPv6 Ops WG <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
To: Tim Chown <Tim.Chown@jisc.ac.uk>
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <B6E2EC33-EEAF-40D0-AFCC-BDAFA9134ACD@consulintel.es> <20190220113603.GK71606@Space.Net> <28fbc2c305c640c9afb3704050f6e8d7@boeing.com> <20190220213107.GS71606@Space.Net> <019c552eb1624d348641d6930829fd1f@boeing.com> <CAKD1Yr0HBG+rhyFWg9zh0t3mW486Mjx9umjn+CRqAZg4z9r0dg@mail.gmail.com> <20190221073530.GT71606@Space.Net> <CAO42Z2wmB2W52b4MZ2h9sW5E9cQKm-HRjyf--q8C26jezS7LXQ@mail.gmail.com> <a73818d31db7422b99a524bc431b00ed@boeing.com> <CAO42Z2z9-48Gbb_Exf+oWUqDO=axSLpZBtqeDcxkAoFq5OziGw@mail.gmail.com> <0629af5e-5e1b-7e01-5bf4-b288a2d36809@asgard.org> <DD0A06B0-C704-451C-AA43-CAF420F24B4D@delong.com> <763ED571-AC76-419A-A0B6-43F9AC763F53@jisc.ac.uk>
X-Mailer: Apple Mail (2.3445.9.1)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (owen.delong.com [192.159.10.2]); Fri, 22 Feb 2019 14:30:36 -0800 (PST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/S3FpD0b3a4goe56KvGzTCO0FwkY>
Subject: Re: [v6ops] Stability and Resilience (was Re: A common...)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 22:30:44 -0000


> On Feb 22, 2019, at 09:30 , Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> 
> Hi,
> 
>> On 22 Feb 2019, at 17:04, Owen DeLong <owen@delong.com <mailto:owen@delong.com>> wrote:
>>> Networks should, as much as possible, be resilient to prefix changes. Some things networks can do to improve resilience:
>>> 
>>> Write a learned prefix to non-volatile memory and issue a DHCPv6 Renew for that prefix on reboot.
>>> 
>>> 
>>> Use dynamic DNS and shorter TTLs.
>>> 
>>> 
>>> Implement something like NETCONF to distribute prefix information to policy devices like firewalls or SD-WAN controllers. I think a separate document describing this application of NETCONF would make sense.
>> 
>> If the prefix is written to nv men, wouldn’t it also be possible for implementers to send rapid deprecation RAs for any prefix not renewed?
>> 
>> In other words, after reboot, try to reacquire same prefix. If that doesn’t work, when you advertise the new prefix, you could also include the old prefix with a very short preferred and valid lifetime (e.g. 1 second) in the first RA, which should be sent to the all nodes on link multicast?
>> 
>> It doesn’t eliminate the problem, but 1 second additional duration would be barley noticeable amid the minute or so it takes most home gateways to reboot. 
> 
> That's similar in spirit to RAmond, which we used to use when seeing rogue RAs on our campus network.  It would auto-deprecate any prefixes that shouldn't be there. (http://ramond.sourceforge.net/ <http://ramond.sourceforge.net/>)
> 
> The snag is that I suspect most OSes would ignore a valid timer of 1 second, given the 7200 second (2 hour) minimum defined in RFC 4862 (unless the RA is authenticated, somehow).  The preferred timer can be zero.  When RAmond was written, if we used a valid timer less than 7200 seconds it seemed that the deprecating RAs were ignored.  That was 10+ years ago though.  Perhaps Tim Winters has data on whether that rule is implemented today in practice; I'd assume the tests he runs might include that.  
> 
> But I like Lee's analysis.
> 
> Tim

Actually, a preferred:0 valid:7200 probably would do the trick as well. It won’t salvage the sessions on the old address since they don’t route any more, but at least it will allow new sessions to use a valid address.

Owen

v2.23.0 | Report a Bug | By Email