Re: [v6ops] Interesting problems with using IPv6

Owen DeLong <owen@delong.com> Sat, 13 September 2014 03:19 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C02091A01AF for <v6ops@ietfa.amsl.com>; Fri, 12 Sep 2014 20:19:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.053
X-Spam-Level:
X-Spam-Status: No, score=-3.053 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_57=0.6, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbFB3vxLL67S for <v6ops@ietfa.amsl.com>; Fri, 12 Sep 2014 20:19:26 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 479BE1A0188 for <v6ops@ietf.org>; Fri, 12 Sep 2014 20:19:26 -0700 (PDT)
Received: from [10.5.16.184] ([209.63.144.18]) (authenticated bits=0) by owen.delong.com (8.14.2/8.14.2) with ESMTP id s8D3IMJp000597 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 12 Sep 2014 20:18:33 -0700
X-DKIM: Sendmail DKIM Filter v2.8.3 owen.delong.com s8D3IMJp000597
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=delong.com; s=mail; t=1410578313; bh=XTVdLPqOtlPOQMCWgnFcZhC66jE=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=3CPXq+mERWFEd2e+XVd8I64007MHLcw8HiHkqROd6fDICNZ1ZLSEkhjepmZ/NyLeh PMxpnAqSA15bZ/fi/cscIif1XJjQZ8QHNh1Btnc/HK0LU+20RxbjCXk6H0LZlY1xCl OLX7/IRIaydX4Kh0ZNv8GshZ1A0Yx1ICETWNTcOw=
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20140912231254.GO31944@angus.ind.WPI.EDU>
Date: Fri, 12 Sep 2014 20:17:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <D357896A-09DC-43D4-BB21-A7F07672BF6B@delong.com>
References: <1410082125488.85722@surrey.ac.uk> <540CB702.3000605@gmail.com> <20140908183339.GB98785@ricotta.doit.wisc.edu> <540E26D9.3070907@gmail.com> <1410227735.13436.YahooMailNeo@web162204.mail.bf1.yahoo.com> <540ECB9E.9000102@foobar.org> <CAKD1Yr1_sCLHv=D3MeCe47Fa0dxXTXH5B+=wOKpvmEDFkJFiZw@mail.gmail.com> <75B6FA9F576969419E42BECB86CB1B89155AF364@xmb-rcd-x06.cisco.com> <20140909142226.GP15839@angus.ind.WPI.EDU> <101C89B1-019B-4E51-B869-FABC534E6D3D@delong.com> <20140912231254.GO31944@angus.ind.WPI.EDU>
To: Chuck Anderson <cra@WPI.EDU>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/X2kvHfXVXw1ekQE63ld3cgrOpA8
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Interesting problems with using IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Sep 2014 03:19:29 -0000

On Sep 12, 2014, at 4:12 PM, Chuck Anderson <cra@WPI.EDU> wrote:

> On Fri, Sep 12, 2014 at 03:33:52PM -0700, Owen DeLong wrote:
>>> It is not reasonable to expect a switch to scale to maintaining state
>>> for 300 * (# of hosts connected) Solicited-Node multicast groups.
>> 
>> Nor does any rational use of SLAAC+Privacy addresses result in anything near that.
> 
> Actually deployed networks are encountering 300+ privacy addresses on
> some machines.  Is that a bug or by design of the OS vendor?  I don't
> know.

It’s definitely a bug. I’ve never seen that many, so I’d love to know the specifics where this has occurred.

>>> 15,000 MLD groups for 48 hosts on a 48 port switch is unreasonable.
>> 
>> 25*48 = 1,200, not 15,000. Even if we double that, it’s still 2,400 max.
>> 
>> A potential improvement could be if privacy addressing created a persistent random lower 24 bits and only rehashed the upper 40 bits of the suffix with each address rotation. In that way, you’d only have ~2 ND multicast groups per host.
> 
> Agreed.  Good idea.
> 
>>> 90,000 MLD groups for a 300 port switch stack is also unreasonable.
>>> Most switches cannot handle that many IPv4 multicast groups--expecting
>>> them to handle that many IPv6 multicast groups is unreasonable.
>> 
>> Again, this is not anything close to a real world scale for the situation. Using hyperbole derived numbers to make things sound bad enough that you can blame the protocol for a situation that is much more directly the result of bad network design is absurd.
> 
> It isn't hyperbole.  It has been observed multiple times by different
> people:
> 
> http://blog.bimajority.org/2014/07/16/ipv6-privacy-addresses-windows-just-say-no/
> 
> "it was a Windows machine, [...] I saw that it was responsible for the
> vast majority of those multicast memberships: 350 different multicast
> groups in all, nearly all of which were “solicited node” groups for
> different IPv6 “privacy” addresses"
> 
> http://blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/
> 
> "I used Ubuntu as an example, but it is hardly the worst offender. We
> have seen Windows machines with more than 300 IPv6 addresses”

Ah, so the grotesque violations of network etiquette come from windows boxes… What a surprise. Explains why I haven’t seen them. I gave up on Windows over a decade ago.

On most well behaved OS, btw, it’s a maximum of ~7.

> And a thorough description of the problem and possible solutions:
> 
> http://inconcepts.biz/~jsw/ipv6_nd_problems_with_l2_mcast.pdf

Right… Again, it seems like large layer 2 zones+mld snooping+privacy addressing are the “fire triangle” here and that if you remove any leg, you eliminate the problem.

>>> Having designed a ubiquitous protocol 16 years ago that can't be
>>> implemented reasonably cheaply on current hardware is an operational
>>> problem that can and should be dealt with by tweaking the protocol in
>>> some cases.  I think the protocol change proposals put forward in the
>>> article are a quite reasonable starting point for discussing how to
>>> mitigate this issue and shouldn't be dismissed out of hand.
>> 
>> I think that the protocol can be implemented reasonably cheaply on current hardware if you don’t design your network so poorly that the fact it hasn’t collapsed in on itself in IPv4 is a minor miracle. Lots of people have very large IPv6 networks running just fine on a  pretty wide variety of commodity hardware at this point.
> 
> The only reasonable way to avoid this problem today via network
> design, is to design you network to use DHCPv6 instead of SLAAC or
> turn off privacy addressing on all hosts.  Unfortunately for less
> managed networks (the exact use case that SLAAC is designed for--hands
> off) it isn't feasible to go to every host and manually turn off
> privacy addressing.  That means the only practical way to solve this
> problem is to only ever use DHCPv6.  This is a somewhat surprising
> result, perhaps unanticipated by those who worked on ND & MLD, and
> probably not desireable for those who champion SLAAC.

No, you can also avoid it by network design by limiting the size of your link local domains. If your switch has a 1000 multicast group limit, then you shouldn’t have more than about 120 hosts on that network. If you’re running Windows, turn off privacy addressing in group policy or demand that Micr0$0ft fix their broken shit.

> 
>> Smaller layer 2 zones would greatly improve his situation. Turning off privacy addressing would also help. (This is, as has been pointed out, under the control of the network operator as he can set the M bit, turn off the A bit, and give out DHCP addresses as an example.)
> 
> He doesn't have large Layer 2 zones.

Yes he does… He stated that he had a campus wide L2 zone.

> 
>> I suspect there are a number of other viable solutions.  OTOH, modifying ipv6 to support such an environment seems a fools errand to me.
> 
> Modifying ND is not without precedent.

Sure, and I’d welcome modifying ND for legitimate need, such as RFC6106.

In this case, ND doesn’t strike me as the place where ire is best targeted. MLD snooping could be improved to ignore solicited node addresses. This wouldn’t affect anything else and would clearly solve the problem. Micr0$0ft could fix their broken shit and not generate so many extra addresses for no reason.

Owen