Re: [v6ops] [dhcwg] SLAAC renum: Problem Statement & Operational workarounds

Owen DeLong <owen@delong.com> Thu, 31 October 2019 01:40 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFF0112008B; Wed, 30 Oct 2019 18:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.998
X-Spam-Level:
X-Spam-Status: No, score=-6.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVzxHcRqcdYL; Wed, 30 Oct 2019 18:40:14 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id EDB5F12006B; Wed, 30 Oct 2019 18:40:09 -0700 (PDT)
Received: from [172.20.0.85] (rrcs-97-79-186-2.sw.biz.rr.com [97.79.186.2]) (authenticated bits=0) by owen.delong.com (8.15.2/8.15.2) with ESMTPSA id x9V1cfOS004481 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 30 Oct 2019 18:38:42 -0700
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com x9V1cfOS004481
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1572485923; bh=w0TJ2XGkkP1+qQAtqMApZ1MVm+I9hWUT78aoux/lAqI=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=znXsju/GsTlnk5tm3XYnc4KhnKy9+KC7W/DNqLTwmd3kqYu7Ib9RWadwOC1qge7jn +dGBQ0Zt3KtakyNBOe5bXYs1LFTmnW5U6KoPddjTxA3un3l9r18ycX2AMmwhktsRCT CjQlQmyb/hyDaiF0w3kPthCDusBmF4C/sPzqtmx4=
From: Owen DeLong <owen@delong.com>
Message-Id: <F2F145F7-E678-48C9-A765-BD2D22F793EE@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7AF93E5E-9C49-4AD9-BB83-89C83D9D7FEC"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Wed, 30 Oct 2019 18:38:41 -0700
In-Reply-To: <A72A93B2-B947-4365-A811-50D8908B01EA@cisco.com>
Cc: Ted Lemon <mellon@fugue.com>, Bud Millwood <budm@weird-solutions.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>, IPv6 Operations <v6ops@ietf.org>
To: "Bernie Volz (volz)" <volz@cisco.com>
References: <MWHPR1101MB2288616D545F3DAD1D1734A1CF600@MWHPR1101MB2288.namprd11.prod.outlook.com> <CAOpJ=k06SRAHR7S+UmvFu=zvyk8j_uica2gdbBij+5pr+Jykww@mail.gmail.com> <C0A66DA1-29DE-456A-934D-7ECC07575336@cisco.com> <8755B40E-4075-4AAC-BF59-19B6DF9BA6D1@cisco.com> <B23EE439-1509-43FB-9813-F330117DBF42@fugue.com> <CAOpJ=k25ML8Z0_QRN8yoYdXut=tsZBwtBZEstceT45csb1Aunw@mail.gmail.com> <E8D9F8C2-C4C1-44CC-AB06-87A3461B704A@fugue.com> <A72A93B2-B947-4365-A811-50D8908B01EA@cisco.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (owen.delong.com [192.159.10.2]); Wed, 30 Oct 2019 18:38:43 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ZPK4vuIv3fTh7CmkMHbxZwethuw>
Subject: Re: [v6ops] [dhcwg] SLAAC renum: Problem Statement & Operational workarounds
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 01:40:17 -0000


> On Oct 30, 2019, at 5:53 PM, Bernie Volz (volz) <volz@cisco.com>; wrote:
> 
> Mark Smith on v6ops ml wrote:
> 
> “I think Ole observed that this is contrary to what the PD prefix's Valid Lifetime said would be the case. The ISP supplied a PD Prefix with a Valid Lifetime of X seconds, and then broke that promise by abruptly changing addressing before X seconds. ISPs should be expected to live up to their Valid Lifetime promises.”

Sure, but in the real world, there is an entire class of ISPs that have repeatedly demonstrated utter and near complete disregard for such niceties as promises to customers (e.g. most major eyeball ISPs in the US at a minimum), so having CPE behavior that accommodates this fact in favor of the user will likely lead to a better user experience than stomping or feet and insisting that ISPs behave properly.

> And it would be worth better understanding exactly what happens in these situations (perhaps it was covered earlier but I missed or lost that)  ... if the Prefix configuration really is radically changed, even the SP dhcp server may be unable to assist.

With what is being proposed, the SP DHCP server doesn’t need to assist. The CPU should write the set of received prefixes and their expected expiration times (preferred, valid) to persistent storage. The CPU should update this when a packet making a change to these timers is received. It should make every effort to deprecate prefixes it cannot renew from the links where it previously advertised them.

This doesn’t require anything special on the SP side.

Owen

> 
> - Bernie
> 
> On Oct 30, 2019, at 7:32 PM, Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>> wrote:
> 
>> On Oct 30, 2019, at 7:18 PM, Bud Millwood <budm@weird-solutions.com <mailto:budm@weird-solutions.com>> wrote:
>>> It's not so much about the lifetime of the prefix as about putting two
>>> prefixes in a reply to a request, right? And any CPE that can't handle
>>> that gracefully gets hosed. I agree that providers of course need to
>>> test this feature, and a server side configuration makes that
>>> possible. Also, I'm all for firmware upgrades, but requiring it to fix
>>> a hosed CPE is could be a big issue.
>> 
>> The thing is, if they can’t handle a two-PD response, they are out of spec.  This is already allowed in the RFC.
>> 
>> Granted, there may be plenty of CPEs that won’t handle this correctly.   If they can be bricked by a message with two PDs, then bricking them is the right thing to do, because that’s a zero-day vulnerability wide open on the customer network.
>> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops