Re: [v6ops] Interesting problems with using IPv6

"Hemant Singh (shemant)" <shemant@cisco.com> Tue, 09 September 2014 15:59 UTC

Return-Path: <shemant@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C64771A7001 for <v6ops@ietfa.amsl.com>; Tue, 9 Sep 2014 08:59:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.853
X-Spam-Level:
X-Spam-Status: No, score=-15.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5gs5kBzluPTN for <v6ops@ietfa.amsl.com>; Tue, 9 Sep 2014 08:59:01 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 700541A6FFF for <v6ops@ietf.org>; Tue, 9 Sep 2014 08:59:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7596; q=dns/txt; s=iport; t=1410278341; x=1411487941; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=75dUCQqkNsNxnN2cNy86DnfVo3Oqooi2w29DHqjOga8=; b=VlWAq2sjmPfJyvdXeoMcyLmkKZlrl12iXmu+meDcvYdpt4oUlwZzAzfr CN/6kGyIaRiwJRY4ahJ1bH+oQU0/snUNDbXl2SQ98v7lkIcobhh4fz2LW dBsnrTFRKRvokRlPSVxlGIbhC2EMBHhHpHUX5oAgnEDrZeJVoTIm7nkQ9 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiwFAHcjD1StJV2c/2dsb2JhbABZDoJ/U1cEgnjHJQqHTAEZdBZ4hAMBAQEEAQEBIBE4AgsMBAIBCBEEAQEDAgYdAwICAiULFAEICAIEAQ0FCIg6DacXlWYBF4EsiFSEdiYWGwcGgnM2gR0FjxmCKIQwgjyGJYZrjGSDH0JsAYEFAR8EHoEHAQEB
X-IronPort-AV: E=Sophos;i="5.04,492,1406592000"; d="scan'208";a="76330168"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-8.cisco.com with ESMTP; 09 Sep 2014 15:58:43 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s89Fwh7b018588 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 9 Sep 2014 15:58:43 GMT
Received: from xmb-rcd-x06.cisco.com ([169.254.6.218]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.03.0195.001; Tue, 9 Sep 2014 10:58:42 -0500
From: "Hemant Singh (shemant)" <shemant@cisco.com>
To: =?utf-8?B?QW5kcmV3IPCfkb0gIFlvdXJ0Y2hlbmtv?= <ayourtch@gmail.com>, "Chuck Anderson" <cra@wpi.edu>
Thread-Topic: [v6ops] Interesting problems with using IPv6
Thread-Index: AQHPy7BYcufcLcCSE0CP+QdxqYnKUZv4XruAgACCkQCAAAzxgP//rUdQgACT44CAABYhgP//ryjQ
Date: Tue, 9 Sep 2014 15:58:42 +0000
Message-ID: <75B6FA9F576969419E42BECB86CB1B89155AF84D@xmb-rcd-x06.cisco.com>
References: <1410082125488.85722@surrey.ac.uk> <540CB702.3000605@gmail.com> <20140908183339.GB98785@ricotta.doit.wisc.edu> <540E26D9.3070907@gmail.com> <1410227735.13436.YahooMailNeo@web162204.mail.bf1.yahoo.com> <540ECB9E.9000102@foobar.org> <CAKD1Yr1_sCLHv=D3MeCe47Fa0dxXTXH5B+=wOKpvmEDFkJFiZw@mail.gmail.com> <75B6FA9F576969419E42BECB86CB1B89155AF364@xmb-rcd-x06.cisco.com> <20140909142226.GP15839@angus.ind.WPI.EDU> <CAPi140Nwzjh-f_kj9tWmcmcjqh55nUdyr6EjHbQySom+SvX_fQ@mail.gmail.com>
In-Reply-To: <CAPi140Nwzjh-f_kj9tWmcmcjqh55nUdyr6EjHbQySom+SvX_fQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.131.71.117]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/aq5N2eGLKJZBNWSeCAQDZ1mBqjM
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Interesting problems with using IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 15:59:04 -0000

Andrew,

Great input from you.   However, there is one catch.  A basic switch works at layer-2 and may not have its implementation communicate with upper transport layers such as TCP and UDP.  The switch is merely snooping MLD.  Then the switch should just support never letting its cpu go higher than 40% and rate limit processing in the switch punt path.

Hemant

-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Andrew ?? Yourtchenko
Sent: Tuesday, September 09, 2014 11:42 AM
To: Chuck Anderson
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Interesting problems with using IPv6


Not delving into the whole "why in today-scale network we need to maintain separate groups per each solicited multicast" argument, let's just assume there are some noticeable gains there and focus on the number of groups.

1) http://tools.ietf.org/html/rfc4941#section-3.3 says:

   1.  Process the Prefix Information Option as defined in [ADDRCONF],
       either creating a new public address or adjusting the lifetimes
       of existing addresses, both public and temporary.  If a received
       option will extend the lifetime of a public address, the
       lifetimes of temporary addresses should be extended, subject to
       the overall constraint that no temporary addresses should ever
       remain "valid" or "preferred" for a time longer than
       (TEMP_VALID_LIFETIME) or (TEMP_PREFERRED_LIFETIME -
       DESYNC_FACTOR), respectively.  The configuration variables
       TEMP_VALID_LIFETIME and TEMP_PREFERRED_LIFETIME correspond to
       approximate target lifetimes for temporary addresses.

One way to interpret this text is that with the defaults, a host with SLAAC and temporary addresses will have: 1 LL + 1 SLAAC + 7 temp addresses = 9.

This gives 1.5 order of magnitude less groups than in the example you cite - a not terribly unreasonable number, though it's still a 9x amount.

The TEMP_VALID_LIFETIME and TEMP_PREFERRED_LIFETIME are host-coded, the network (for better or worse) appears to have not much say about them.

2) The "300 addresses" situation might look like either the defaults were changed, or the stack is being "helpful" as described in
http://tools.ietf.org/html/rfc4941#section-6:

   An implementation might want to keep track of which addresses are
   being used by upper layers so as to be able to remove a deprecated
   temporary address from internal data structures once no upper layer
   protocols are using it (but not before).  This is in contrast to
   current approaches where addresses are removed from an interface when
   they become invalid [ADDRCONF], independent of whether or not upper
   layer protocols are still using them.  For TCP connections, such
   information is available in control blocks.  For UDP-based
   applications, it may be the case that only the applications have
   knowledge about what addresses are actually in use.  Consequently, an
   implementation generally will need to use heuristics in deciding when
   an address is no longer in use.

Would this mean the host has a connection that is lasting 300 days and is using the same temporary address ? This does not look too temporary, so arguably that application should not be using temporary addresses (Also: interesting that e.g. Linux limits the default # to
16 - cf.: http://oss.sgi.com/archives/netdev/2004-01/msg01002.html
which is still true in the Ubuntu 14.04.)

BTW, talking about the applications, they should be able to select whether they need the temporary addresses or not: rfc5014. Do they intentionally select the temporary addresses on the long-lasting connections ?

Now, let me argue with myself:

1) IPv6 requiring 9x time the IPv4 addresses is still quite a stretch.
If someone needs a long-lasting session, they should use a stable address.

2) Does application have a way to say "I do not want temporary addresses" ?
(cf: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756)
Seems not today ?

3) Also, http://tools.ietf.org/html/rfc4941#section-3.6 clearly says:

" In addition, some applications may not behave
   robustly if temporary addresses are used and an address expires
   before the application has terminated, or if it opens multiple
   sessions, but expects them to all use the same addresses.
   Consequently, the use of temporary addresses SHOULD be disabled by
   default in order to minimize potential disruptions.  Individual
   applications, which have specific knowledge about the normal duration
   of connections, MAY override this as appropriate."


So, if the hosts were gentle with the number of addresses they try to use, apps with long-lasting connections were to disable the temporary addresses and the server fleet had the temporary addresses disabled altogether, SLAAC (and, where appropriate, temporary addresses) would not be so bad at all.

Of course, the amount of manual work this requires today means that the A-bit is turned off and the DHCPv6 is being used. Which may be perfectly okay - but if it is not, and we do assert that "An RA with prefix having an A-bit set and default settings, should not cause the 10x expansion to the resource requirements compared to Legacy IP", seems like some sort of a correction in default stacks/apps behavior with respect to temporary addresses could be useful.

--a

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops