IETF Logo Mail Archive

Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios

j h woodyatt <jhw@conjury.org> Thu, 21 February 2019 03:03 UTC

Return-Path: <jhw@conjury.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 731921286D8; Wed, 20 Feb 2019 19:03:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0pLj93Nk01Ty; Wed, 20 Feb 2019 19:03:21 -0800 (PST)
Received: from mail.conjury.org (prime.conjury.org [174.136.98.234]) by ietfa.amsl.com (Postfix) with ESMTP id BFB38126D00; Wed, 20 Feb 2019 19:03:20 -0800 (PST)
Received: from [IPv6:2607:f598:b0b2:cf00:d4fb:b027:be5d:c37d] (unknown [IPv6:2607:f598:b0b2:cf00:d4fb:b027:be5d:c37d]) by mail.conjury.org (Postfix) with ESMTPSA id D9D3BE600D; Wed, 20 Feb 2019 18:26:06 -0800 (PST)
From: j h woodyatt <jhw@conjury.org>
Message-Id: <0B67644D-7A35-4884-9D0D-1DEE4E80A2B6@conjury.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_832DA5C2-97F1-4D6F-9408-A2ADEEB084E9"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 20 Feb 2019 19:03:18 -0800
In-Reply-To: <a3854d79-f661-4363-c910-31e6a08179a1@si6networks.com>
Cc: Fernando Gont <fgont@si6networks.com>
To: 6man@ietf.org, IPv6 Operations <v6ops@ietf.org>
References: <60fabe4b-fd76-4b35-08d3-09adce43dd71@si6networks.com> <8CE7A0CD-97D9-46A0-814D-CAF8788F9964@consulintel.es> <e3e0bf2273e04f15b792665d0f66dfe5@boeing.com> <4c5fab33-2bff-e5b5-fc1d-8f60a01a146d@go6.si> <b4525832-9151-20bf-7136-31d87ba6c88d@huitema.net> <463f15cf-2754-e2e8-609d-dc0f33448c6c@go6.si> <ff649810-7242-7bc2-d36f-3f998f7bdd71@asgard.org> <9CDF41CA-83B4-4FC4-B995-EF79727C5458@steffann.nl> <CAO42Z2wA+vLmU7+sU6xLK7TO6pWfNQA5shs9zp=PqANCihLmBQ@mail.gmail.com> <BAB3061A-1808-4C0E-AA1B-2D7DD5BA63FC@employees.org> <bbd8b761-403a-5b3f-3f04-dc3bfdea116e@foobar.org> <6F3036C6-50A1-43C6-B554-31293B69E59D@employees.org> <433607c1-dbc6-a42e-cb17-dc209e33bdaa@si6networks.com> <12EA4FAE-BE3D-4CFE-9837-DF052F79A998@employees.org> <5bc3eaf0-3ef0-d954-b228-00a7faac7f4c@si6networks.com> <CAO42Z2wa9gWoB_bWrYt79urHF8ihmMAbjDSZCBoZa8dn8SCNFw@mail.gmail.com> <cfe8d901-b1db-78fc-2a80-ae85ccf0c0d3@si6networks.com> <CAO42Z2yAXnFRViCZ7Wf27twUAanuSLA30jcHZZPa30HJsg7adQ@mail.gmail.com> <a3854d79-f661-4363-c910-31e6a08179a1@si6networks.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/l46CCZiS68CzJzmRKyeabc8uHeo>
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 03:03:25 -0000

Hi Fernando,

It matters a lot what “unsolicited” means, c.f. the final prepositional phrase in this explanation from Section 2.3:

   The general operating principle is that transport layer traffic is
   not forwarded into the interior network of a residential IPv6 gateway
   unless it has been solicited explicitly by interior transport
   endpoints, e.g., by matching the reverse path for previously
   forwarded outbound traffic, or by matching configured exceptions set
   by the network administrator.

The use of a PCP server or the selection of the “transparent mode” configuration option *is* a solicitation of inbound flows to passive listeners. There is no recommendation for the default configuration of either a PCP server or the transparent mode. Under a strict interpretation of only RFC 6092 (without attempting to reference RFC 4864 normatively as one hopes external bodies would not do), it MAY be the case that inbound flows to passive listeners are solicited by DEFAULT until explicitly configured otherwise.

It’s RFC 4864 that recommends denying all inbound flows to passive listeners, and RFC 6092 was carefully written to remain neutral on that point. Precisely because we expected RFC 6092 to be input to external standards, and we expected that some bodies would require transparent mode by default.


--james woodyatt <jhw@conjury.org>



> On Feb 20, 2019, at 01:59, Fernando Gont <fgont@si6networks.com> wrote:
> 
> On 20/2/19 06:32, Mark Smith wrote:
> [....]
>>>> - As Ole implied, TCP uses addresses as identifiers, so TCP expects
>>>> that the address will persist for the entire duration of the TCP
>>>> connection, regardless of how long that duration is.
>>> 
>>> Your are turning a kludge into a design principle.
>> 
>> It's been a design assumption and expectation rather than a principle,
>> and an expectation TCP has had since 1974 (see RFC675, 2.2  "Sockets
>> and Addressing"  (That's TCPv1, before IP was split off)).
>> 
>> <snip>
>> 
>>> 
>>> Clearly, with your model of TCP connections surviving interface up/downs
>>> and the default lifetimes, you really have a host that is unusable,
>>> except in very specific network conditions -- such as: the host never
>>> moves (quite unlikely these days)
>> 
>> A 2013 presentation that makes that observation and some others.
>> 
>> "The Rapid Rise of the Mobile Multihomed Host, and What It Might Mean
>> to the Network"
>> http://www.ausnog.net/sites/default/files/ausnog-2013/presentations/D01%20P06-the%20rapid%20rise%20of%20the%20mobile%20multihomed%20host.pdf
>> 
>> 
>>> and nothing (including the CPE) fails
>>> (quite unlikely).
>>> 
>> 
>> I'm not saying these behaviours and expectations are necessarily correct today.
> 
> Besides "mobile" nodes, we have had RFC4941 for quite a long time now.
> Temporary addresses are preferred over stable addresses in RFC6724. --
> so short-lived addresses are more the norm than the exception for IPv6,
> I'd say.
> 
> 
> 
>> What I am saying is that they are and have been foundation design and
>> implementation assumptions that have been in place for multiple
>> decades. I think the longer a foundation assumption has been in place,
>> the more care and consideration you need to give to changing it,
>> because there can be unexpected impacts. Given those impacts, it may
>> be better to preserve them and design around them, compared to trying
>> to change them ("boiling the ocean"). The Mobile IP people, for
>> example, took this approach.
> 
> Based on the deployment level of Mobile IP, I'm not sure we want to
> follow that road ;-)
> 
> 
> 
>> People have said moving to multi-path transport layer protocols is
>> trying to boil the ocean.
>> 
>> Compared to providing stable PD prefixes within the BNG
>> infrastructure, I consider upgrading CPE to be boiling the ocean -
>> waiting on a CPE vendor to develop that firmware (depending on their
>> development priorities you may be waiting 3 to 6 months or possibly
>> longer), testing, and then deploying 100s of 1000s of CPE software
>> upgrades during many middles' of the night, with a risk of a
>> percentage of upgrades failing.
> 
> Note: me, I think that many CPEs will never store prefixes on stable
> storage. So, as far as *I* am concerned, the CPE advice is "this is what
> you should do if you want to be nice".
> 
> As noted before, a host cannot rely on the ISP to do stable prefixes,
> nor on CPEs to be nice. So if you want to be robust, the best place to
> improve such robustness is at the host.
> 
> 
> 
>> That's if you have managed CPE. If you
>> support BYO CPE (very common in Australia), then the time frame for
>> CPE functionality changes through upgrades is in the order of 5 years
>> or more, because people don't replace BYO CPE unless it stops working,
>> and they don't upgrade firmware either if it subjectively seems to
>> them to be working.
> 
> I agree with you in this respect. That's why I said you cannot rely on
> the CPE doing "the right thing" to get this problem solved.
> 
> 
> 
>> Upgrading ISP network infrastructure and back-end systems isn't easy
>> either, however it is within house so runs to your schedule and
>> resource availability, and all customers using that
>> infrastructure/system gain the benefit without having any changes made
>> to their equipment or configuration.
> 
> An ISP may have its own reasons for doing dynamic prefixes. A poll made
> by Jordi indicates that 37% of surveyed ISPs employ dynamic prefixes.
> That's a significant percentage... and you want host to be robust in
> such scenarios, too.
> 
> 
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email