Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache
David Lamparter <equinox@diac24.net> Tue, 23 July 2019 14:31 UTC
Return-Path: <equinox@diac24.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F03112011F for <v6ops@ietfa.amsl.com>; Tue, 23 Jul 2019 07:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4_ldvDPcKuNT for <v6ops@ietfa.amsl.com>; Tue, 23 Jul 2019 07:31:01 -0700 (PDT)
Received: from eidolon.nox.tf (eidolon.nox.tf [IPv6:2a07:2ec0:2185::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0694E120226 for <v6ops@ietf.org>; Tue, 23 Jul 2019 07:31:01 -0700 (PDT)
Received: from equinox by eidolon.nox.tf with local (Exim 4.92) (envelope-from <equinox@diac24.net>) id 1hpvof-001nCS-IC; Tue, 23 Jul 2019 16:30:57 +0200
Date: Tue, 23 Jul 2019 16:30:57 +0200
From: David Lamparter <equinox@diac24.net>
To: Gert Doering <gert@space.net>
Cc: David Lamparter <equinox@diac24.net>, Mark Smith <markzzzsmith@gmail.com>, v6ops list <v6ops@ietf.org>
Message-ID: <20190723143057.GC258193@eidolon.nox.tf>
References: <20190722213727.GI34551@eidolon.nox.tf> <CAO42Z2zn-V9HrKGDC_api7BE4Sy6jmcrfKR7nbnSrHA5NpxYjQ@mail.gmail.com> <20190723000049.GJ34551@eidolon.nox.tf> <20190723070141.GG60824@Space.Net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190723070141.GG60824@Space.Net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/qY6WuviNyekAHYFLs6tWXkbBb6I>
Subject: Re: [v6ops] privacy point re. unsolicited NA / router neighbor cache
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 14:31:05 -0000
On Tue, Jul 23, 2019 at 09:01:41AM +0200, Gert Doering wrote: > On Tue, Jul 23, 2019 at 02:00:49AM +0200, David Lamparter wrote: > > => Yes: it seems someone configured multicast. (You don't get this > > without config, it's a bit of a PITA honestly.) Proceed to 2. > > > > 2. is whoever configured multicast competent? > > The general assumption for on-link multicast should be "it's broadcast > or it is getting lost". > > Switch vendor track record shows that this is a constantly recurring > problem, and the *best* you can hope for operational robustness is > "on-link multicast is handled like broadcast". All the other snooping > things just cause more work in figuring out this week's bugs and how > to turn off the snopping bits. > > The general idea that on-link multicast is a positive aspect of IPv6 > is nice, but wrong. I'm happy to agree that in most cases multicast will be broadcast, and gleaning DAD on the router(s) to prime a neighbor cache entry works perfectly fine for that situation. I also think that we shouldn't break things by design, and the address-dependent DAD multicast groups are a feature both in terms of limiting flooding as well as improving privacy, even if neither of these two materializes in common setups. Which of these matters more is of no impact for DAD gleaning since it happens to work out to a good solution for both. It *does* break for networks with badly configured multicast, but I believe this is an acceptable caveat -- what we're trying to fix here is a delay in establishing communication, so the failure case is that this delay remains. I'd argue this is an acceptable result of an incompatible multicast configuration made out of either ignorance or error. I'm also confident enough in saying I don't believe any relevant switch or router default configurations include such broken multicast snooping config. If it's broken, it's something the operator broke. I'd even agree with you that operators are well-advised to not enable multicast snooping in most cases, so it keeps being broadcast. Exceptions prove the rule. Cheers, -David
- [v6ops] privacy point re. unsolicited NA / router… David Lamparter
- Re: [v6ops] privacy point re. unsolicited NA / ro… Mark Smith
- Re: [v6ops] privacy point re. unsolicited NA / ro… David Lamparter
- Re: [v6ops] privacy point re. unsolicited NA / ro… Mark Smith
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Sander Steffann
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Sander Steffann
- Re: [v6ops] privacy point re. unsolicited NA / ro… David Lamparter
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Nick Hilliard
- Re: [v6ops] privacy point re. unsolicited NA / ro… Fred Baker
- Re: [v6ops] privacy point re. unsolicited NA / ro… Mark Smith
- Re: [v6ops] privacy point re. unsolicited NA / ro… Jen Linkova
- Re: [v6ops] privacy point re. unsolicited NA / ro… Gert Doering
- Re: [v6ops] privacy point re. unsolicited NA / ro… Pascal Thubert (pthubert)