IETF Logo Mail Archive

Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

"Ackermann, Michael" <MAckermann@bcbsm.com> Fri, 19 September 2014 20:56 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9704C1A8035 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 13:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.89
X-Spam-Level:
X-Spam-Status: No, score=-3.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, T_FSL_HELO_BARE_IP_2=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wj8K7EkLQD79 for <v6ops@ietfa.amsl.com>; Fri, 19 Sep 2014 13:56:10 -0700 (PDT)
Received: from mx.z120.zixworks.com (mx.z120.zixworks.com [199.30.235.120]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4C8D1A88AD for <v6ops@ietf.org>; Fri, 19 Sep 2014 13:56:09 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 021CB1020DF for <v6ops@ietf.org>; Fri, 19 Sep 2014 15:56:09 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [12.107.172.80]) by mx.z120.zixworks.com (Proprietary) with SMTP id 557C51291FA; Fri, 19 Sep 2014 15:56:08 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA80 (Postfix) with ESMTP id 73F834F8053; Fri, 19 Sep 2014 16:53:46 -0400 (EDT)
Received: from PWN401EA110.ent.corp.bcbsm.com (unknown [10.64.80.218]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by imsva1.bcbsm.com (Postfix) with ESMTP id 7180E4F804F; Fri, 19 Sep 2014 16:53:46 -0400 (EDT)
Received: from PWN401EA160.ent.corp.bcbsm.com ([fe80::fdcb:603d:469e:b1db]) by PWN401EA110.ent.corp.bcbsm.com ([::1]) with mapi id 14.01.0438.000; Fri, 19 Sep 2014 16:55:38 -0400
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Andrew 👽 Yourtchenko <ayourtch@gmail.com>, Nalini Elkins <nalini.elkins@insidethestack.com>
Thread-Topic: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
Thread-Index: AQHP0/9nr2GOGmtz+E6bwFtua+J9j5wI9ViAgAAkY4CAABGGAP//wkeQ
Date: Fri, 19 Sep 2014 20:55:37 +0000
Message-ID: <4FC37E442D05A748896589E468752CAA0CCCABFB@PWN401EA160.ent.corp.bcbsm.com>
References: <201409191147.s8JBl1Fe016458@irp-lnx1.cisco.com> <CAPi140O_WkcS9uFCSK0+tVDF3Z1sB4_UF5Zv9kpNEMh7m94Vww@mail.gmail.com> <1411154671.21942.YahooMailNeo@web125102.mail.ne1.yahoo.com> <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com>
In-Reply-To: <CAPi140Ob+TeDyYfw_1A2Q55gEF5-rNrLynQ1LkGHOVnGcNcpLA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.10.35]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-VPM-HOST: vmvpm01.z120.zixworks.com
X-VPM-GROUP-ID: 6861e22b-9032-4df9-8c92-648f0939b921
X-VPM-MSG-ID: 3e98d435-73f1-4f4e-9780-845fc250b7df
X-VPM-ENC-REGIME: Plaintext
X-VPM-CERT-FLAG: 0
X-VPM-IS-HYBRID: 0
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/wT62BZioDvER7_vtKBjnu45zKPc
Cc: "draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org" <draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 20:56:13 -0000

HI Andrew

Thanks for the great responses and related information.   

My comment on the inclusion of MLD,  is that we talked a lot about MLD during the creation of this draft and it certainly is consistent with the theme and adds to the issues.   However, we chose to leave MLD out of this draft, in an effort to keep the draft smaller and more focused.   We do mention MLD as being a related factor but state it is outside of the scope of the draft.     Given that, a question for you is if you feel this draft SHOULD include MLD?    

One other comment is that although there is education and information about these types of IPv6 subjects/issues, most large enterprises are unaware of any of this.   Our hope was to spare them from having an unpleasant initial experience with IPv6, by pointing out some issues  and pitfalls we have run into.   There is enough reluctance to pursue IPv6, in the corporate and large enterprise environments today and we want to eliminate as many negatives from that decision process as possible.  

Hope that makes sense. 

Thanks again

Mike



-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Andrew ?? Yourtchenko
Sent: Friday, September 19, 2014 4:27 PM
To: Nalini Elkins
Cc: draft-elkins-v6ops-multicast-virtual-nodes@tools.ietf.org; v6ops@ietf.org
Subject: Re: [v6ops] new draft: draft-elkins-v6ops-multicast-virtual-nodes

On 9/19/14, Nalini Elkins <nalini.elkins@insidethestack.com> wrote:
>
>>A directed broadcast ping on IPv4 gives pretty much the same result.
>>Did you test the effects of that ?
>
> I had not.  But, since you mentioned it, I did it on two different 
> Windows machines.  The one that is the server in question had the following results:
>
> C:\Users\Administrator>ping x.x.x.255
>
> Pinging x.x.x.255 with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for x.x.x.255:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> Arp cache was not updated.   I did a packet trace in the background and
> indeed no ICMP replies were seen.
>
> I did the same ping x.x.x.255 on one of my client PCs and saw:
>
> Pinging x.x.x.255 with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> But this time the packet trace showed that actually ICMP replies were sent.
>

So, besides this cosmetic difference the behavior is identical for the case of IPv4 ping ?

>>Of course, private VLANs or (if we are talking VMs) or just using p2p 
>>links with /128s would help this in the environments where the hosts 
>>can not be trusted - and this of course is not virtual/physical 
>>specific.
>
> Yes.  We wanted to bring up the topic of isolation of nodes for discussion.

This is a useful topic in general - especially in light of the MLD-related thread, but the draft seems to focus on a very corner case
- there are many much better reasons not to do large L2 networks.

>
>>If we're talking specifically virtual environment, here's an approach 
>>on how to use ebtables to isolate the hosts:
>
>>ebtables -P FORWARD DROP
>>ebtables -F FORWARD
>>ebtables -A FORWARD -i $uplinkPort -j ACCEPT # let the traffic flow 
>>from uplink to any ports ebtables -A FORWARD -o $uplinkPort -j ACCEPT 
>># let the traffic flow from any ports to uplink
>
>>(source:http://serverfault.com/questions/388544/is-it-possible-to-enab
>>le-port-isolation-on-linux-bridges)
>
> I think this is very good.  But, unfortunately not very well known.   Also,
> is this possible for all platforms or just Linux?

This was just my first google.com search result when searching for "private vlans linux".

The first google.com search result on "private vlans windows" brings up http://blogs.technet.com/b/scvmm/archive/2013/06/04/logical-networks-part-iv-pvlan-isolation.aspx
which seems to document similar technique.

"private vlan vmware" results in
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691
as its first hit.

Would an IETF publication be easier to find than the above ?

>
>>So looks like the question at hand is:
>
>>"Should IPv6 nodes respond to Ping to FF0x::1?"
>
>>Which can be rephrased differently to ease the start of the discussion:
>
>>"What are the legitimate uses of a ping to ff0x::1 ?"
>
>>Right ?
>
> Yes.

Allright, so I'll mention my use of ping6 ff0x::1:

* quick check to find "a few hosts that are alive on this link"
(obviously not to be done on large segments).

* A way to trigger the remote side's ND process without having to do one myself (I know the multicast packet to all-hosts *will* usually get received regardless of the underlying issues with the L2.5 infrastructure (snooping, etc.)

* A way to further debug malfunctioning L2.5 infra, by comparing the reaction to pings to ff02::1, solicited node multicast, other multicast groups, etc.

Summary: the ff02::1 current ping behavior does help in a non-trivial amount of cases.

The security aspects the draft mentions indeed do exist, but in a properly configured network can be easily mitigated as I've shown above. So I'd be against changing the functionality in the existing stacks.

On the education side: the existing search results
https://www.google.com/?gws_rd=ssl#q=ping6+ff02::1 show 8000-something results - so indeed probably this behavior may be highlighted more during the IPv6 education. However: every IPv6 course I've heard says "there is no broadcast in IPv6, but there is all-hosts multicast" which should not make the behavior the draft describes a major surprise.

--a

>
> --a
>
>
> On 9/19/14, fred@cisco.com <fred@cisco.com> wrote:
>> A new draft has been posted, at
>> http://tools.ietf.org/html/draft-elkins-v6ops-multicast-virtual-nodes.
>> Please take a look at it and comment.
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops


The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.

v2.23.0 | Report a Bug | By Email