Re: [v6ops] RFC7217 and flash renumbering and IID change

Fernando Gont <fgont@si6networks.com> Fri, 11 December 2020 12:05 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08C603A0B25 for <v6ops@ietfa.amsl.com>; Fri, 11 Dec 2020 04:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2_8-yPhxMdL for <v6ops@ietfa.amsl.com>; Fri, 11 Dec 2020 04:05:44 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B6D53A0B1F for <v6ops@ietf.org>; Fri, 11 Dec 2020 04:05:38 -0800 (PST)
Received: from [IPv6:2800:810:464:8164:2564:6883:7d0c:efbb] (unknown [IPv6:2800:810:464:8164:2564:6883:7d0c:efbb]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 91A9F283A2F; Fri, 11 Dec 2020 12:05:32 +0000 (UTC)
To: Mikael Abrahamsson <swmike=40swm.pp.se@dmarc.ietf.org>, v6ops@ietf.org
References: <alpine.DEB.2.20.2012111147020.10335@uplift.swm.pp.se>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <28ec97ca-355b-e4d8-200d-1c14160b51c0@si6networks.com>
Date: Fri, 11 Dec 2020 09:05:06 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.20.2012111147020.10335@uplift.swm.pp.se>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/wxxSiMo1mRajWZ4gXV0w9sZiWqs>
Subject: Re: [v6ops] RFC7217 and flash renumbering and IID change
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 12:05:48 -0000

On 11/12/20 07:58, Mikael Abrahamsson wrote:
> 
> Hi,
> 
> just wanted to share my experience.
> 
> My home has a /56 PD from my ISP. For some (unknown to me) reason my 
> home was flash renumbered little over 24 hours ago.

FWIW, same happens at home, albeit for the /64 I get delegated from my 
ISP.  -- still trying to debug the reason with my ISP.



> I didn't notice, 
> generally everything worked. What made me discover that this happened 
> was when I tried to access something that had a static entry in my 
> /etc/hosts file. This is understandable, and has happened to me before 
> in my 10+ years of running IPv6 in my home.
> 
> I proceeded to change the first 64 bits of the address in /etc/hosts, 
> and tried again. Still nothing. Investigated further, and then I 
> discovered that the last 64 bits had changed as well.
> 
> This seems to be because ubuntu 20.04 machines (and others) are using 
> RFC7217 to generate the last 64 bits, and reading RFC7217 in the light 
> of this, it says to generate a unique IID when it "moves". Now, my 
> machine certainly didn't "move" (for some definition of move), its NIC 
> always had link, default gateway was the same etc, but RFC7217 says to 
> generate unique IID per Prefix, so that's what it did.

If the prefix changed, the your node changed it's location in the 
network topology. -- note that while the default router didn't change, 
that could simply be the result of connecting the same router to a 
different ISP/upstream. So the behavior you got is a feature, indeed. :-)




> There are HGWs where the firewall allows you to configure rules that 
> take the PIO Prefix first 64 bits and then a static IID, so that if the 
> Prefix changes, the firewall rule but not IID changes, it'll still be 
> correct.
> 
> With the current behavior of IID change when PIO Prefix changes, above 
> functionality doesn't work.
> 
> So I guess my question is, how do we want these things to work? What's 
> the guidance we want to give? I'd like people to be able to configure 
> their HGW with firewall rules that keep working across renumbering, so 
> what should these firewall rules be based on?

What I'd say is: Any of:

1) Manually configure the address -- e.g., IIRC some systems allow you 
to use a "token" that will be employed along the prefix. Similar to what 
you mention for the HGW. (i.e., override RFC7217)

2) Filter based on the MAC address (may or may not be of use depending 
on the set up)

3) Use something ala UPnP -- although unfortunately many HGWs do not 
include the relevant support for the IPv6 case.

4) Have the node update its e.g. DNS record, and have the FW build the 
rules from the domain -> IPv6 addresses


Note: I assume that your HGW FW rules are for incoming connections -- 
since otherwise for outgoing connections you'd run into the same problem 
due to IPv6 temporary addresses.



> If we augment RFC7217 and say that new IID should not be generated in a 
> flash renumbering event (for instance, if default gw is the same, a new 
> Prefix being announced, keep the IID) that would work.

The problem here is that when a prefix changes, that means the system 
has moved. Think, e.g. a user that employs a portable 4G router -- the 
default gw will always be the same, but you certainly want the IID to 
change as the user travels around.



> Another way might be to suggest some more advanced logic for the HGW in 
> handling these firewall rules, perhaps based on MAC address or 
> something?

Yep, that's one of the possibilities.


> However, I don't know how the HGW would figure out what 
> addresses are which from temporary privacy addresses, stable RFC7217 etc.

It certainly can't (both temporary and stable addresses look the same). 
So it should be the host talking to the firewall and telling what to do 
with which address.  -- with e.g. something like UPnP.

Thanks!

Regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492