Re: ping-pong phenomenon with p2p links & /127 prefixes
Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Mon, 23 August 2010 11:52 UTC
Return-Path: <ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1542C3A69FB for <ipv6@core3.amsl.com>; Mon, 23 Aug 2010 04:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.351
X-Spam-Level:
X-Spam-Status: No, score=-1.351 tagged_above=-999 required=5 tests=[AWL=0.229, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id og-bz4E8zRll for <ipv6@core3.amsl.com>; Mon, 23 Aug 2010 04:52:30 -0700 (PDT)
Received: from smtp2.adam.net.au (smtp2.adam.net.au [202.136.110.251]) by core3.amsl.com (Postfix) with ESMTP id B8A0D3A69F3 for <ipv6@ietf.org>; Mon, 23 Aug 2010 04:52:26 -0700 (PDT)
Received: from 182-239-154-130.ip.adam.com.au ([182.239.154.130] helo=opy.nosense.org) by smtp2.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1OnVaE-0008Sn-9x; Mon, 23 Aug 2010 21:22:58 +0930
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id E9DA03B325; Mon, 23 Aug 2010 21:19:09 +0930 (CST)
Date: Mon, 23 Aug 2010 21:19:09 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: Randy Bush <randy@psg.com>
Subject: Re: ping-pong phenomenon with p2p links & /127 prefixes
Message-ID: <20100823211909.279cd620@opy.nosense.org>
In-Reply-To: <m2k4nichut.wl%randy@psg.com>
References: <4C68FD84.80905@unfix.org> <20100816.111224.41652855.sthaug@nethelp.no> <4C690673.1040400@unfix.org> <20100816.114110.71111142.sthaug@nethelp.no> <4C69085A.1040706@unfix.org> <m2ocd2j3f9.wl%randy@psg.com> <20100816230806.629c633a@opy.nosense.org> <C282AE46CA180649B16227A97F76C6D40DDC9BFF@EMAILHK2.jnpr.net> <20100822093056.3bd9710b@opy.nosense.org> <C282AE46CA180649B16227A97F76C6D40DDC9FBB@EMAILHK2.jnpr.net> <AANLkTikqcOZLhkYbd6+hvke9CkxJimvzOFR8tvsfX4Lp@mail.gmail.com> <20100823063817.3de93c5f@opy.nosense.org> <m2k4nichut.wl%randy@psg.com>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ops.ietf.org, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Aug 2010 11:52:31 -0000
On Mon, 23 Aug 2010 09:06:50 +0900 Randy Bush <randy@psg.com> wrote: > > If the /127 draft is a rebuttal of RFC3627 > > and if it isn't? maybe it's just a bug report on one bit? > Well, firstly, this is the text in the /127 draft which seems to suggest to me it is: "This document provides rationale for using 127-bit prefix lengths, reevaluates the reasons why doing so was considered harmful, and specifies that /127 prefixes MUST be supported on inter-router links configured for use as point-to-point links." The MUST in capitals is the key word. The Interface ID has been 64 bits in length since RFC2373 (July 1998) for global prefixes. Many RFCs rely on that. This draft is setting itself up to be the new authoritative statement on an exception to all the prior RFCs that have followed the 64 IID specification. I think therefore it is obligated to address all the issues that an exception creates. Alternatively, if it was published as an Informational RFC, I think the threshold of detail required could be lower. IMHO, where the real problem lies isn't the /64 prefix length, it's in the neighbor discovery neighbor solicitation/neighbor advertisement mechanism, and even more specifically, it's caused by these two requirements in the Neighbor Discovery RFC, "7.2.2. Sending Neighbor Solicitations" - " While waiting for address resolution to complete, the sender MUST, for each neighbor, retain a small queue of packets waiting for address resolution to complete. The queue MUST hold at least one packet, and MAY contain more. However, the number of queued packets per neighbor SHOULD be limited to some small value. When a queue overflows, the new arrival SHOULD replace the oldest entry. Once address resolution completes, the node transmits any queued packets." and "If no Neighbor Advertisement is received after MAX_MULTICAST_SOLICIT solicitations, address resolution has failed. The sender MUST return ICMP destination unreachable indications with code 3 (Address Unreachable) for each packet queued awaiting address resolution." The MUST of holding a queue of NS triggering packets, and the MUST of returning an ICMP destination unreachable create remotely exploitable state on a router's interface. Switching off NS/NA on links where it could be (i.e. point-to-point links), mitigates that, however it then creates the ping-pong problem. /127s is a mitigation for that, however it isn't a solution for links containing end-nodes i.e. LANs. There'll still be millions of them that are remotely exploitable from offlink sources. So /127s are very much a partial rather than full solution. Lengthening the prefix length/shortening the IID is always a mitigation, not a solution to the remote exploitable state. I think there are two realities which reduce the usefulness of these MUST implement mechanisms - o the Internet is best effort, so if a source node wants to be confident that the packet arrived, it needs to be prepared to re-transmit it. Queueing it on a router while NS/NA takes place helps but doesn't avoid a node having to be prepared to retransmit. o Also due to the best effort nature of the Internet, there is a possibility that the ICMP destination unreachable won't make it back to the original packet's source, with perimeter firewalls being one of the causes. If those MUSTs were loosened to SHOULDs or MAYs, then it would be acceptable to avoid having a router maintain state while the ND NS/NA transaction takes place. Once that state requirement is removed, I think there are a number of ways to solve the layer 3 to layer 2 address mapping function on a link - o have nodes periodically announce themselves via unsolicited multicasts - the ES-IS model. o have nodes register there presence via a two way transaction - the 6lowpan ND optimisation mechanism might be a candidate. o use an NS/NA transaction, with the NS containing a magic cookie in the flow label field or maybe an ND option that is copied into the NA, and verified by the NS originator. The number of NSes per second might be rate limited to avoid creating a CPU DoS because of cookie generation. Source nodes will eventually retransmit their packets if the NS doesn't occur because the cookie generation rate limit was exceeded. o use an NS/NA transaction, and just accept NAs when ever they arrive. There are more trust issues here because on the onlink nodes could DoS the router with NAs - however they have far more of an incentive to not do it because they're likely to be DoSing the router that provides them with offlink connectivity. This is essentially a passive/solicited version of the ES-IS model. It could also be considered a "loose" or existing ND NS/NA "compatibility" mode of the more "strict" NS/NA cookie transaction mode. These mechanisms are applicable to any type of link, would preserve the simplicity of universal 64 bit IIDs and the other benefits of them e.g. CGAs, as well as avoiding the ping-pong problem. > > Other examples - there are probably more - of things I think that should > > be discussed, beyond what is in RFC3627 - > > where is that darned immersion heater? > No sure what they do. Can I buy one that runs IPv6? Regards, Mark.
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- Re: ping-pong phenomenon with p2p links & /127 pr… Jeroen Massar
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- ping-pong phenomenon with p2p links & /127 prefix… Fernando Gont
- Re: ping-pong phenomenon with p2p links & /127 pr… Jeroen Massar
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- Re: ping-pong phenomenon with p2p links & /127 pr… Jeroen Massar
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… Jeroen Massar
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: ping-pong phenomenon with p2p links & /127 pr… Fernando Gont
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Gert Doering
- Re: ping-pong phenomenon with p2p links & /127 pr… Fernando Gont
- Re: ping-pong phenomenon with p2p links & /127 pr… Roger Jørgensen
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… Jared Mauch
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: ping-pong phenomenon with p2p links & /127 pr… Jared Mauch
- RE: ping-pong phenomenon with p2p links & /127 pr… Olivier Vautrin
- Re: ping-pong phenomenon with p2p links & /127 pr… Seiichi Kawamura
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… James Joyce
- Re: ping-pong phenomenon with p2p links & /127 pr… Seiichi Kawamura
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Jared Mauch
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4443 Pekka Savola
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- Re: ping-pong phenomenon with p2p links & /127 pr… Seiichi Kawamura
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4… Fernando Gont
- Re: ping-pong phenomenon with p2p links & /127 pr… Truman Boyes
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- Re: ping-pong phenomenon with p2p links & /127 pr… Ole Troan
- Re: draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4… JINMEI Tatuya / 神明達哉
- RE: ping-pong phenomenon with p2p links & /127 pr… Christian Huitema
- Re: ping-pong phenomenon with p2p links & /127 pr… Jared Mauch
- RE: draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4… Olivier Vautrin
- Re: draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4… Pekka Savola
- Re: draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4… Mark Smith
- RE: draft-ietf-ipngwg-p2p-pingpong-00.txt vs RFC4… Miya Kohno
- RE: ping-pong phenomenon with p2p links & /127 pr… Miya Kohno
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- RE: ping-pong phenomenon with p2p links & /127 pr… Miya Kohno
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… sthaug
- RE: ping-pong phenomenon with p2p links & /127 pr… Miya Kohno
- RE: ping-pong phenomenon with p2p links & /127 pr… Miya Kohno
- Re: ping-pong phenomenon with p2p links & /127 pr… Fred Baker
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Jared Mauch
- Re: ping-pong phenomenon with p2p links & /127 pr… Jared Mauch
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Joel Jaeggli
- RE: ping-pong phenomenon with p2p links & /127 pr… Manfredi, Albert E
- Re: ping-pong phenomenon with p2p links & /127 pr… Randy Bush
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- RE: ping-pong phenomenon with p2p links & /127 pr… Manfredi, Albert E
- Re: ping-pong phenomenon with p2p links & /127 pr… Fred Baker
- RE: ping-pong phenomenon with p2p links & /127 pr… Hemant Singh (shemant)
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- RE: ping-pong phenomenon with p2p links & /127 pr… Manfredi, Albert E
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Christopher Morrow
- Re: ping-pong phenomenon with p2p links & /127 pr… Mark Smith
- Re: ping-pong phenomenon with p2p links & /127 pr… Fernando Gont
- RE: ping-pong phenomenon with p2p links & /127 pr… Olivier Vautrin