List: ipng
Subject: Re: Errata for RFC4862
From: Tim Chown <Tim.Chown () jisc ! ac ! uk>
Date: 2017-01-12 14:29:33
Message-ID: 9F634A38-468F-46B6-81D5-17D96223F163 () jisc ! ac ! uk
Hi Mark,
On 10 Jan 2017, at 21:45, Mark Smith <markzzzsmith@gmail.com> wrote:

On 11 Jan. 2017 6:32 am, "神明達哉" <jinmei@wide.ad.jp> wrote:

At Tue, 10 Jan 2017 12:45:27 +0000,
Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> My recollection of running renumbering experiments is that it's the
> Preferred Lifetime that matters, i.e. when that is set to zero for a
> prefix, the prefix is marked as deprecated. So when renumbering,
> you run with two prefixes advertised, old and new, setting the
> Preferred Lifetime to 0 on the old prefix (even though the Valid
> Lifetime is set to 2+ hours), so that the address with the new
> prefix is used for newly initiated communications (as per RFC 6724,
> Rule 3).
Yes, but I guess what Ole tried to point out (which I agree with) is
that the valid lifetime will also have to decrease to 0 eventually,
and this original text of RFC4862 allows such a decrease operation
without requiring explicit authentication if done gradually:
If that is the case (and I don't think it is, it creates the DoS opportunity that all other >2 hr checks attempt to defeat), then I think it needs to be far better and more explicitly explained, including the sequence of events.

What is the use case that can't be achieved by setting the preferred lifetime to zero, immediately deprecating the addresses (and a VL of 2 hours to cause them to disappear shortly)?

If it is to remove addresses immediately from a host by setting the RA PIO VL to zero - actually that's not going to work, because setting VL to zero will fail the greater than remaining time check.

It would be very laborious to try to remove an address by only being able to send a VL greater than the address's remaining time. Letting the address age out/expire naturally by itself by stopping sending the RA PIO for the prefix would be easier and I think quicker.
Yes, the process you describe is exactly what RFC 4192 recommends for renumbering, and which was tested on common OSes at the time that RFC was written. To begin the renumbering process, you run with PL 0 and VL 2hrs on the "old" prefix, and with normal values on the "new" prefix. To transition to just the new prefix in use, you stop advertising the old prefix, such that addresses formed from it will become invalid and be removed, and during which time the address generated from the new prefix will be used due to RFC 6724 Rule 3.

So from that perspective, there's no need to change RFC 4862 to allow an unauthenticated VL < 2hrs.
Tim
Regards,
Mark.
> > > 1. If the received Valid Lifetime is greater than 2 hours or
> > > greater than RemainingLifetime, set the valid lifetime of the
> > > corresponding address to the advertised Valid Lifetime.
--
JINMEI, Tatuya
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
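The lifetime rule the thread is arguing about, modelled as an added example (this is not code from the thread, from RFC 4862, or from any real IPv6 stack). It implements the three-step Valid Lifetime check of RFC 4862 section 5.5.3(e) quoted above, the "avoid deprecated addresses" source-selection rule of RFC 6724 (Rule 3), and the RFC 4192 renumbering sequence Tim describes (old prefix with PL 0 / VL 2h next to the new prefix, then the old PIO is withdrawn). The prefixes, lifetimes and simulated clock are constructed, and the `authenticated` flag is an assumed stand-in for an RA verified by SEND (RFC 3971):

```python
"""Host-side model of RFC 4862 5.5.3(e) lifetime handling and RFC 4192 renumbering.
Constructed illustration: times are simulated seconds, prefixes are documentation
prefixes, and `authenticated` stands in for a SEND-verified Router Advertisement."""

TWO_HOURS = 2 * 3600


class SlaacAddress:
    """An address formed by SLAAC from a Prefix Information Option (PIO)."""

    def __init__(self, prefix, now, preferred_lifetime, valid_lifetime):
        self.prefix = prefix
        self.preferred_until = now + preferred_lifetime
        self.valid_until = now + valid_lifetime

    def remaining_valid(self, now):
        return max(0, self.valid_until - now)

    def is_deprecated(self, now):
        return now >= self.preferred_until

    def is_valid(self, now):
        return now < self.valid_until

    def apply_pio(self, now, preferred_lifetime, valid_lifetime, authenticated=False):
        """RFC 4862 5.5.3(e): the Preferred Lifetime is always accepted (so PL 0
        deprecates at once), but the Valid Lifetime can only be cut below two
        hours by an authenticated RA.  Returns which branch was taken."""
        self.preferred_until = now + preferred_lifetime
        remaining = self.remaining_valid(now)
        if valid_lifetime > TWO_HOURS or valid_lifetime > remaining:
            # (1) any VL above 2h, or any lengthening, is accepted as advertised
            self.valid_until = now + valid_lifetime
            return "accepted"
        if remaining <= TWO_HOURS:
            # (2) already inside the 2h window: ignore unless the RA is authenticated
            if authenticated:
                self.valid_until = now + valid_lifetime
                return "accepted-authenticated"
            return "ignored"
        # (3) would shorten below 2h without authentication: clamp to 2h instead
        self.valid_until = now + TWO_HOURS
        return "clamped-to-2h"


def select_source(addresses, now):
    """RFC 6724 Rule 3 (avoid deprecated addresses): prefer a valid, non-deprecated
    address; fall back to a deprecated-but-valid one only if nothing else is left."""
    live = [a for a in addresses if a.is_valid(now)]
    preferred = [a for a in live if not a.is_deprecated(now)]
    return (preferred or live or [None])[0]


def simulate_renumbering():
    """RFC 4192 sequence: at t=0 the old prefix is advertised with PL 0 / VL 2h
    beside the new prefix, then the old PIO is simply no longer sent."""
    old = SlaacAddress("2001:db8:1::/64", 0, 7 * 86400, 30 * 86400)
    new = SlaacAddress("2001:db8:2::/64", 0, 7 * 86400, 30 * 86400)
    addrs = [old, new]
    events = {}
    events["old_vl_result"] = old.apply_pio(0, 0, TWO_HOURS)   # unauthenticated RA
    events["deprecated_at_0"] = old.is_deprecated(0)           # PL 0 takes effect now
    events["source_at_0"] = select_source(addrs, 0).prefix     # new prefix wins (Rule 3)
    # No further PIO for the old prefix: it ages out after the 2h valid lifetime.
    events["old_valid_after_2h"] = old.is_valid(TWO_HOURS)
    events["source_after_2h"] = select_source(addrs, TWO_HOURS).prefix
    return events


def rogue_ra_vl_zero():
    """Mark's point: an unauthenticated RA carrying VL 0 cannot kill an address.
    The first one is clamped to 2h, the next is ignored; only an authenticated
    RA can actually invalidate it."""
    a = SlaacAddress("2001:db8:1::/64", 0, 7 * 86400, 30 * 86400)
    first = a.apply_pio(0, 0, 0)                    # remaining 30d  -> clamped to 2h
    second = a.apply_pio(1, 0, 0)                   # remaining <2h  -> ignored
    still_valid = a.is_valid(3600)                  # address survives the rogue RA
    authed = a.apply_pio(2, 0, 0, authenticated=True)
    return first, second, still_valid, authed, a.is_valid(3)


if __name__ == "__main__":
    print(simulate_renumbering())
    print(rogue_ra_vl_zero())
```

Two things the model makes visible that the prose only implies: an advertised VL of exactly two hours on an address with a long remaining lifetime lands in branch (3), which sets the same two-hour value the operator wanted, so the RFC 4192 procedure never needs the unauthenticated sub-two-hour path; and a rogue VL 0 leaves the address valid for the full two hours, which is the DoS window the check is designed to bound.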