Mark Smith | 1 Jun 23:17 2008

Re: DAD problem when a looped interface comes back up

On Tue, 27 May 2008 09:12:43 +0200
"Ole Troan" <otroan <at> employees.org> wrote:

> > FYI,
> >
> > This issue, from cisco-nsp list, might be of interest here.  When an
> > interface is looped, it will fail DAD, and if the condition lasts long
> > enough, you might not recover from it automatically.
> 
> this is a flaw in the way DAD was designed. one solution could be to
> add a nonce option to ND. another would be to turn DAD off.
> 

I'd have expected that administratively disabling and then re-enabling
the interface (after having fixed the looped interface issue) would
restart the DAD process.

Regards,
Mark.

> /ot
> 
> > On Tue, 27 May 2008, Gert Doering wrote:
> >> On Tue, May 27, 2008 at 03:00:26AM +0300, Hank Nussbacher wrote:
> >>> When we did some line testing and did some loop testing on the link we got:
> >>> %IPV6-4-DUPLICATE: Duplicate address FE80::215:2CFF:FE87:B240 on POS11/0/0
> >>>
> >>> petach-tikva-gp# sho ipv6 int pos11/0/0
> >>> POS11/0/0 is up, line protocol is up
> >>>    IPv6 is stalled, link-local address is FE80::215:2CFF:FE87:B240 [DUP]

Hemant Singh (shemant | 3 Jun 22:50 2008

RE: I-D Action:draft-ietf-6man-ipv6-subnet-model-00.txt

Folks,

Could you please review this draft now that it's a 6man WG work item. So
far this version has taken care of comments on an earlier version that
the following folks reviewed. 

Suresh Krishnan
Jinmei Tatuya
Thomas Narten
Ralph Droms

Brian Carpenter sent us a private email on his review of this version.
We have taken care of his review as follows. 

At the end of section 2, the following paragraph has been changed from

[This case is analogous to the behavior
specified in the last paragraph of section 7.2.2 of
[RFC4861]: when address resolution fails, the host SHOULD
send an ICMPv6 Destination Unreachable indication as
specified in [RFC4861].  The specified behavior MAY be
extended to cover this case where address resolution cannot
be performed.]

to

[This case is specified in the last paragraph of section 4 of
[RFC4943]: when there is no route to destination, the host 
should send an ICMPv6 Destination Unreachable indication 
(for example, a locally delivered error message) as

Arifumi Matsumoto | 5 Jun 10:28 2008

Re: Your comment on the minutes for 6man <at> IETF71

Rémi,

thank you for clarification.

Regarding IPv4 private address scope issue, in ietf <at> ietf.org ML,
it was discussed a lot recently and some people suggested to
make IPv4 private address scope global.

As you mentioned, I agree that application specific address
selection behavior should be implemented by using RFC 5014 or
its extension.

Anyway, these issues should be fixed by revising RFC 3484 itself
I believe.

Kindest regards,

Arifumi Matsumoto

On 2008/06/03, at 20:20, Rémi Denis-Courmont wrote:

>
> 	Hello,
>
> On Tuesday 03 June 2008 13:44:26 ext Ruri Hiromi wrote :
>> Hello, we are just reviewing the minutes for modification of our
>> draft (http://www.ietf.org/internet-drafts/draft-ietf-6man-addr-select-sol-00.txt),
>> we hope you taking your time for clarification of your comment.
>>

Silviu VLASCEANU | 6 Jun 14:28 2008

[NDP] Router autoconfiguration with RS/RA

Hello,

I have been trying to figure out a response for the following questions, but I have only suppositions and I haven't found (yet) a document that accurately talks about it. So I am asking here.

Why wouldn't a router be authorized to send Router Solicitation messages?
Moreover, why couldn't a router autoconfigure its egress interface based on Router Advertisements received on this interface? The same question for autoconfiguring the prefix it advertises on its subnets.

The only answer that comes to my mind is because an attack over these messages could render not only a host unreachable, but maybe a whole subnet. But apart from this, is there really any other reason for not allowing this?

Thank you in advance for the answers.

Best regards,
--
Silviu

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 <at> ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
Remi Denis-Courmont | 6 Jun 15:02 2008

Re: [NDP] Router autoconfiguration with RS/RA


On Fri, 6 Jun 2008 14:28:51 +0200, "Silviu VLASCEANU"
<silviu.vlasceanu <at> gmail.com> wrote:
> Why wouldn't a router be authorized to send Router Solicitation
> messages?
> Moreover, why couldn't a router autoconfigure its egress interface based
> on Router Advertisements received on this interface?

That would be useless. Let's ignore security issues. And let's even assume a
hierarchical network.

A router could learn what its "upstream" router is using RS/RA. But what's
the point? It would still not be able to route. Something needs to
configure the downstream prefixes from the downstream router to the
upstream router.
In other words, you need:
 - prefix delegation,
 - static configuration, or
 - a real routing protocol.

Once you have one of these, RS/RA is effectively useless.

> The same question for autoconfiguring the prefix it advertises on its
> subnets.

You cannot do that statelessly. That's why.

--

-- 
Rémi Denis-Courmont
http://www.remlab.net

Hemant Singh (shemant | 6 Jun 15:27 2008

RE: [NDP] Router autoconfiguration with RS/RA

Silviu,
 
A router can receive an RA on the router's upstream and use this RA to autoconfigure the ipv6 address on interface(s) of the router. Such a router interface configuration is no different from how a host interface statelessly autoconfigures as per ND RFC 4861 and 4862. However, ND RFC's do not mandate what does a router implementation do for sending RA, configuring network prefixes in the router downstream direction - these are conceptual variables that a router vendor is left to do what they want to do.
 
As to answering your question which was:
 
"Why wouldn't a router be authorized to send Router Solicitation messages?"
 
here is my reply.
 
As far as the interface on the router has no RA configured, and the interface is configuring an IPv6 address using stateless autoconfiguration or even manual configuration, this interface is OK to send an RS in the router downstream. However, soon as any RA configuration for router downstream is configured on the network interface, then ND prohibits a router to send any RS.
 
Furthermore, I totally agree with Remi on his reply to this question of yours:
 
"The same question for autoconfiguring the prefix it advertises on its subnets."
 
You cannot mix router upstream and downstream operations in random fashion. IPv6 stateless autoconfiguration does not support prefix and router configuration of an upstream router. One should be careful discussing router downstream vs. router upstream directions for address configuration, routing configuration, and IPv6 ND RA configuration.
 
Hemant
From: ipv6-bounces <at> ietf.org [mailto:ipv6-bounces <at> ietf.org] On Behalf Of Silviu VLASCEANU
Sent: Friday, June 06, 2008 8:29 AM
To: ipv6 <at> ietf.org
Subject: [NDP] Router autoconfiguration with RS/RA

Hello,

I have been trying to figure out a response for the following questions, but I have only suppositions and I haven't found (yet) a document that accurately talks about it. So I am asking here.

Why wouldn't a router be authorized to send Router Solicitation messages?
Moreover, why couldn't a router autoconfigure its egress interface based on Router Advertisements received on this interface? The same question for autoconfiguring the prefix it advertises on its subnets.

The only answer that comes to my mind is because an attack over these messages could render not only a host unreachable, but maybe a whole subnet. But apart from this, is there really any other reason for not allowing this?

Thank you in advance for the answers.

Best regards,
--
Silviu
Silviu VLASCEANU | 6 Jun 17:01 2008

Re: [NDP] Router autoconfiguration with RS/RA

I thank you both for the quick reaction. I generally agree. However, I have some inline comments.

2008/6/6 Hemant Singh (shemant) <shemant <at> cisco.com>:

> Silviu,
>
> A router can receive an RA on the router's upstream and use this RA to autoconfigure the ipv6 address on interface(s) of the router. Such a router interface configuration is no different from how a host interface statelessly autoconfigures as per ND RFC 4861 and 4862.

I agree and I also thought that this should be possible.

> However, ND RFC's do not mandate what does a router implementation do for sending RA, configuring network prefixes in the router downstream direction - these are conceptual variables that a router vendor is left to do what they want to do.

Noticed that too :)

> As to answering your question which was:
>
> "Why wouldn't a router be authorized to send Router Solicitation messages?"

My question was related to sending Router Solicitations on the upstream interface.

> here is my reply.
>
> As far as the interface on the router has no RA configured, and the interface is configuring an IPv6 address using stateless autoconfiguration or even manual configuration, this interface is OK to send an RS in the router downstream.

As I understand, a router could configure its "downstream" interfaces by RAs received from other routers in the "downstream". Is it correct?
This way, the notion of up/downstream would lose its sense.

> However, soon as any RA configuration for router downstream is configured on the network interface, then ND prohibits a router to send any RS.

But if the downstream interface would have already been configured as discussed previously, where is the interest of having a prefix delegated for this downstream interface to advertise?

> Furthermore, I totally agree with Remi on his reply to this question of yours:
>
> "The same question for autoconfiguring the prefix it advertises on its subnets."
>
> You cannot mix router upstream and downstream operations in random fashion. IPv6 stateless autoconfiguration does not support prefix and router configuration of an upstream router. One should be careful discussing router downstream vs. router upstream directions for address configuration, routing configuration, and IPv6 ND RA configuration.

Sorry for my English, probably not the best these days.
I try not to mess things up. The reason I wrote here is that I have seen a solution (ICMPv6 Based Prefix Delegation, expired) for delegating prefixes with (modified) NDP. In one of the reactions at this draft, it was mentioned that routers do not send RS messages but it wasn't mentioned why they wouldn't.

I think that the approach is interesting. I don't know if you already have an opinion on it.

> Hemant

Thanks.

--
Silviu

 

From: ipv6-bounces <at> ietf.org [mailto:ipv6-bounces <at> ietf.org] On Behalf Of Silviu VLASCEANU
Sent: Friday, June 06, 2008 8:29 AM
To: ipv6 <at> ietf.org
Subject: [NDP] Router autoconfiguration with RS/RA

Hello,

I have been trying to figure out a response for the following questions, but I have only suppositions and I haven't found (yet) a document that accurately talks about it. So I am asking here.

Why wouldn't a router be authorized to send Router Solicitation messages?
Moreover, why couldn't a router autoconfigure its egress interface based on Router Advertisements received on this interface? The same question for autoconfiguring the prefix it advertises on its subnets.

The only answer that comes to my mind is because an attack over these messages could render not only a host unreachable, but maybe a whole subnet. But apart from this, is there really any other reason for not allowing this?

Thank you in advance for the answers.

Best regards,
--
Silviu
Alexandru Petrescu | 6 Jun 23:16 2008

Re: [NDP] Router autoconfiguration with RS/RA

Hemant Singh (shemant) wrote:
> Silviu,
> 
> A router can receive an RA on the router's upstream

Yes it can.  It uses it to report whether some things went wrong, log 
stuff, but doesn't act.

> and use this RA to autoconfigure the ipv6 address on interface(s) of
>  the router.

Usually no, it can not.  A particular case of a Mobile Router away from
home can auto-configure an address on its egress interface with
stateless autoconf.  But a non-mobile router (not implementing rfc3963)
can't and it shouldn't.

A router is something that forwards packets.  A linux router can't
auto-configure an address once one sets the forwarding=1.  A Cisco
router I have doubts, but it doesn't mean it follows rfc.

> Such a router interface configuration is no different from how a host
>  interface statelessly autoconfigures as per ND RFC 4861 and 4862. 
> However, ND RFC's do not mandate what does a router implementation do
>  for sending RA, configuring network prefixes in the router
> downstream direction - these are conceptual variables that a router
> vendor is left to do what they want to do.

Not sure what you mean left to vendors? There are some precisely defined
corner cases for configuring routers downstreams like DHCPv6-PD followed
eventually by Router Renumbering.

And, in most cases, assigning addresses to routers is part of a network
planning procedure performed by humans on paper, designed and
redesigned before being deployed; some call it architecting the
network.  That's a good reason for manually (or via SNMP, or other
proprietary tool) to configure addresses on routers, and not with
stateless autoconf.
> 
> As to answering your question which was:
> 
> "Why wouldn't a router be authorized to send Router Solicitation 
> messages?"
> 
> here is my reply.
> 
> As far as the interface on the router has no RA configured, and the 
> interface is configuring an IPv6 address using stateless 
> autoconfiguration or even manual configuration, this interface is OK
>  to send an RS in the router downstream. However, soon as any RA 
> configuration for router downstream is configured on the network 
> interface, then ND prohibits a router to send any RS.
> 
> Furthermore, I totally agree with Remi on his reply to this question
>  of yours:
> 
> "The same question for autoconfiguring the prefix it advertises on 
> its subnets."
> 
> You cannot mix router upstream and downstream operations in random 
> fashion. IPv6 stateless autoconfiguration does not support prefix and
>  router configuration of an upstream router. One should be careful 
> discussing router downstream vs. router upstream directions for 
> address configuration, routing configuration, and IPv6 ND RA 
> configuration.

Well I wouldn't even talk upstream/downstream, just routers and maybe 
default-free routers are very special.

Alex
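
The thread above turns on whether a forwarding Linux box acts on received RAs. As an added example (not part of any message in this thread), the audit below reads the per-interface `forwarding` and `accept_ra` sysctls that current Linux kernels document in ip-sysctl and classifies each interface; the function names, state labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a Linux interface treats received Router
# Advertisements, from its per-interface "forwarding" and "accept_ra" sysctls.

# ra_state FORWARDING ACCEPT_RA -> prints one classification word.
ra_state() {
    fwd=$1
    ara=$2
    case "$ara" in
        0) echo "ignores-ra" ;;                # RAs never processed
        1) if [ "$fwd" = "0" ]; then
               echo "host-accepts-ra"          # host behaviour (SLAAC)
           else
               echo "router-ignores-ra"        # forwarding on: RAs not used
           fi ;;
        2) echo "accepts-ra-always" ;;         # overrides forwarding; review
        *) echo "unknown" ;;
    esac
}

# ra_audit ROOT -> one "iface forwarding accept_ra state" line per interface.
# ROOT defaults to /proc/sys; another ROOT lets the audit run on a copy.
ra_audit() {
    root=${1:-/proc/sys}
    for dir in "$root"/net/ipv6/conf/*/; do
        [ -r "${dir}forwarding" ] && [ -r "${dir}accept_ra" ] || continue
        iface=$(basename "$dir")
        fwd=$(cat "${dir}forwarding")
        ara=$(cat "${dir}accept_ra")
        echo "$iface $fwd $ara $(ra_state "$fwd" "$ara")"
    done
}

# Constructed sample tree (not taken from a real machine) for an offline run.
make_sample_tree() {
    root=$(mktemp -d)
    for spec in "eth0 0 1" "eth1 1 1" "wan0 1 2" "lab0 1 0"; do
        set -- $spec
        mkdir -p "$root/net/ipv6/conf/$1"
        echo "$2" > "$root/net/ipv6/conf/$1/forwarding"
        echo "$3" > "$root/net/ipv6/conf/$1/accept_ra"
    done
    echo "$root"
}

sample=$(make_sample_tree)
ra_audit "$sample"
rm -rf "$sample"
```

Interfaces reported as `accepts-ra-always` are the ones where a forwarding node still takes configuration from RAs on the link, which is the exposure the original question raises.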


Alexandru Petrescu | 6 Jun 23:20 2008

Re: [NDP] Router autoconfiguration with RS/RA

Silviu VLASCEANU wrote:
> I thank you both for the quick reaction. I generally agree. However, I 
> have some inline comments.
> 
> 2008/6/6 Hemant Singh (shemant) <shemant <at> cisco.com 
> <mailto:shemant <at> cisco.com>>:
> 
>     Silviu,
>      
>     A router can receive an RA on the router's upstream and use this RA
>     to autoconfigure the ipv6 address on interface(s) of the router.
>     Such a router interface configuration is no different from how a
>     host interface statelessly autoconfigures as per ND RFC 4861 and 4862. 
> 
> 
> I agree and I also thought that this should be possible.

What do you mean it _should_?  Do you want to write an implementation 
that should do it?  Do you want to modify the rfc?

>     However, ND RFC's do not mandate what does a router implementation
>     do for sending RA, configuring network prefixes in the router
>     downstream direction - these are conceptual variables that a router
>     vendor is left to do what they want to do.
> 
> 
> Noticed that too :)

Well I think RFCs tell very well how a router should send RAs, and they 
also say clearly a router shouldn't use the received RA to 
auto-configure a global address based on the prefix in it.

Or has this changed recently?

>     As to answering your question which was:
>      
>     "Why wouldn't a router be authorized to send Router Solicitation
>     messages?"
> 
> 
> My question was related to sending Router Solicitations on the upstream 
> interface.

What does the RFC say?  Can a router send an RS?

>     here is my reply.
>      
>     As far as the interface on the router has no RA configured, and the
>     interface is configuring an IPv6 address using stateless
>     autoconfiguration or even manual configuration, this interface is OK
>     to send an RS in the router downstream. 
> 
> 
> As I understand, a router could configure its "downstream" interfaces by 
> RAs received from other routers in the "downstream". Is it correct?

I don't think it's correct.

> This way, the notion of up/downstream would lose its sense.

I think RFCs don't use the terms up/downstream at all, no distinguishing 
between them usually.

Alex
