Movatterモバイル変換

[0]ホーム
URL:

RFC 8978Reaction to Renumbering EventsMarch 2021
Gont, et al.Informational[Page]
Stream:
Internet Engineering Task Force (IETF)
RFC:
8978
Category:
Informational
Published:
ISSN:
2070-1721
Authors:
F. Gont
SI6 Networks
J. Žorž
6connect
R. Patterson
Sky UK

RFC 8978

Reaction of IPv6 Stateless Address Autoconfiguration (SLAAC) to Flash-Renumbering Events

Abstract

In scenarios where network configuration informationrelated to IPv6 prefixes becomes invalid without any explicit and reliablesignaling of that condition (such as when a Customer Edge router crashes andreboots without knowledge of the previously employed prefixes), hosts on thelocal network may continue using stale prefixes for an unacceptably long time(on the order of several days), thus resulting in connectivity problems. Thisdocument describes this issue and discusses operational workarounds that mayhelp to improve network robustness. Additionally, it highlights areas wherefurther work may be needed.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8978.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1.Introduction

IPv6 Stateless Address Autoconfiguration (SLAAC)[RFC4862] conveys information about prefixes to beemployed for address configuration via Prefix Information Options (PIOs) sentin Router Advertisement (RA) messages. IPv6 largely assumes prefix stability,with network renumbering only taking place in a planned manner: oldprefixes are deprecated (and eventually invalidated) via reduced prefix lifetimes and new prefixes are introduced (withlonger lifetimes) at the same time. However, there are severalscenarios that may lead to the so-called "flash-renumbering" events, where aprefix employed by a network suddenly becomes invalid and replaced by a newprefix. In some of these scenarios, the local router producing the networkrenumbering event may try to deprecate (and eventually invalidate) the currently employed prefix (byexplicitly signaling the network about the renumbering event), whereas in otherscenarios, it may be unable to do so.

In scenarios where network configuration information related to IPv6prefixes becomes invalid without any explicit and reliable signaling of thatcondition, hosts on the local network may continue using stale prefixes for anunacceptably long period of time, thus resulting in connectivity problems.

Scenarios where this problem may arise include, but are not limited to, the following:

Lacking any explicit and reliable signaling to deprecate (and eventually invalidate) the stale prefixes, hosts may continue to employ the previously configured addresses, which will typically result in packets being filtered or blackholed either on the CE router or within the ISP network.

The default values for the Preferred Lifetime and Valid Lifetime ofPIOs specified in[RFC4861] mean that, in theaforementioned scenarios, the stale addresses would be retained and could beactively employed for new communication instances for an unacceptably longperiod of time (one month and one week, respectively). This could lead tointeroperability problems, instead of hosts transitioning to thenewly advertised prefix(es) in a more timely manner.

Some devices have implemented ad hoc mechanisms to address thisproblem, such as sending RAs to deprecate (and eventually invalidate) apparently stale prefixes when thedevice receives any packets employing a source address from a prefix notcurrently advertised for address configuration on the local network[FRITZ]. However, this may introduce otherinteroperability problems, particularly in multihomed/multi-prefixscenarios. This is a clear indication that advice in this area iswarranted.

Unresponsiveness to these flash-renumbering events is caused by theinability of the network to deprecate (and eventually invalidate) stale information as well as by theinability of hosts to react to network configuration changes in a more timelymanner. Clearly, it would be desirable that these flash-renumbering eventsdo not occur and that, when they do occur, hosts are explicitly andreliably notified of their occurrence. However, for robustness reasons, it isparamount for hosts to be able to recover from stale configuration informationeven when these flash-renumbering events occur and the network is unable toexplicitly and reliably notify hosts about such conditions.

Section 2 analyzes this problem inmore detail.Section 3 describes possibleoperational mitigations.Section 4 describespossible future work to mitigate the aforementioned problem.

2.Analysis of the Problem

As noted inSection 1, the problem discussed in this document is exacerbated by the default values of some protocol parameters and other factors. The following sections analyze each of them in detail.

2.1.Use of Dynamic Prefixes

In network scenarios where dynamic prefixes are employed, renumbering events lead to updated network configuration information being propagated through the network, such that the renumbering events are gracefully handled. However, if the renumbering event happens along with, e.g., loss of configuration state by some of the devices involved in the renumbering procedure (e.g., a router crashes, reboots, and gets leased a new prefix), this may result in a flash-renumbering event, where new prefixes are introduced without properly phasing out the old ones.

In simple residential or small office scenarios, the problem discussed in this document would be avoided if DHCPv6-PD leased "stable" prefixes. However, a recent survey[UK-NOF] indicates that 37% of the responding ISPs employ dynamic IPv6 prefixes. That is, dynamic IPv6 prefixes are an operational reality.

Deployment reality aside, there are a number of possible issues associated with stable prefixes:

  • Provisioning systems may be unable to deliver stable IPv6 prefixes.
  • While an ISP might lease stable prefixes to the home or smalloffice, the Customer Edge router might in turn lease sub-prefixes of theseprefixes to other internal network devices. Unless the associated leasedatabases are stored on non-volatile memory, these internal devices might getleased dynamic sub-prefixes of the stable prefix leased by the ISP. In otherwords, every time a prefix is leased, there is the potential for the resultingprefixes to become dynamic, even if the device leasing sub-prefixes has beenleased a stable prefix by its upstream router.
  • While there is a range of information that may be employed tocorrelate network activity[RFC7721], the useof stable prefixes clearly simplifies network activity correlation and may reduce the effectiveness of "temporary addresses"[RFC8981].
  • There might be existing advice for ISPs to deliver dynamic IPv6prefixesby default (e.g., see[GERMAN-DP]) over privacy concerns associated with stable prefixes.
  • There might be scalability and performance drawbacks of either a disaggregated distributed routing topology or a centralized topology, which are often required to provide stable prefixes, i.e., distributing more-specific routes or summarizing routes at centralized locations.

For a number of reasons (such as the ones stated above), IPv6 deployments might employ dynamic prefixes (even at the expense of the issues discussed in this document), and there might be scenarios in which the dynamics of a network are such that the network exhibits the behavior of dynamic prefixes. Rather than trying to regulate how operators may run their networks, this document aims at improving network robustness in the deployed Internet.

2.2.Default PIO Lifetime Values in IPv6 Stateless Address Autoconfiguration (SLAAC)

The impact of the issue discussed in this document is a function of the lifetime values employed for PIOs, since these values determine for how long the corresponding addresses will be preferred and considered valid. Thus, when the problem discussed in this document is experienced, the longer the PIO lifetimes, the higher the impact.

[RFC4861] specifies the following default PIO lifetime values:

  • Preferred Lifetime (AdvPreferredLifetime): 604800 seconds (7 days)
  • Valid Lifetime (AdvValidLifetime): 2592000 seconds (30 days)

Under problematic circumstances, such as when the corresponding network information has become stale without any explicit and reliable signal from the network (as described inSection 1), it could take hosts up to 7 days (one week) to deprecate the corresponding addresses and up to 30 days (one month) to eventually invalidate and remove any addresses configured for the stale prefix. This means that it will typically take hosts an unacceptably long period of time (on the order of several days) to recover from these scenarios.

2.3.Recovering from Stale Network Configuration Information

SLAAC hosts are unable to recover from stale network configuration information, since:

  • In scenarios where SLAAC routers explicitly signal the renumbering event, hosts will typically deprecate, but not invalidate, the stale addresses, since item "e)" ofSection 5.5.3 of [RFC4862] specifies that an unauthenticated RA may never reduce the valid lifetime of an address to less than two hours. Communication with the new "users" of the stale prefix will not be possible, since the stale prefix will still be considered "on-link" by the local hosts.
  • In the absence of explicit signaling from SLAAC routers, SLAAC hosts will typically fail to recover from stale configuration information in a timely manner, since hosts would need to rely on the last Preferred Lifetime and Valid Lifetime advertised for the stale prefix, for the corresponding addresses to become deprecated and subsequently invalidated. Please seeSection 2.2 of this document for a discussion of the default PIO lifetime values.

2.4.Lack of Explicit Signaling about Stale Information

Whenever prefix information has changed, a SLAAC router should advertise not only the new information but also the stale information with appropriate lifetime values (both the Preferred Lifetime and the Valid Lifetime set to 0). This would provide explicit signaling to SLAAC hosts to remove the stale information (including configured addresses and routes). However, in certain scenarios, such as when a CE router crashes and reboots, the CErouter may have no knowledge about the previously advertised prefixes and thusmight be unable to advertise them with appropriate lifetimes (in order todeprecate and eventually invalidate them).

In any case, we note that, as discussed inSection 2.3, PIOs with small Valid Lifetimes in unauthenticated RAs willnot lower the Valid Lifetime to any value shorter than two hours (as per[RFC4862]). Therefore, even if a SLAAC router triedto explicitly signal the network about the stale configuration information viaunauthenticated RAs, implementations compliant with[RFC4862] would deprecate the corresponding prefixes but would failto invalidate them.

NOTE:

Some implementations have been updated to honor small PIO lifetimesvalues, as proposed in[RENUM-RXN]. For example, please see[Linux-update].

2.5.Interaction between DHCPv6-PD and SLAAC

While DHCPv6-PD is normally employed along with SLAAC, the interaction between the two protocols is largely unspecified. Not unusually, the two protocols are implemented in two different software components, with the interface between the two implemented by means of some sort of script that feeds the SLAAC implementation with values learned from DHCPv6-PD.

At times, the prefix lease time is fed as a constant value to theSLAAC router implementation, meaning that, eventually, the prefix lifetimesadvertised on the LAN side will spanpast the DHCPv6-PD leasetime. This is clearly incorrect, since the SLAAC router implementation would beallowing the use of such prefixes for a period of time that is longer than the one they have been leased for via DHCPv6-PD.

3.Operational Mitigations

The following subsections discuss possible operational workaroundsfor the aforementioned problems.

3.1.Stable Prefixes

As noted inSection 2.1, the use ofstable prefixes would eliminate the issue insome of thescenarios discussed inSection 1 of thisdocument, such as the typical home network deployment. However, as noted inSection 2.1, there might be reasons for which an administrator may want or mayneed to employ dynamic prefixes.

3.2.SLAAC Parameter Tweaking

An operator may wish to override some SLAAC parameters such that,under normal circumstances, the associated timers will be refreshed/reset, but in thepresence of network faults (such as the one discussed in this document), theassociated timers go off and trigger some fault recovering action (e.g., deprecate andeventually invalidate stale addresses).

The following router configuration variables from[RFC4861] (corresponding to the "lifetime" parametersof PIOs) could be overridden as follows:

  • AdvPreferredLifetime: 2700 seconds (45 minutes)
  • AdvValidLifetime: 5400 seconds (90 minutes)

NOTES:

The aforementioned values for AdvPreferredLifetime and AdvValidLifetime areexpected to be appropriate for most networks. In some networks, particularlythose where the operator has complete control of prefix allocation and where hosts onthe network may spend long periods of time sleeping (e.g., sensors with limitedbattery), longer values may be appropriate.

A CE router advertising a sub-prefix of a prefix leased via DHCPv6-PD willperiodically refresh the Preferred Lifetime and the Valid Lifetime of anadvertised prefix to AdvPreferredLifetime and AdvValidLifetime, respectively,as long as the resulting lifetimes of the corresponding prefixes do not extendpast the DHCPv6-PD lease time[RENUM-CPE].

RATIONALE:

  • In the context of[RFC8028],where it is clear that use of addresses configured for a given prefix is tiedto using the next-hop router that advertised the prefix, it does not make sensefor the Preferred Lifetime of a PIO to be larger than the Router Lifetime(AdvDefaultLifetime) of the corresponding Router Advertisement messages. TheValid Lifetime is set to a larger value to cope with transient networkproblems.
  • Lacking RAs that refresh information, addresses configured for advertisedprefixes become deprecated in a more timely manner; therefore, Rule 3 of[RFC6724] causes other configured addresses (ifavailable) to be used instead.
  • Reducing the Valid Lifetime of PIOs helps reduce the amount of time a host may maintain stale information and the amount of time an advertising router would need to advertise stale prefixes to invalidate them. Reducing the Preferred Lifetime of PIOs helps reduce the amount of time it takes for a host to prefer other working prefixes (seeSection 12 of [RFC4861]). However, we note that while the values suggested in this section are an improvement over the default values specified in[RFC4861], they represent a trade-off among a number of factors, including responsiveness, possible impact on the battery life of connected devices[RFC7772], etc. Thus, they may or may not provide sufficient mitigation to the problem discussed in this document.

4.Future Work

Improvements in Customer Edge routers[RFC7084], such that they can signal hosts about stale prefixesto deprecate (and eventually invalidate) them accordingly, can help mitigate the problem discussed in thisdocument for the "home network" scenario. Such work is currently being pursuedin[RENUM-CPE].

Improvements in the SLAAC protocol[RFC4862] and some IPv6-related algorithms, such as "Default Address Selection forInternet Protocol Version 6 (IPv6)"[RFC6724], would help improve networkrobustness. Such work is currently being pursued in[RENUM-RXN].

The aforementioned work is considered out of the scope of thispresent document, which only focuses on documenting the problem and discussingoperational mitigations.

5.IANA Considerations

This document has no IANA actions.

6.Security Considerations

This document discusses a problem that may arise in scenarios whereflash-renumbering events occur and proposes workarounds to mitigate theaforementioned problem. This document does not introduce any new securityissues; therefore, the same security considerations as for[RFC4861] and[RFC4862] apply.

7.References

7.1.Normative References

[RFC4861]
Narten, T., Nordmark, E., Simpson, W., and H. Soliman,"Neighbor Discovery for IP version 6 (IPv6)",RFC 4861,DOI 10.17487/RFC4861,,<https://www.rfc-editor.org/info/rfc4861>.
[RFC4862]
Thomson, S., Narten, T., and T. Jinmei,"IPv6 Stateless Address Autoconfiguration",RFC 4862,DOI 10.17487/RFC4862,,<https://www.rfc-editor.org/info/rfc4862>.
[RFC6724]
Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,"Default Address Selection for Internet Protocol Version 6 (IPv6)",RFC 6724,DOI 10.17487/RFC6724,,<https://www.rfc-editor.org/info/rfc6724>.
[RFC8028]
Baker, F. and B. Carpenter,"First-Hop Router Selection by Hosts in a Multi-Prefix Network",RFC 8028,DOI 10.17487/RFC8028,,<https://www.rfc-editor.org/info/rfc8028>.
[RFC8415]
Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., Richardson, M., Jiang, S., Lemon, T., and T. Winters,"Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",RFC 8415,DOI 10.17487/RFC8415,,<https://www.rfc-editor.org/info/rfc8415>.

7.2.Informative References

[DEFAULT-ADDR]
Linkova, J.,"Default Address Selection and Subnet Renumbering",Work in Progress,Internet-Draft, draft-linkova-6man-default-addr-selection-update-00,,<https://tools.ietf.org/html/draft-linkova-6man-default-addr-selection-update-00>.
[FRITZ]
Gont, F.,"Quiz: Weird IPv6 Traffic on the Local Network (updated with solution)",SI6 Networks,,<https://www.si6networks.com/2016/02/16/quiz-weird-ipv6-traffic-on-the-local-network-updated-with-solution/>.
[GERMAN-DP]
BFDI,"Einführung von IPv6: Hinweise für Provider im Privatkundengeschäft und Hersteller" [Introduction of IPv6: Notes for providers in the consumer market and manufacturers],Entschliessung der 84. Konferenz der Datenschutzbeauftragten des Bundes und der Lander [Resolution of the 84th Conference of the Federal and State Commissioners for Data Protection],,<http://www.bfdi.bund.de/SharedDocs/Publikationen/Entschliessungssammlung/DSBundLaender/84DSK_EinfuehrungIPv6.pdf?__blob=publicationFile>.
[Linux-update]
Gont, F.,"Subject: [net-next] ipv6: Honor all IPv6 PIO Valid Lifetime values",message to the netdev mailing list,,<https://patchwork.ozlabs.org/project/netdev/patch/20200419122457.GA971@archlinux-current.localdomain/>.
[RENUM-CPE]
Gont, F., Zorz, J., Patterson, R., and B. Volz,"Improving the Reaction of Customer Edge Routers to IPv6 Renumbering Events",Work in Progress,Internet-Draft, draft-ietf-v6ops-cpe-slaac-renum-07,,<https://tools.ietf.org/html/draft-ietf-v6ops-cpe-slaac-renum-07>.
[RENUM-RXN]
Gont, F., Zorz, J., and R. Patterson,"Improving the Robustness of Stateless Address Autoconfiguration (SLAAC) to Flash Renumbering Events",Work in Progress,Internet-Draft, draft-ietf-6man-slaac-renum-02,,<https://tools.ietf.org/html/draft-ietf-6man-slaac-renum-02>.
[RFC7084]
Singh, H., Beebee, W., Donley, C., and B. Stark,"Basic Requirements for IPv6 Customer Edge Routers",RFC 7084,DOI 10.17487/RFC7084,,<https://www.rfc-editor.org/info/rfc7084>.
[RFC7721]
Cooper, A., Gont, F., and D. Thaler,"Security and Privacy Considerations for IPv6 Address Generation Mechanisms",RFC 7721,DOI 10.17487/RFC7721,,<https://www.rfc-editor.org/info/rfc7721>.
[RFC7772]
Yourtchenko, A. and L. Colitti,"Reducing Energy Consumption of Router Advertisements",BCP 202,RFC 7772,DOI 10.17487/RFC7772,,<https://www.rfc-editor.org/info/rfc7772>.
[RFC8981]
Gont, F., Krishnan, S., Narten, T., and R. Draves,"Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6",RFC 8981,DOI 10.17487/RFC8981,,<https://www.rfc-editor.org/info/rfc8981>.
[RIPE-690]
Žorž, J., Steffann, S., Dražumerič, P., Townsley, M., Alston, A., Doering, G., Palet Martinez, J., Linkova, J., Balbinot, L., Meynell, K., and L. Howard,"Best Current Operational Practice for Operators: IPv6 prefix assignment for end-users - persistent vs non-persistent, and what size to choose",RIPE 690,,<https://www.ripe.net/publications/docs/ripe-690>.
[UK-NOF]
Palet Martinez, J.,"IPv6 Deployment Survey and BCOP",UK NOF 39,,<https://indico.uknof.org.uk/event/41/contributions/542/>.

Acknowledgments

The authors would like to thank (in alphabetical order)Brian Carpenter,Alissa Cooper,Roman Danyliw,Owen DeLong,Martin Duke,Guillermo Gont,Philip Homburg,Sheng Jiang,Benjamin Kaduk,Erik Kline,Murray Kucherawy,Warren Kumari,Ted Lemon,Juergen Schoenwaelder,Éric Vyncke,Klaas Wierenga,Robert Wilton, andDale Worley for providing valuable comments on earlier draft versions of this document.

The authors would like to thank (in alphabetical order)Mikael Abrahamsson,Luis Balbinot,Brian Carpenter,Tassos Chatzithomaoglou,Uesley Correa,Owen DeLong,Gert Doering,Martin Duke,Fernando Frediani,Steinar Haug,Nick Hilliard,Philip Homburg,Lee Howard,Christian Huitema,Ted Lemon,Albert Manfredi,Jordi Palet Martinez,Michael Richardson,Mark Smith,Tarko Tikan, andOle Troan for providing valuable comments on a previous document on which this document is based.

Fernando would like to thankAlejandro D'Egidio andSander Steffann for a discussion of these issues. Fernando would also like to thankBrian Carpenter who, over the years, has answered many questions and provided valuable comments that have benefited his protocol-related work.

The problem discussed in this document has been previously documented byJen Linkova in[DEFAULT-ADDR] and also in[RIPE-690].Section 1 borrows text from[DEFAULT-ADDR], authored byJen Linkova.

Authors' Addresses

Fernando Gont
SI6 Networks
Segurola y Habana 4310, 7mo Piso
Villa Devoto
Ciudad Autónoma de Buenos Aires
Argentina
Email:fgont@si6networks.com
URI:https://www.si6networks.com
Jan Žorž
6connect, Inc.
Email:jan@6connect.com
Richard Patterson
Sky UK
Email:richard.patterson@sky.uk
[8]ページ先頭
©2009-2025 Movatter.jp