draft-ietf-v6ops-nd-cache-init-00.txt   draft-ietf-v6ops-nd-cache-init-01.txt 
v6ops J. Linkova v6ops J. Linkova
Internet-Draft Google Internet-Draft Google
Intended status: Informational October 27, 2019 Intended status: Informational December 10, 2019
Expires: April 29, 2020 Expires: June 12, 2020
Neighbor Cache Entries on First-Hop Routers: Operational Considerations Neighbor Cache Entries on First-Hop Routers: Operational Considerations
draft-ietf-v6ops-nd-cache-init-00 draft-ietf-v6ops-nd-cache-init-01
Abstract Abstract
Neighbor Discovery (RFC4861) is used by IPv6 nodes to determine the Neighbor Discovery (RFC4861) is used by IPv6 nodes to determine the
link-layer addresses of neighboring nodes as well as to discover and link-layer addresses of neighboring nodes as well as to discover and
maintain reachability information. This document discusses how the maintain reachability information. This document discusses how the
neighbor discovery state machine on a first-hop router is causing neighbor discovery state machine on a first-hop router is causing
user-visible connectivity issues when a new (not being seen on the user-visible connectivity issues when a new (not being seen on the
network before) IPv6 address is being used. network before) IPv6 address is being used.
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 29, 2020. This Internet-Draft will expire on June 12, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Potential Solutions . . . . . . . . . . . . . . . . . . . . . 5 2. Proposed Solution . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Do Nothing . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Solution Requirements . . . . . . . . . . . . . . . . . . 4
2.1.1. Pros . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Solution Overview . . . . . . . . . . . . . . . . . . . . 5
2.1.2. Cons . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Solutions Considered but Discarded . . . . . . . . . . . . . 6
2.2. Change to the Registration-Based Neighbor Discovery . . . 6 3.1. Do Nothing . . . . . . . . . . . . . . . . . . . . . . . 6
2.3. Hosts Explicitly Advertizing Their GUAs Using Existing ND 3.2. Change to the Registration-Based Neighbor Discovery . . . 7
Mechanisms . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Host Sending NS to the Router Address from Its GUA . . . 7
2.3.1. Host Sending Unsolicited NA . . . . . . . . . . . . . 6 3.4. Host Sending Router Solicitation from its GUA . . . . . . 7
2.3.1.1. Pros . . . . . . . . . . . . . . . . . . . . . . 7 3.5. Routers Populating Their Caches by Gleaning From Neighbor
2.3.1.2. Cons . . . . . . . . . . . . . . . . . . . . . . 7 Discovery Packets . . . . . . . . . . . . . . . . . . . . 8
2.3.2. Host Sending NS to the Router Address from Its GUA . 7 3.6. Initiating Hosts2Routers Communication . . . . . . . . . 9
2.3.2.1. Pros . . . . . . . . . . . . . . . . . . . . . . 8 3.7. Transit Dataplane Traffic From a New Address Triggering
2.3.2.2. Cons . . . . . . . . . . . . . . . . . . . . . . 8 Address Resolution . . . . . . . . . . . . . . . . . . . 9
2.3.3. Host Sending Router Solicitation from its GUA . . . . 8 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
2.3.3.1. Pros . . . . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
2.3.3.2. Cons . . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10
2.4. Routers Populating Their Caches by Gleaning From Neighbor 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
Discovery Packets . . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
2.4.1. Pros . . . . . . . . . . . . . . . . . . . . . . . . 9 7.2. Informative References . . . . . . . . . . . . . . . . . 11
2.4.2. Cons . . . . . . . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
2.5. Initiating Hosts2Routers Communication . . . . . . . . . 9
2.5.1. Pros . . . . . . . . . . . . . . . . . . . . . . . . 10
2.5.2. Cons . . . . . . . . . . . . . . . . . . . . . . . . 10
2.6. Tweaking Probing Algorithms . . . . . . . . . . . . . . . 10
2.7. Routers Buffering More Packets . . . . . . . . . . . . . 10
2.7.1. Pros . . . . . . . . . . . . . . . . . . . . . . . . 10
2.7.2. Cons . . . . . . . . . . . . . . . . . . . . . . . . 11
3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 11
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.1. Normative References . . . . . . . . . . . . . . . . . . 12
7.2. Informative References . . . . . . . . . . . . . . . . . 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
The section 7.2.5 of [RFC4861] states: "When a valid Neighbor The section 7.2.5 of [RFC4861] states: "When a valid Neighbor
Advertisement is received (either solicited or unsolicited), the Advertisement is received (either solicited or unsolicited), the
Neighbor Cache is searched for the target's entry. If no entry Neighbor Cache is searched for the target's entry. If no entry
exists, the advertisement SHOULD be silently discarded. There is no exists, the advertisement SHOULD be silently discarded. There is no
need to create an entry if none exists, since the recipient has need to create an entry if none exists, since the recipient has
apparently not initiated any communication with the target." apparently not initiated any communication with the target."
This approach is perfectly suitable for host2host communications This approach is perfectly suitable for host2host communications
which are in most cases bi-directional and it could be expected that which are in most cases bi-directional and it could be expected that
if a host A has an ND cache entry for the host B IPv6 address, the if a host A has an ND cache entry for the host B IPv6 address, the
host B also has the corresponding ND entry for the host A address in host B also has the corresponding ND entry for the host A address in
its cache. However when a host communicates to off-link destinations its cache. However when a host communicates to off-link destinations
via its first-hop router that logic does not apply. Here is the most via its first-hop router that logic does not apply. The most typical
typical scenario when the problem may arise: scenario when the problem may arise is a host joining the network,
forming a new address and using that address for accessing the
Internet:
1. When a host joins the network it receives an RA packet from the 1. A host joins the network and receives a Router Advertisement
first-hop router (either a periodic unsolicited RA or a response packet from the first-hop router (either a periodic unsolicited
to an RS sent by the host). The RA contains information the host RA or a response to an RS sent by the host). The RA contains
needs to perform SLAAC and to configure its network stack. Among information the host needs to perform SLAAC and to configure its
other things the host populates its ND cache with the router network stack. As in most cases the RA also contains the Source
link-local address and potentially link-layer address (if link-layer address of the router, the host can populate its
included in the RA Source Link-Layer Address option). Neighbor Cache with the router link-local and link-layer
addresses.
2. The host starts opening connections to off-link destinations. 2. The host starts opening connections to off-link destinations.
Very common use case is a mobile device sending probes to detect Very common use case is a mobile device sending probes to detect
the Internet connectivity and/or the captive portals presence on the Internet connectivity and/or the captive portals presence on
the network. To speed up that process many implementations are the network. To speed up that process many implementations use
using the Optimistic Duplicate Address Detection ([RFC4429]) the Optimistic Duplicate Address Detection [RFC4429] which allows
which allows them to send probes from their GUA before the DAD them to send probes from their GUA before the DAD process is
process is completed. Imprortant point here is that at that completed. At that moment the device ND cache contains all
moment the device ND cache contains all information required to information required to send those probes (such as the default
send those probes (such as the default gateway LLA and the link- gateway LLA and the link-layer address). The router ND cache,
layer address). The router ND cache, however, might contain an however, might contain an entry for the device link-local address
entry for the device link-local address (if the device has been (if the device has been performing the ND process for the roiter
performing the ND process for the roiter LLA) but there are no LLA) but there are no entries for the device GUA.
entries for the device GUA.
3. Response packets for the probes (or any other traffic sent by the 3. Return traffic is received by the first-hop router. As the
host) are received by the first-hop router. As the router does router does not have any ND cache entry for the host GUA yet, the
not have any ND cache entry for the host GUA, the router starts router starts the neighbor discovery process by creating an
the neighbor discovery process by creating an INCOMPLETE cache INCOMPLETE cache entry and then sending an NS to the Solicited
entry and then sending an NS to the Solicited Node Multicast Node Multicast Address. Most router implementations buffer only
Address. Apparently most of the router implementations buffer one data packet while performing the neighbor discovery for the
only one data packet while performing the ND process for its packet destination address, so it would drop all subsequent
destination. Therefore all packets for the host GUA, except for packets for the host GUA, until the address resolution process is
the very first one are dropped until the address resolution completed.
process is completed.
4. As many implementations send multiple probes in parallel it's 4. If the host sends multiple probes in parallel it would considered
very likely that all probes ex. the first one would be considered all but one of them failed. It leads to user-visible delay in
failed. If the host implements an exponential backoff for connecting to the network, especially if the host implements some
probing it leads to user-noticeable delay in detecting network form of backoff mechanism and does not retransmit the porbes as
connectivity/reporting the network as usable. soon as possible.
The above-mentioned scenario illustrates the problem happening when This scenario illustrates the problem happening when the device
the device connects to the network for the first time/after a long connects to the network for the first time or after a timeout long
timeout. However the same sequence of events happen when the host enough for the device address to be removed from the router neighbor
starts using the new (previously unseen by the router or ) GUA (e.g. cache. However the same sequence of events happen when the host
a new privacy address [RFC4941]) or if the router Neighbor Cache has starts using the new GUA previously unseen by the router, such as a
new privacy address [RFC4941] or if the router Neighbor Cache has
been flushed. been flushed.
While in dual-stack networks this problem might hidden by Happy While in dual-stack networks this problem might hidden by Happy
Eyeballs ([RFC8305]) it manifests itself quite clearly in IPv6-only Eyeballs [RFC8305] it manifest quite clearly in IPv6-only
networks, especially wireless ones, leading to poor user experience environments, especially wireless ones, leading to poor user
and contributing to negative perception of IPv6-only solutions as experience and contributing to negative perception of IPv6-only
unstable and non-deployable. solutions as unstable and non-deployable.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Terminology 1.2. Terminology
skipping to change at page 4, line 46 skipping to change at page 4, line 28
ND: Neighbor Discovery, [RFC4861]. ND: Neighbor Discovery, [RFC4861].
SLAAC: IPv6 Stateless Address Autoconfiguration, [RFC4862]. SLAAC: IPv6 Stateless Address Autoconfiguration, [RFC4862].
NS: Neighbor Solicitation, [RFC4861]. NS: Neighbor Solicitation, [RFC4861].
NA: Neighbor Advertisement, [RFC4861]. NA: Neighbor Advertisement, [RFC4861].
RS: Router Solicitation, [RFC4861]. RS: Router Solicitation, [RFC4861].
RA: Router Advertisement, [RFC4861]. RA: outer Advertisement, [RFC4861].
SLLA: Source link-layer Address, an option in the ND packets SLLA: Source link-layer Address, an option in the ND packets
containing the link-layer address of the sender of the packet containing the link-layer address of the sender of the packet,
([RFC4861]). [RFC4861].
TLLA: Target link-layer Address, an option in the ND packets TLLA: Target link-layer Address, an option in the ND packets
containing the link-layer address of the target ([RFC4861]). containing the link-layer address of the target, [RFC4861].
GUA: Global Unicast Address ([RFC4291]). GUA: Global Unicast Address, [RFC4291].
DAD: Duplicate Address Detection, [RFC4862]. DAD: Duplicate Address Detection, [RFC4862].
Optimistic DAD: a modification of DAD, [RFC4429]. Optimistic DAD: a modification of DAD, [RFC4429].
2. Potential Solutions 2. Proposed Solution
2.1. Solution Requirements
It would be highly desirable to improve the Neighbor Discovery
mechanics so routers have a usable cache entry for a host address by
the time the first packet for that address is received by the router.
In particular,
o If the router does not have a Neighbor Cache entry for the
address, a STALE entry needs to be created.
o The solution needs to work for Optimistic addresses as well.
Devices implementing the Optimistic DAD usually attempt to
minimize the delay in connecting to the network and therefore are
more likely to be affected by the problem described in this
document.
o In case of duplicate addresses present in the network the proposed
solution MUST NOT override the existing entry.
o In topologies with multiple first hop routers the cache needs to
be updated on all of them, as traffic might be asymmetric:
outgoing flows leaving the network via one router while the return
traffic enters the segment via another one.
2.2. Solution Overview
The Neighbor Discovery is designed to allow IPv6 nodes to discover
neighboring nodes reachability and learn IPv6 to link-layer addresses
mapping. Therefore ND seems to be the most appropriate tool to
inform the first-hop routers about addresses the host is going to
use.
Section 4.4 of [RFC4861] says:
"A node sends Neighbor Advertisements in response to Neighbor
Solicitations and sends unsolicited Neighbor Advertisements in order
to (unreliably) propagate new information quickly."
Propagating information about new GUA as quickly as possible is
exactly what is required to solve the problem outlined in this
document. Therefore the host might send an unsolicited NA with the
target link-layer address option to advertize its GUA as soon as the
said address enters Optimistic or Preferred state.
The proposed solution is discussed in [I-D.linkova-6man-grand]. In
summary the follwing changes to [RFC4861] are suggested:
o Hosts SHOULD send at least one unsolicited NA packet to all-
routers multicast address (ff02::2) as soon as one of the
following events happens:
* (if Optimistic DAD is used): a new Optimistic GUA is assigned
to the host interface.
* (if Optimistic DAD is not used): a GUA changes the state from
tentative to preferred.
o Routers SHOULD create a new ND cache entry upon receiving
unsolicited NAs.
It should be noted that some routing and switching platforms have
implemented such behaviour already. Administrators could enable
creating neighbor discovery cache entries based on unsolicited NA
packets sent from the previously unknown neighbors on that interface.
3. Solutions Considered but Discarded
The problem could be addressed from different angles. Possible The problem could be addressed from different angles. Possible
approaches are: approaches are:
o Just do nothing. o Just do nothing.
o Migrate from the "reactive" Neighbor Discovery ([RFC4861]) to the o Migrate from the "reactive" Neighbor Discovery ([RFC4861]) to the
registration-based mechanisms ([RFC8505]). registration-based mechanisms ([RFC8505]).
o The host explicitly advertizes its GUAs using Neighbor Discovery
mechanisms.
o The router creates new entries in its Neighbor Cache by gleaning o The router creates new entries in its Neighbor Cache by gleaning
from Neighbor Discovery DAD messages. from Neighbor Discovery DAD messages.
o The host initiates bidirectional communication to the router using o The host initiates bidirectional communication to the router using
the host GUA. the host GUA.
o Making the probing logic on hosts more robust. o Making the probing logic on hosts more robust.
o Increasing the buffer size on routers. o Increasing the buffer size on routers.
o Transit dataplane traffic from an unknown address (an address w/o
the corresponding neighbor cache entry) triggers an address
resolution process on the router.
The following sections discuss those approaches in more detail. The following sections discuss those approaches in more detail.
2.1. Do Nothing 3.1. Do Nothing
One of the possible approaches might be to declare that everything is One of the possible approaches might be to declare that everything is
working as intended. working as intended and let the upper-layer protocols to deal with
packet loss. The obvious drawbacks include:
2.1.1. Pros
o No work required.
2.1.2. Cons
o Unhappy users. o Unhappy users.
o Many support tickets. o Many support tickets.
o More resistance to deploy IPv6 and IPv6-Only networks. o More resistance to deploy IPv6 and IPv6-Only networks.
2.2. Change to the Registration-Based Neighbor Discovery 3.2. Change to the Registration-Based Neighbor Discovery
The most radical approach would be to move away from the reactive ND The most radical approach would be to move away from the reactive ND
as defined in [RFC4861] and expand the registration-based ND as defined in [RFC4861] and expand the registration-based ND
([RFC6775], [RFC8505]) used in Low-Power Wireless Personal Area ([RFC6775], [RFC8505]) used in Low-Power Wireless Personal Area
Networks (6LoWPANs) to the rest of IPv6 deployments. Networks (6LoWPANs) to the rest of IPv6 deployments. This option
required some investigation and discussions and seems to be an
This option required some investigation and discussions and seems to overkill for the problem described in this document.
be an overkill for the problem described in this document..
2.3. Hosts Explicitly Advertizing Their GUAs Using Existing ND
Mechanisms
The Neighbor Discovery is designed to allow IPv6 nodes to discover
neighboring nodes reachability and learn IPv6 to link-layer addresses
mapping. Therefore ND seems to be the most appropriate tool to
inform the first-hop routers about addresses the host is going to
use. The following sections discuss potential apptoaches in more
detail.
2.3.1. Host Sending Unsolicited NA
Section 4.4 of [RFC4861] says:
"A node sends Neighbor Advertisements in response to Neighbor
Solicitations and sends unsolicited Neighbor Advertisements in order
to (unreliably) propagate new information quickly."
Propagating information about new GUA as quickly as possible is
exactly what is required to solve the problem outlined in this
document. Therefore the host might send an unsolicited NA to
advertize its GUA as soon as the said address enters Optimistic or
Preferred state. The NA should include the target link-layer address
option. To ensure that all first-hop routers receive the
advertisement it could be sent to all-routers multicast address
(ff02::2).
As it's been mentioned, [RFC4861] explicitly states that receiving a
NA should not create a new NC entry. However the justification for
that requirement ("There is no need to create an entry if none
exists, since the recipient has apparently not initiated any
communication with the target.") clearly does not apply for the case
discussed. As per [RFC2119] "there may exist valid reasons in
particular circumstances to ignore a particular item, but the full
implications must be understood and carefully weighed before choosing
a different course.". Therefore routers creating a new NC entry upon
receiving an unsolicited NA would still be compliant with [RFC4861].
It should be noted that some routing and switching platforms have
implemented such behaviour already. Administrators could enable
creating neighbor discovery cache entries based on unsolicited NA
packets sent from the previously unknown neighbors on that interface.
2.3.1.1. Pros
o Already implemented on some platforms.
o In accordance with [RFC4861].
2.3.1.2. Cons
o Allows a malicious host to execute an ND cache exhaustion attack.
It's recommended that this functionality is configurable and
recommendations from [RFC6583] are taken into account.
o Requires hosts to send unsolicited NA (changes to the hosts).
o Some wireless devices are known to fiddle with ND packets and
perform various non-obvious forms of ND proxy actions. In some
cases unsolicited NAs might not even reach the routers.
2.3.2. Host Sending NS to the Router Address from Its GUA 3.3. Host Sending NS to the Router Address from Its GUA
The host could force creating a STALE entry for its GUA in the router The host could force creating a STALE entry for its GUA in the router
ND cache by sending the following Neighbor Solicitation message: ND cache by sending the following Neighbor Solicitation message:
o The NS source address is the host GUA. o The NS source address is the host GUA.
o The Source Link-Layer Address option contains the host link-layer o The Source Link-Layer Address option contains the host link-layer
address. address.
o The target address is the host default gateway address (the o The target address is the host default gateway address (the
default router address the host received in the RA). default router address the host received in the RA).
The main disadvantage of this approach is that it would not work if The main disadvantages of this approach are:
the GUA the host needs to advertise is still in the Optimistic state.
The section 2.2 of [RFC4429] explicitly prohibits sending Neighbor
Solicitations from an Optimistic Address.
2.3.2.1. Pros
o Router implementations which follow recommendations made in
[RFC6583] might prioritize responding to NS packets to own
addresses.
2.3.2.2. Cons
o Does not work for Optimistic addresses (see section 2.2 of o Would not work for Optimistic addresses as section 2.2 of
[RFC4429]). [RFC4429] explicitly prohibits sending Neighbor Solicitations from
an Optimistic Address.
o If first-hop redundancy is deployed in the network, the NS would o If first-hop redundancy is deployed in the network, the NS would
reach the active router only, so all backup routers (or all active reach the active router only, so all backup routers (or all active
routers ex. one) would not get their neighbor cache updated. routers ex. one) would not get their neighbor cache updated.
o Some wireless devices are known to fiddle with ND packets and o Some wireless devices are known to fiddle with ND packets and
perform various non-obvious forms of ND proxy actions. In some perform various non-obvious forms of ND proxy actions. In some
cases unsolicited NAs might not even reach the routers. cases unsolicited NAs might not even reach the routers.
2.3.3. Host Sending Router Solicitation from its GUA 3.4. Host Sending Router Solicitation from its GUA
The host could send a router solicitation message to 'all routers' The host could send a router solicitation message to 'all routers'
multicast address, using its GUA as a source. If the host link-layer multicast address, using its GUA as a source. If the host link-layer
address is included in the Source Link-Layer Address option, the address is included in the Source Link-Layer Address option, the
router would create a STALE entry for the host GUA (see the section router would create a STALE entry for the host GUA as per the section
6.2.6 of [RFC4861]). However this approach can not be used if the 6.2.6 of [RFC4861]. However this approach can not be used if the GUA
GUA is in optimistic state: the section 2.2 of [RFC4429] explicitly is in optimistic state: the section 2.2 of [RFC4429] explicitly
prohibits using an Optimistic Address as the source address of a prohibits using an Optimistic Address as the source address of a
Router Solicitation with a SLLAO as it might disrupt the rightful Router Solicitation with a SLLAO as it might disrupt the rightful
owner of the address in the case of a collision. So for the owner of the address in the case of a collision. So for the
optimistic addresses the host can send an RS without SLLAO included. optimistic addresses the host can send an RS without SLLAO included.
In that case the router may respond with either a multicast or a In that case the router may respond with either a multicast or a
unicast RA (only the latter would create a cache entry). unicast RA (only the latter would create a cache entry).
2.3.3.1. Pros This approach has the following drawbacks:
o Unlike NS packets, RS packets would reach all routers on link,
allowing all routers to update their neighbor caches and
preventing packet loss in case of asymmetric routing.
2.3.3.2. Cons o If the address is in the Optimistic state the RS can not contain
SLLAO. As a result the router would only create a cache entry if
the solicited RAs is sent as as a unicast. Routers sending
solicited RAs as multicast would not create a new cache entry as
they do not need to send a unicast packet back to the host.
o As for the Optimistic addresses SLLAO can not be included into RS o There might be a random delay between receiving an RS and sending
packets, the cache entry for the optimistic address would be a unicast RA back (and creating a cache entry) which might
created only if the router sends solicited RAs as unicast. In undermine the idea of creating the cache entry proactively.
addition, there might be a random delay between receiving an RS
and sending a unicast RA back (and creating a cache entry) which
might undermine the idea of creating the cache entry proactively.
o Some wireless devices are known to fiddle with ND packets and o Some wireless devices are known to fiddle with ND packets and
perform various non-obvious forms of ND proxy actions. In some perform various non-obvious forms of ND proxy actions. In some
cases RSes might not even reach the routers. cases RSes might not even reach the routers.
2.4. Routers Populating Their Caches by Gleaning From Neighbor 3.5. Routers Populating Their Caches by Gleaning From Neighbor
Discovery Packets Discovery Packets
If hosts do not send unsolicited NAs upon configuring new addresses Routers may be able to learn about new addresses by gleaning from the
as described above the routers may be able to learn about new address DAD Neighbor Solicitation messages. The router could listen to all
by gleaning from the DAD Neighbor Solicitation messages. The router solicited node multicast address groups and upon receiving a Neighbor
could listen to all solicited node multicast address groups and upon Solicitation from the unspecified address search its Neighbor Cache
receiving a Neighbor Solicitation from the unspecified address search for the solicitation's Target Address. If no entry exists the router
its Neighbor Cache for the solicitation's Target Address. If no may create an entry, set its reachability state to 'INCOMPLETE' and
entry exists the router may create an entry for and set it's start the address resolution for that entry.
reachability state to 'INCOMPLETE'. Then the router can start the
address resolution for the new entry.
2.4.1. Pros
o No changes required on hosts.
2.4.2. Cons The same solution was proposed in
[I-D.halpern-6man-nd-pre-resolve-addr]. Some routing vendors support
such optimization already. However this approach has a number of
drawbacks and therefore should not be used as the only solution:
o Routers would receive all multicast Neighbor Discovery packets o Routers need to receive all multicast Neighbor Discovery packets
which might negatively impact the routers CPU. which might negatively impact the routers CPU.
o If the router starts the address resolution as soon as it receives o If the router starts the address resolution as soon as it receives
the DAD Neighbor Solicitation the host might be still performing the DAD Neighbor Solicitation the host might be still performing
the DAD and the target address might be tentative. In that case the DAD and the target address might be tentative. In that case
the host SHOULD silently ignore the received Neighbor Solicitation the host SHOULD silently ignore the received Neighbor Solicitation
from the router as per the Section 5.4.3 of [RFC4862]. Such race from the router as per the Section 5.4.3 of [RFC4862]. As a
condition scenario would prevent the router to learn the new result the router might not be able to complete the address
address. resolution before the return traffic arrives.
2.5. Initiating Hosts2Routers Communication
Every time the host configures a new GUA (when the address enters the
Optimistic state or, if the optimistic DAD is not used, as soon as it
changes the state from tentative to preferred) the host can a ping or
traceroute packet to the default gateway LLA. As the RTT to the
default gateway is lower than RTT to any off-link destinations it's
quite likely that the router would start the neighbor discovery
process for the host GUA before the first packet of the returning
traffic arrives. There are pretty good chances that the process
would be completed before the actual data traffic reaches the router.
2.5.1. Pros
o As data packets are involved, there is no potential impact caused 3.6. Initiating Hosts2Routers Communication
by smart wireless infrastructure performing ND proxy.
o Full compliance with existing standards. The host may trigger the router to start the address resolution by
sending a data packet such as ping or traceroute to its default
router link-local address, using the GUA as a source address. As the
RTT to the default gateway is lower than RTT to any off-link
destinations it's quite likely that the router would start the
neighbor discovery process for the host GUA before the first packet
of the returning traffic arrives.
2.5.2. Cons The downside of this approach includes:
o Data packets to the router LLA could be blocked by security policy o Data packets to the router LLA could be blocked by security policy
or control plane protection mechanism. or control plane protection mechanism.
o Maximum overhead for routers control plane (in addition to o Additional overhead for routers control plane (in addition to
processing ND packets, the data packet needs to be processed as processing ND packets, the data packet needs to be processed as
well). well).
o If the first hop redundancy is implemented in the network the host o Unless the data packet is sent to 'all routers' ff02::2 multicast
ping/traceroute packet would reach the active router only. All address, if the network provides a first-hop redundancy then only
backup routers would not receive it and therefore would not start the active router would create a new cache entry.
populating the cache. So in the case of asymmetric traffic flow
(packets leave the network via one router while the return flow is
going via another) the backup router(s) still would not have the
cache entry. (A hacky way to overcome this limitation would be
sending ping/traceroute packet to 'all routers' ff02::2 multicast
address).
2.6. Tweaking Probing Algorithms
While tweaking the probing logic on devices might make the problem
less visible it would be still desirable to avoid packet loss
everytime the new GUA is used by a host. It would be quite tricky to
adjust every probing algorithm to find the right balance between
prompt detection of network connectivity and false positives in
IPv6-only mode.
2.7. Routers Buffering More Packets
Another way to mitigate the issue, at least partially, would be
increasing the number of packets the router could buffer while
performing the neighbor discovery process for the INCOMPLETE cache
entry. However it would be against recommendations made in the
section 7.2.2 of [RFC4861] and [RFC6583].
2.7.1. Pros
o Does not require changes on hosts.
2.7.2. Cons
o This approach makes the routers even more vulnerable to attack
vectors described in [RFC6583]. In particular, it would amplify
the impact of any scanning attack.
o Against the recommendations from the section 7 of [RFC6583].
o Requires router vendors support.
3. Recommendations
o Hosts SHOULD send at least one unsolicited NA packet to all-
routers multicast address (ff02::2) as soon as one of the
following events happens:
* (if Optimistic DAD is used): a new Optimistic GUA is assigned
to the host interface.
* (if Optimistic DAD is not used): a GUA changes the state from
tentative to preferred.
o Routers SHOULD have a configuration knob to enable creating ND 3.7. Transit Dataplane Traffic From a New Address Triggering Address
cache entry upon receiving unsolicited NAs on a specific Resolution
interface. This document does not change the behavior if the ND
cache entry already exists when receiving an unsolicited NA.
As the recommendations include modification to Neighbor Discovery When a router receives a transit packet it might check the presence
state machine defined in [RFC4861] and hosts behaviour, they are of the neighbor cache entry for the packet source address and if the
discussed in a separate Standart track document draft-linkova-6man- entry does not exist start address resolution process. This approach
grand. does ensure that a Neighbor Cache entry is proactively created every
time a new, previously unseen GUA is used for sending offlink
traffic. However this functionality needs to be limited to
explicitly configured networks/interfaces, as the router needs to
distinguish between onlink addresses (ones the router needs to have
Neighbor Cache entries for) and the rest of the address space. In
addition, implementing such functionality is much more complicated
than all other solutions as it would involve complex data-control
planes interaction.
4. IANA Considerations 4. IANA Considerations
This memo asks the IANA for no new parameters. This memo asks the IANA for no new parameters.
5. Security Considerations 5. Security Considerations
See the Security Considerations section of draft-linkova-6man-grand. This memo documents the operational issue and does not introduce any
new security considerations. Security considerations of the proposed
solution are discussed in the corresponding section of
[I-D.linkova-6man-grand].
6. Acknowledgements 6. Acknowledgements
Thanks to the following people (in alphabetical order) for their Thanks to the following people (in alphabetical order) for their
review and feedback: Lorenzo Colitti, Igor Gashinsky, Tatuya Jinmei, review and feedback: Lorenzo Colitti, Igor Gashinsky, Tatuya Jinmei,
Erik Kline, Warren Kumari, Michael Richardson, Pascal Thubert, Erik Kline, Warren Kumari, Michael Richardson, Pascal Thubert,
Loganaden Velvindron, Eric Vyncke. Loganaden Velvindron, Eric Vyncke.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.linkova-6man-grand]
Linkova, J., "Gratuitous Neighbor Discovery: Creating
Neighbor Cache Entries on First-Hop Routers", draft-
linkova-6man-grand-01 (work in progress), November 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>. 2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD) [RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD)
skipping to change at page 13, line 7 skipping to change at page 11, line 22
<https://www.rfc-editor.org/info/rfc8305>. <https://www.rfc-editor.org/info/rfc8305>.
[RFC8505] Thubert, P., Ed., Nordmark, E., Chakrabarti, S., and C. [RFC8505] Thubert, P., Ed., Nordmark, E., Chakrabarti, S., and C.
Perkins, "Registration Extensions for IPv6 over Low-Power Perkins, "Registration Extensions for IPv6 over Low-Power
Wireless Personal Area Network (6LoWPAN) Neighbor Wireless Personal Area Network (6LoWPAN) Neighbor
Discovery", RFC 8505, DOI 10.17487/RFC8505, November 2018, Discovery", RFC 8505, DOI 10.17487/RFC8505, November 2018,
<https://www.rfc-editor.org/info/rfc8505>. <https://www.rfc-editor.org/info/rfc8505>.
7.2. Informative References 7.2. Informative References
[I-D.halpern-6man-nd-pre-resolve-addr]
Chen, I. and J. Halpern, "Triggering ND Address Resolution
on Receiving DAD-NS", draft-halpern-6man-nd-pre-resolve-
addr-00 (work in progress), January 2014.
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
Extensions for Stateless Address Autoconfiguration in Extensions for Stateless Address Autoconfiguration in
IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007, IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007,
<https://www.rfc-editor.org/info/rfc4941>. <https://www.rfc-editor.org/info/rfc4941>.
[RFC6583] Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational [RFC6583] Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational
Neighbor Discovery Problems", RFC 6583, Neighbor Discovery Problems", RFC 6583,
DOI 10.17487/RFC6583, March 2012, DOI 10.17487/RFC6583, March 2012,
<https://www.rfc-editor.org/info/rfc6583>. <https://www.rfc-editor.org/info/rfc6583>.
 End of changes. 47 change blocks. 
296 lines changed or deleted 229 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/