draft-ietf-v6ops-nd-cache-init-03.txt   draft-ietf-v6ops-nd-cache-init-04.txt 
v6ops J. Linkova v6ops J. Linkova
Internet-Draft Google Internet-Draft Google
Intended status: Informational July 13, 2020 Intended status: Informational August 20, 2020
Expires: January 14, 2021 Expires: February 21, 2021
Neighbor Cache Entries on First-Hop Routers: Operational Considerations Neighbor Cache Entries on First-Hop Routers: Operational Considerations
draft-ietf-v6ops-nd-cache-init-03 draft-ietf-v6ops-nd-cache-init-04
Abstract Abstract
Neighbor Discovery (RFC4861) is used by IPv6 nodes to determine the Neighbor Discovery (RFC4861) is used by IPv6 nodes to determine the
link-layer addresses of neighboring nodes as well as to discover and link-layer addresses of neighboring nodes as well as to discover and
maintain reachability information. This document discusses how the maintain reachability information. This document discusses how the
neighbor discovery state machine on a first-hop router is causing neighbor discovery state machine on a first-hop router is causing
user-visible connectivity issues when a new (not being seen on the user-visible connectivity issues when a new (not being seen on the
network before) IPv6 address is being used. network before) IPv6 address is being used.
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 14, 2021. This Internet-Draft will expire on February 21, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 16 skipping to change at page 3, line 16
packet from the first-hop router (either a periodic unsolicited packet from the first-hop router (either a periodic unsolicited
RA or a response to a Router Solicitation sent by the host). The RA or a response to a Router Solicitation sent by the host). The
RA contains information the host needs to perform SLAAC and to RA contains information the host needs to perform SLAAC and to
configure its network stack. As in most cases the RA also configure its network stack. As in most cases the RA also
contains the Source link-layer address of the router, the host contains the Source link-layer address of the router, the host
can populate its Neighbor Cache with the router's link-local and can populate its Neighbor Cache with the router's link-local and
link-layer addresses. link-layer addresses.
2. The host starts opening connections to off-link destinations. A 2. The host starts opening connections to off-link destinations. A
very common use case is a mobile device sending probes to detect very common use case is a mobile device sending probes to detect
the Internet connectivity and/or the captive portals presence on the Internet connectivity and/or the presence of a captive portal
the network. To speed up that process many implementations use on the network. To speed up that process many implementations
Optimistic Duplicate Address Detection [RFC4429] which allows use Optimistic Duplicate Address Detection [RFC4429] which allows
them to send probes from their GUA before the DAD process is them to send probes from their GUA before the DAD process is
completed. At that moment the device ND cache contains all completed. At that moment the device ND cache contains all
information required to send those probes (such as the default information required to send those probes (such as the default
router link-local the link-layer addresses). The router ND router link-local the link-layer addresses). The router ND
cache, however, might contain an entry for the device link-local cache, however, might contain an entry for the device link-local
address (if the device has been performing the address resolution address (if the device has been performing the address resolution
for the router LLA) but there are no entries for the device GUA. for the router LLA), but there are no entries for the device GUA.
3. Return traffic is received by the first-hop router. As the 3. Return traffic is received by the first-hop router. As the
router does not have any ND cache entry for the host GUA yet, the router does not have any ND cache entry for the host GUA yet, the
router starts the neighbor discovery process by creating an router starts the neighbor discovery process by creating an
INCOMPLETE cache entry and then sending an NS to the Solicited INCOMPLETE cache entry and then sending an NS to the Solicited
Node Multicast Address. Most router implementations buffer only Node Multicast Address. Most router implementations buffer only
one data packet while resolving the packet destination address, one data packet while resolving the packet destination address,
so it would drop all subsequent packets for the host GUA, until so it would drop all subsequent packets for the host GUA, until
the address resolution process is completed. the address resolution process is completed.
4. If the host sends multiple probes in parallel it would consider 4. If the host sends multiple probes in parallel, it would consider
all but one of them failed. It leads to user-visible delay in all but one of them failed. It leads to user-visible delay in
connecting to the network, especially if the host implements some connecting to the network, especially if the host implements some
form of backoff mechanism and does not retransmit the probes as form of backoff mechanism and does not retransmit the probes as
soon as possible. soon as possible.
This scenario illustrates the problem happening when the device This scenario illustrates the problem occurring when the device
connects to the network for the first time or after a timeout long connects to the network for the first time or after a timeout long
enough for the device address to be removed from the router's enough for the device address to be removed from the router's
neighbor cache. However the same sequence of events happen when the neighbor cache. However, the same sequence of events happen when the
host starts using a new GUA previously unseen by the router, such as host starts using a new GUA previously unseen by the router, such as
a new privacy address [RFC4941] or if the router's Neighbor Cache has a new privacy address [RFC4941] or if the router's Neighbor Cache has
been flushed. been flushed.
While in dual-stack networks this problem might be hidden by Happy While in dual-stack networks this problem might be hidden by Happy
Eyeballs [RFC8305] it manifests quite clearly in IPv6-only Eyeballs [RFC8305] it manifests quite clearly in IPv6-only
environments, especially wireless ones, leading to poor user environments, especially wireless ones, leading to poor user
experience and contributing to negative perception of IPv6-only experience and contributing to a negative perception of IPv6-only
solutions as unstable and non-deployable. solutions as unstable and non-deployable.
This document discusses operational implications of not proactively This document discusses the operational implications of not
creating Neighbor Cache entries on first-hop routers and summarizes proactively creating Neighbor Cache entries on first-hop routers and
various approaches to mitigate the problem. summarizes various approaches to mitigate the problem.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Terminology 1.2. Terminology
skipping to change at page 4, line 31 skipping to change at page 4, line 31
ND: Neighbor Discovery, [RFC4861]. ND: Neighbor Discovery, [RFC4861].
SLAAC: IPv6 Stateless Address Autoconfiguration, [RFC4862]. SLAAC: IPv6 Stateless Address Autoconfiguration, [RFC4862].
NS: Neighbor Solicitation, [RFC4861]. NS: Neighbor Solicitation, [RFC4861].
NA: Neighbor Advertisement, [RFC4861]. NA: Neighbor Advertisement, [RFC4861].
RS: Router Solicitation, [RFC4861]. RS: Router Solicitation, [RFC4861].
RA: outer Advertisement, [RFC4861]. RA: Router Advertisement, [RFC4861].
SLLA: Source link-layer Address, an option in the ND packets SLLA: Source link-layer Address, an option in the ND packets
containing the link-layer address of the sender of the packet, containing the link-layer address of the sender of the packet,
[RFC4861]. [RFC4861].
TLLA: Target link-layer Address, an option in the ND packets TLLA: Target link-layer Address, an option in the ND packets
containing the link-layer address of the target, [RFC4861]. containing the link-layer address of the target, [RFC4861].
GUA: Global Unicast Address, [RFC4291]. GUA: Global Unicast Address, [RFC4291].
skipping to change at page 5, line 11 skipping to change at page 5, line 11
FCFS SAVI: First-Come, First-Served Source Address Validation, FCFS SAVI: First-Come, First-Served Source Address Validation,
[RFC6620]. [RFC6620].
2. Proposed Solution 2. Proposed Solution
2.1. Solution Requirements 2.1. Solution Requirements
It would be highly desirable to improve the Neighbor Discovery It would be highly desirable to improve the Neighbor Discovery
mechanics so routers have a usable cache entry for a host address by mechanics so routers have a usable cache entry for a host address by
the time the first packet for that address is received by the router. the time the router receives the first packet for that address. In
In particular: particular:
o If the router does not have a Neighbor Cache entry for the o If the router does not have a Neighbor Cache entry for the
address, a STALE entry needs to be created. address, a STALE entry needs to be created.
o The solution needs to work for Optimistic addresses as well. o The solution needs to work for Optimistic addresses as well.
Devices implementing the Optimistic DAD usually attempt to Devices implementing the Optimistic DAD usually attempt to
minimize the delay in connecting to the network and therefore are minimize the delay in connecting to the network and therefore are
more likely to be affected by the problem described in this more likely to be affected by the problem described in this
document. document.
o In case of duplicate addresses present in the network, the o In case of duplicate addresses present in the network, the
proposed solution MUST NOT override the existing entry. proposed solution MUST NOT override the existing entry.
o In topologies with multiple first hop routers the cache needs to o In topologies with multiple first-hop routers the cache needs to
be updated on all of them, as traffic might be asymmetric: be updated on all of them, as traffic might be asymmetric:
outgoing flows leaving the network via one router while the return outgoing flows leaving the network via one router while the return
traffic enters the segment via another one. traffic enters the segment via another one.
In addition the solution MUST NOT exacerbate issues described in In addition the solution MUST NOT exacerbate issues described in
[RFC6583] and MUST be compatible with the recomendations provided in [RFC6583] and MUST be compatible with the recommendations provided in
[RFC6583]. [RFC6583].
2.2. Solution Overview 2.2. Solution Overview
The Neighbor Discovery is designed to allow IPv6 nodes to discover The Neighbor Discovery is designed to allow IPv6 nodes to discover
neighboring nodes reachability and learn IPv6 to link-layer addresses neighboring nodes reachability and learn IPv6 to link-layer addresses
mapping. Therefore ND seems to be the most appropriate tool to mapping. Therefore ND seems to be the most appropriate tool to
inform the first-hop routers about addresses the host is going to inform the first-hop routers about addresses the host is going to
use. use.
skipping to change at page 6, line 8 skipping to change at page 6, line 8
Solicitations and sends unsolicited Neighbor Advertisements in order Solicitations and sends unsolicited Neighbor Advertisements in order
to (unreliably) propagate new information quickly." to (unreliably) propagate new information quickly."
Propagating information about new GUA as quickly as possible is Propagating information about new GUA as quickly as possible is
exactly what is required to solve the problem outlined in this exactly what is required to solve the problem outlined in this
document. Therefore the host might send an unsolicited NA with the document. Therefore the host might send an unsolicited NA with the
target link-layer address option to advertise its GUA as soon as the target link-layer address option to advertise its GUA as soon as the
said address enters Optimistic or Preferred state. said address enters Optimistic or Preferred state.
The proposed solution is discussed in [I-D.ietf-6man-grand]. In The proposed solution is discussed in [I-D.ietf-6man-grand]. In
summary the following changes to [RFC4861] are suggested: summary, the following changes to [RFC4861] are suggested:
o Hosts SHOULD send at least one unsolicited NA packet with the o A node SHOULD send up to MAX_NEIGHBOR_ADVERTISEMENT unsolicited NA
Override flag cleared to all-routers multicast address (ff02::2) packet with the Override flag cleared to all-routers multicast
as soon as one of the following events happens: address (ff02::2) as soon as one of the following events happens:
* (if Optimistic DAD is used): a new Optimistic GUA is assigned * (if Optimistic DAD is used): a new Optimistic address is
to the host interface. assigned to the node interface.
* (if Optimistic DAD is not used): a GUA changes the state from * (if Optimistic DAD is not used): an address changes the state
tentative to preferred. from tentative to preferred.
o Routers SHOULD create a new STALE ND cache entry upon receiving o Routers SHOULD create a new STALE ND cache entry upon receiving
unsolicited NAs. unsolicited NAs.
It should be noted that some routing and switching platforms have It should be noted that some routing and switching platforms have
implemented such behaviour already. Administrators could enable implemented such behaviour already. Administrators could enable the
creating neighbor discovery cache entries based on unsolicited NA creation of neighbor discovery cache entries based on unsolicited NA
packets sent from the previously unknown neighbors on that interface. packets sent from the previously unknown neighbors on that interface.
Network devices implementing FCFS SAVI might drop Neighbor Network devices implementing FCFS SAVI might drop Neighbor
Advertisements received through a Validating Port which is in the Advertisements received through a Validating Port which is in the
TENTATIVE state (see Section 2.3.2 of[RFC6620]). Therefore hosts TENTATIVE state (see Section 2.3.2 of[RFC6620]). Therefore hosts
using Optimistic DAD might not benefit from the proposed solution if using Optimistic DAD might not benefit from the proposed solution if
FCFS SAVI is implemeneted on the network infrastructure. FCFS SAVI is implemented on the network infrastructure.
[I-D.ietf-6man-grand] discusses in more details how the proposed [I-D.ietf-6man-grand] discusses in more details how the proposed
solution interacts with SAVI. solution interacts with SAVI.
3. Solutions Considered but Discarded 3. Solutions Considered but Discarded
The problem could be addressed from different angles. Possible The problem could be addressed from different angles. Possible
approaches are: approaches are:
o Just do nothing. o Just do nothing.
skipping to change at page 8, line 16 skipping to change at page 8, line 16
o Would not work for Optimistic addresses as section 2.2 of o Would not work for Optimistic addresses as section 2.2 of
[RFC4429] explicitly prohibits sending Neighbor Solicitations from [RFC4429] explicitly prohibits sending Neighbor Solicitations from
an Optimistic Address. an Optimistic Address.
o If first-hop redundancy is deployed in the network, the NS would o If first-hop redundancy is deployed in the network, the NS would
reach the active router only, so all backup routers (or all active reach the active router only, so all backup routers (or all active
routers ex. one) would not get their neighbor cache updated. routers ex. one) would not get their neighbor cache updated.
o Some wireless devices are known to alter ND packets and perform o Some wireless devices are known to alter ND packets and perform
various non-obvious forms of ND proxy actions. In some cases various non-obvious forms of ND proxy actions. In some cases,
unsolicited NAs might not even reach the routers. unsolicited NAs might not even reach the routers.
3.4. Host Sending Router Solicitation from its GUA 3.4. Host Sending Router Solicitation from its GUA
The host could send a router solicitation message to 'all routers' The host could send a router solicitation message to 'all routers'
multicast address, using its GUA as a source. If the host link-layer multicast address, using its GUA as a source. If the host link-layer
address is included in the Source Link-Layer Address option, the address is included in the Source Link-Layer Address option, the
router would create a STALE entry for the host GUA as per the section router would create a STALE entry for the host GUA as per the section
6.2.6 of [RFC4861]. However this approach can not be used if the GUA 6.2.6 of [RFC4861]. However, this approach can not be used if the
is in optimistic state: the section 2.2 of [RFC4429] explicitly GUA is in optimistic state: section 2.2 of [RFC4429] explicitly
prohibits using an Optimistic Address as the source address of a prohibits using an Optimistic Address as the source address of a
Router Solicitation with a SLLAO as it might disrupt the rightful Router Solicitation with a SLLAO as it might disrupt the rightful
owner of the address in the case of a collision. So for the owner of the address in the case of a collision. So for the
optimistic addresses the host can send an RS without SLLAO included. optimistic addresses the host can send an RS without SLLAO included.
In that case the router may respond with either a multicast or a In that case the router may respond with either a multicast or a
unicast RA (only the latter would create a cache entry). unicast RA (only the latter would create a cache entry).
This approach has the following drawbacks: This approach has the following drawbacks:
o If the address is in the Optimistic state the RS can not contain o If the address is in the Optimistic state the RS can not contain
skipping to change at page 9, line 12 skipping to change at page 9, line 12
perform various non-obvious forms of ND proxy actions. In some perform various non-obvious forms of ND proxy actions. In some
cases the RS might not even reach the routers. cases the RS might not even reach the routers.
3.5. Routers Populating Their Caches by Gleaning From Neighbor 3.5. Routers Populating Their Caches by Gleaning From Neighbor
Discovery Packets Discovery Packets
Routers may be able to learn about new addresses by gleaning from the Routers may be able to learn about new addresses by gleaning from the
DAD Neighbor Solicitation messages. The router could listen to all DAD Neighbor Solicitation messages. The router could listen to all
solicited node multicast address groups and upon receiving a Neighbor solicited node multicast address groups and upon receiving a Neighbor
Solicitation from the unspecified address search its Neighbor Cache Solicitation from the unspecified address search its Neighbor Cache
for the solicitation's Target Address. If no entry exists the router for the solicitation's Target Address. If no entry exists, the
may create an entry, set its reachability state to 'INCOMPLETE' and router may create an entry, set its reachability state to
start the address resolution for that entry. 'INCOMPLETE' and start the address resolution for that entry.
The same solution was proposed in The same solution was proposed in
[I-D.halpern-6man-nd-pre-resolve-addr]. Some routing vendors support [I-D.halpern-6man-nd-pre-resolve-addr]. Some routing vendors support
such optimization already. However this approach has a number of such optimization already. However, this approach has a number of
drawbacks and therefore should not be used as the only solution: drawbacks and therefore should not be used as the only solution:
o Routers need to receive all multicast Neighbor Discovery packets o Routers need to receive all multicast Neighbor Discovery packets
which might negatively impact the routers CPU. which might negatively impact the routers CPU.
o If the router starts the address resolution as soon as it receives o If the router starts the address resolution as soon as it receives
the DAD Neighbor Solicitation the host might be still performing the DAD Neighbor Solicitation the host might be still performing
DAD and the target address might be tentative. In that case the DAD and the target address might be tentative. In that case, the
host SHOULD silently ignore the received Neighbor Solicitation host SHOULD silently ignore the received Neighbor Solicitation
from the router as per the Section 5.4.3 of [RFC4862]. As a from the router as per the Section 5.4.3 of [RFC4862]. As a
result the router might not be able to complete the address result the router might not be able to complete the address
resolution before the return traffic arrives. resolution before the return traffic arrives.
3.6. Initiating Hosts-to-Routers Communication 3.6. Initiating Hosts-to-Routers Communication
The host may force the router to start address resolution by sending The host may force the router to start address resolution by sending
a data packet such as ping or traceroute to its default router link- a data packet such as ping or traceroute to its default router link-
local address, using the GUA as a source address. As the RTT to the local address, using the GUA as a source address. As the RTT to the
skipping to change at page 10, line 12 skipping to change at page 10, line 12
processing ND packets, the data packet needs to be processed as processing ND packets, the data packet needs to be processed as
well). well).
o Unless the data packet is sent to 'all routers' ff02::2 multicast o Unless the data packet is sent to 'all routers' ff02::2 multicast
address, if the network provides a first-hop redundancy then only address, if the network provides a first-hop redundancy then only
the active router would create a new cache entry. the active router would create a new cache entry.
3.7. Transit Dataplane Traffic From a New Address Triggering Address 3.7. Transit Dataplane Traffic From a New Address Triggering Address
Resolution Resolution
When a router receives a transit packet it might check the presence When a router receives a transit packet, it might check the presence
of the neighbor cache entry for the packet source address and if the of the neighbor cache entry for the packet source address and if the
entry does not exist start address resolution process. This approach entry does not exist start address resolution process. This approach
does ensure that a Neighbor Cache entry is proactively created every does ensure that a Neighbor Cache entry is proactively created every
time a new, previously unseen GUA is used for sending offlink time a new, previously unseen GUA is used for sending offlink
traffic. However this approach has a number of limitations, in traffic. However this approach has a number of limitations, in
particular: particular:
o If traffic flows are asymmetrical the return traffic might not o If traffic flows are asymmetrical the return traffic might not
transit the same router as the original traffic which triggered transit the same router as the original traffic which triggered
the address resolution. So the neighbor cache entry is created on the address resolution. So the neighbor cache entry is created on
skipping to change at page 11, line 12 skipping to change at page 11, line 12
Warren Kumari, Jordi Palet Martinez, Michael Richardson, Dave Thaler, Warren Kumari, Jordi Palet Martinez, Michael Richardson, Dave Thaler,
Pascal Thubert, Loganaden Velvindron, Eric Vyncke. Pascal Thubert, Loganaden Velvindron, Eric Vyncke.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-6man-grand] [I-D.ietf-6man-grand]
Linkova, J., "Gratuitous Neighbor Discovery: Creating Linkova, J., "Gratuitous Neighbor Discovery: Creating
Neighbor Cache Entries on First-Hop Routers", draft-ietf- Neighbor Cache Entries on First-Hop Routers", draft-ietf-
6man-grand-00 (work in progress), March 2020. 6man-grand-01 (work in progress), July 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>. 2006, <https://www.rfc-editor.org/info/rfc4291>.
 End of changes. 27 change blocks. 
41 lines changed or deleted 41 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/