draft-ietf-v6ops-nd-cache-init-04.txt   draft-ietf-v6ops-nd-cache-init-05.txt 
v6ops J. Linkova v6ops J. Linkova
Internet-Draft Google Internet-Draft Google
Intended status: Informational August 20, 2020 Intended status: Informational September 6, 2020
Expires: February 21, 2021 Expires: March 10, 2021
Neighbor Cache Entries on First-Hop Routers: Operational Considerations Neighbor Cache Entries on First-Hop Routers: Operational Considerations
draft-ietf-v6ops-nd-cache-init-04 draft-ietf-v6ops-nd-cache-init-05
Abstract Abstract
Neighbor Discovery (RFC4861) is used by IPv6 nodes to determine the Neighbor Discovery (RFC4861) is used by IPv6 nodes to determine the
link-layer addresses of neighboring nodes as well as to discover and link-layer addresses of neighboring nodes as well as to discover and
maintain reachability information. This document discusses how the maintain reachability information. This document discusses how the
neighbor discovery state machine on a first-hop router is causing neighbor discovery state machine on a first-hop router is causing
user-visible connectivity issues when a new (not being seen on the user-visible connectivity issues when a new (not being seen on the
network before) IPv6 address is being used. network before) IPv6 address is being used. The various approaches
to mitigate the problem are described, with the proposed solution
fully documented in I-D.ietf-6man-grand.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 21, 2021. This Internet-Draft will expire on March 10, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 44 skipping to change at page 2, line 45
The section 7.2.5 of [RFC4861] states: "When a valid Neighbor The section 7.2.5 of [RFC4861] states: "When a valid Neighbor
Advertisement is received (either solicited or unsolicited), the Advertisement is received (either solicited or unsolicited), the
Neighbor Cache is searched for the target's entry. If no entry Neighbor Cache is searched for the target's entry. If no entry
exists, the advertisement SHOULD be silently discarded. There is no exists, the advertisement SHOULD be silently discarded. There is no
need to create an entry if none exists, since the recipient has need to create an entry if none exists, since the recipient has
apparently not initiated any communication with the target." apparently not initiated any communication with the target."
This approach is perfectly suitable for host-to-host communications, This approach is perfectly suitable for host-to-host communications,
which are in most cases bi-directional, and it could be expected that which are in most cases bi-directional, and it could be expected that
if a host A has an ND cache entry for the host B IPv6 address, host B if a host A has an neighbor cache entry for the host B IPv6 address,
also has the corresponding ND entry for the host A address in its host B also has the corresponding entry for the host A address in its
cache. However when a host communicates to off-link destinations via cache. However when a host communicates to off-link destinations via
its first-hop router, that logic does not apply. The most typical its first-hop router, that logic does not apply. The most typical
scenario when the problem may arise is a host joining the network, scenario when the problem may arise is a host joining the network,
forming a new address and using that address for accessing the forming a new address and using that address for accessing the
Internet: Internet:
1. A host joins the network and receives a Router Advertisement (RA) 1. A host joins the network and receives a Router Advertisement (RA)
packet from the first-hop router (either a periodic unsolicited packet from the first-hop router (either a periodic unsolicited
RA or a response to a Router Solicitation sent by the host). The RA or a response to a Router Solicitation sent by the host). The
RA contains information the host needs to perform SLAAC and to RA contains information the host needs to perform Stateless
configure its network stack. As in most cases the RA also Address Autoconfiguration ([RFC4862]) and to configure its
contains the Source link-layer address of the router, the host network stack. As in most cases the RA also contains the link-
can populate its Neighbor Cache with the router's link-local and layer address of the router, the host can populate its Neighbor
link-layer addresses. Cache with the router's link-local and link-layer addresses.
2. The host starts opening connections to off-link destinations. A 2. The host starts opening connections to off-link destinations. A
very common use case is a mobile device sending probes to detect very common use case is a mobile device sending probes to detect
the Internet connectivity and/or the presence of a captive portal the Internet connectivity and/or the presence of a captive portal
on the network. To speed up that process many implementations on the network. To speed up that process many implementations
use Optimistic Duplicate Address Detection [RFC4429] which allows use Optimistic Duplicate Address Detection [RFC4429] which allows
them to send probes from their GUA before the DAD process is them to send probes before the Duplicate Address Detection (DAD)
completed. At that moment the device ND cache contains all process is completed. At that moment the device neighbor cache
information required to send those probes (such as the default contains all information required to send those probes (such as
router link-local the link-layer addresses). The router ND the default router link-local the link-layer addresses). The
cache, however, might contain an entry for the device link-local router neighbor cache, however, might contain an entry for the
address (if the device has been performing the address resolution device link-local address (if the device has been performing the
for the router LLA), but there are no entries for the device GUA. address resolution for the router link-local address), but there
are no entries for the device global addresses.
3. Return traffic is received by the first-hop router. As the 3. Return traffic is received by the first-hop router. As the
router does not have any ND cache entry for the host GUA yet, the router does not have any cache entry for the host global address
router starts the neighbor discovery process by creating an yet, the router starts the neighbor discovery process by creating
INCOMPLETE cache entry and then sending an NS to the Solicited an INCOMPLETE cache entry and then sending a Neighbor Solictation
Node Multicast Address. Most router implementations buffer only to the Solicited Node Multicast Address. Most router
one data packet while resolving the packet destination address, implementations buffer only one data packet while resolving the
so it would drop all subsequent packets for the host GUA, until packet destination address, so it would drop all subsequent
the address resolution process is completed. packets for the host global address, until the address resolution
process is completed.
4. If the host sends multiple probes in parallel, it would consider 4. If the host sends multiple probes in parallel, it would consider
all but one of them failed. It leads to user-visible delay in all but one of them failed. That leads to user-visible delay in
connecting to the network, especially if the host implements some connecting to the network, especially if the host implements some
form of backoff mechanism and does not retransmit the probes as form of backoff mechanism and does not retransmit the probes as
soon as possible. soon as possible.
This scenario illustrates the problem occurring when the device This scenario illustrates the problem occurring when the device
connects to the network for the first time or after a timeout long connects to the network for the first time or after a timeout long
enough for the device address to be removed from the router's enough for the device address to be removed from the router's
neighbor cache. However, the same sequence of events happen when the neighbor cache. However, the same sequence of events happen when the
host starts using a new GUA previously unseen by the router, such as host starts using a new global address previously unseen by the
a new privacy address [RFC4941] or if the router's Neighbor Cache has router, such as a new privacy address [RFC4941] or if the router's
been flushed. Neighbor Cache has been flushed.
While in dual-stack networks this problem might be hidden by Happy While in dual-stack networks this problem might be hidden by Happy
Eyeballs [RFC8305] it manifests quite clearly in IPv6-only Eyeballs [RFC8305] it manifests quite clearly in IPv6-only
environments, especially wireless ones, leading to poor user environments, especially wireless ones, leading to poor user
experience and contributing to a negative perception of IPv6-only experience and contributing to a negative perception of IPv6-only
solutions as unstable and non-deployable. solutions as unstable and non-deployable.
This document discusses the operational implications of not This document discusses the operational implications of not
proactively creating Neighbor Cache entries on first-hop routers and proactively creating Neighbor Cache entries on first-hop routers and
summarizes various approaches to mitigate the problem. summarizes various approaches to mitigate the problem. The document
provides an overview of the proposed solution which is fully
described in [I-D.ietf-6man-grand].
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Terminology 1.2. Terminology
skipping to change at page 4, line 33 skipping to change at page 4, line 39
SLAAC: IPv6 Stateless Address Autoconfiguration, [RFC4862]. SLAAC: IPv6 Stateless Address Autoconfiguration, [RFC4862].
NS: Neighbor Solicitation, [RFC4861]. NS: Neighbor Solicitation, [RFC4861].
NA: Neighbor Advertisement, [RFC4861]. NA: Neighbor Advertisement, [RFC4861].
RS: Router Solicitation, [RFC4861]. RS: Router Solicitation, [RFC4861].
RA: Router Advertisement, [RFC4861]. RA: Router Advertisement, [RFC4861].
SLLA: Source link-layer Address, an option in the ND packets SLLAO: Source link-layer Address Option, an option in the ND packets
containing the link-layer address of the sender of the packet, containing the link-layer address of the sender of the packet,
[RFC4861]. [RFC4861].
TLLA: Target link-layer Address, an option in the ND packets
containing the link-layer address of the target, [RFC4861].
GUA: Global Unicast Address, [RFC4291]. GUA: Global Unicast Address, [RFC4291].
DAD: Duplicate Address Detection, [RFC4862]. DAD: Duplicate Address Detection, [RFC4862].
Optimistic DAD: a modification of DAD, [RFC4429]. Optimistic DAD: a modification of DAD, [RFC4429].
FCFS SAVI: First-Come, First-Served Source Address Validation, FCFS SAVI: First-Come, First-Served Source Address Validation,
[RFC6620]. [RFC6620].
2. Proposed Solution 2. Proposed Solution
skipping to change at page 5, line 38 skipping to change at page 5, line 38
outgoing flows leaving the network via one router while the return outgoing flows leaving the network via one router while the return
traffic enters the segment via another one. traffic enters the segment via another one.
In addition the solution MUST NOT exacerbate issues described in In addition the solution MUST NOT exacerbate issues described in
[RFC6583] and MUST be compatible with the recommendations provided in [RFC6583] and MUST be compatible with the recommendations provided in
[RFC6583]. [RFC6583].
2.2. Solution Overview 2.2. Solution Overview
The Neighbor Discovery is designed to allow IPv6 nodes to discover The Neighbor Discovery is designed to allow IPv6 nodes to discover
neighboring nodes reachability and learn IPv6 to link-layer addresses neighboring nodes' reachability and learn IPv6 to link-layer
mapping. Therefore ND seems to be the most appropriate tool to addresses mapping. Therefore ND seems to be the most appropriate
inform the first-hop routers about addresses the host is going to tool to inform the first-hop routers about addresses the host is
use. going to use.
Section 4.4 of [RFC4861] says: Section 4.4 of [RFC4861] says:
"A node sends Neighbor Advertisements in response to Neighbor "A node sends Neighbor Advertisements in response to Neighbor
Solicitations and sends unsolicited Neighbor Advertisements in order Solicitations and sends unsolicited Neighbor Advertisements in order
to (unreliably) propagate new information quickly." to (unreliably) propagate new information quickly."
Propagating information about new GUA as quickly as possible is Propagating information about new GUA as quickly as possible is
exactly what is required to solve the problem outlined in this exactly what is required to solve the problem outlined in this
document. Therefore the host might send an unsolicited NA with the document. Therefore the host might send an unsolicited NA with the
target link-layer address option to advertise its GUA as soon as the target link-layer address option to advertise its GUA as soon as the
said address enters Optimistic or Preferred state. said address enters Optimistic or Preferred state.
The proposed solution is discussed in [I-D.ietf-6man-grand]. In The proposed solution is discussed in [I-D.ietf-6man-grand]. In
summary, the following changes to [RFC4861] are suggested: summary, the following changes to [RFC4861] are suggested:
o A node SHOULD send up to MAX_NEIGHBOR_ADVERTISEMENT unsolicited NA o A node SHOULD send up to MAX_NEIGHBOR_ADVERTISEMENT unsolicited NA
packet with the Override flag cleared to all-routers multicast packets with the Override flag cleared to all-routers multicast
address (ff02::2) as soon as one of the following events happens: address (ff02::2) as soon as one of the following events happens:
* (if Optimistic DAD is used): a new Optimistic address is * (if Optimistic DAD is used): a new Optimistic address is
assigned to the node interface. assigned to the node interface.
* (if Optimistic DAD is not used): an address changes the state * (if Optimistic DAD is not used): an address changes the state
from tentative to preferred. from tentative to preferred.
o Routers SHOULD create a new STALE ND cache entry upon receiving o Routers SHOULD create a new STALE ND cache entry upon receiving
unsolicited NAs. unsolicited NAs.
skipping to change at page 7, line 35 skipping to change at page 7, line 35
o Many support tickets. o Many support tickets.
o More resistance to deploy IPv6 and IPv6-Only networks. o More resistance to deploy IPv6 and IPv6-Only networks.
3.2. Change to the Registration-Based Neighbor Discovery 3.2. Change to the Registration-Based Neighbor Discovery
The most radical approach would be to move away from the reactive ND The most radical approach would be to move away from the reactive ND
as defined in [RFC4861] and expand the registration-based ND as defined in [RFC4861] and expand the registration-based ND
([RFC6775], [RFC8505]) used in Low-Power Wireless Personal Area ([RFC6775], [RFC8505]) used in Low-Power Wireless Personal Area
Networks (6LoWPANs) to the rest of IPv6 deployments. This option Networks (6LoWPANs) to the rest of IPv6 deployments. This option
requires some investigation and discussions and seems to be an requires some investigation and discussions and seems to be excessive
overkill for the problem described in this document. for the problem described in this document.
3.3. Host Sending NS to the Router Address from Its GUA 3.3. Host Sending NS to the Router Address from Its GUA
The host could force creating a STALE entry for its GUA in the router The host could force creating a STALE entry for its GUA in the router
ND cache by sending the following Neighbor Solicitation message: ND cache by sending the following Neighbor Solicitation message:
o The NS source address is the host GUA. o The NS source address is the host GUA.
o The destination address is the default router IPv6 address. o The destination address is the default router IPv6 address.
skipping to change at page 8, line 13 skipping to change at page 8, line 13
router address the host received in the RA). router address the host received in the RA).
The main disadvantages of this approach are: The main disadvantages of this approach are:
o Would not work for Optimistic addresses as section 2.2 of o Would not work for Optimistic addresses as section 2.2 of
[RFC4429] explicitly prohibits sending Neighbor Solicitations from [RFC4429] explicitly prohibits sending Neighbor Solicitations from
an Optimistic Address. an Optimistic Address.
o If first-hop redundancy is deployed in the network, the NS would o If first-hop redundancy is deployed in the network, the NS would
reach the active router only, so all backup routers (or all active reach the active router only, so all backup routers (or all active
routers ex. one) would not get their neighbor cache updated. routers except one) would not get their neighbor cache updated.
o Some wireless devices are known to alter ND packets and perform o Some wireless devices are known to alter ND packets and perform
various non-obvious forms of ND proxy actions. In some cases, various non-obvious forms of ND proxy actions. In some cases,
unsolicited NAs might not even reach the routers. unsolicited NAs might not even reach the routers.
3.4. Host Sending Router Solicitation from its GUA 3.4. Host Sending Router Solicitation from its GUA
The host could send a router solicitation message to 'all routers' The host could send a router solicitation message to 'all routers'
multicast address, using its GUA as a source. If the host link-layer multicast address, using its GUA as a source. If the host link-layer
address is included in the Source Link-Layer Address option, the address is included in the Source Link-Layer Address option, the
skipping to change at page 8, line 46 skipping to change at page 8, line 46
o If the address is in the Optimistic state the RS can not contain o If the address is in the Optimistic state the RS can not contain
SLLAO. As a result the router would only create a cache entry if SLLAO. As a result the router would only create a cache entry if
the solicited RAs is sent as as a unicast. Routers sending the solicited RAs is sent as as a unicast. Routers sending
solicited RAs as multicast would not create a new cache entry as solicited RAs as multicast would not create a new cache entry as
they do not need to send a unicast packet back to the host. they do not need to send a unicast packet back to the host.
o There might be a random delay between receiving an RS and sending o There might be a random delay between receiving an RS and sending
a unicast RA back (and creating a cache entry) which might a unicast RA back (and creating a cache entry) which might
undermine the idea of creating the cache entry proactively. undermine the idea of creating the cache entry proactively.
o Some wireless devices are known to fiddle with ND packets and o Some wireless devices are known to intercept ND packets and
perform various non-obvious forms of ND proxy actions. In some perform various non-obvious forms of ND proxy actions. In some
cases the RS might not even reach the routers. cases the RS might not even reach the routers.
3.5. Routers Populating Their Caches by Gleaning From Neighbor 3.5. Routers Populating Their Caches by Gleaning From Neighbor
Discovery Packets Discovery Packets
Routers may be able to learn about new addresses by gleaning from the Routers may be able to learn about new addresses by gleaning from the
DAD Neighbor Solicitation messages. The router could listen to all DAD Neighbor Solicitation messages. The router could listen to all
solicited node multicast address groups and upon receiving a Neighbor solicited node multicast address groups and upon receiving a Neighbor
Solicitation from the unspecified address search its Neighbor Cache Solicitation from the unspecified address search its Neighbor Cache
skipping to change at page 9, line 42 skipping to change at page 9, line 42
3.6. Initiating Hosts-to-Routers Communication 3.6. Initiating Hosts-to-Routers Communication
The host may force the router to start address resolution by sending The host may force the router to start address resolution by sending
a data packet such as ping or traceroute to its default router link- a data packet such as ping or traceroute to its default router link-
local address, using the GUA as a source address. As the RTT to the local address, using the GUA as a source address. As the RTT to the
default router is lower than RTT to any off-link destinations it's default router is lower than RTT to any off-link destinations it's
quite likely that the router would start the neighbor discovery quite likely that the router would start the neighbor discovery
process for the host GUA before the first packet of the returning process for the host GUA before the first packet of the returning
traffic arrives. traffic arrives.
The downside of this approach includes: This approach has the following drawbacks:
o Data packets to the router LLA could be blocked by security policy o Data packets to the router link-local address could be blocked by
or control plane protection mechanism. security policy or control plane protection mechanism.
o Additional overhead for routers control plane (in addition to o It introduces an additional overhead for routers control plane (in
processing ND packets, the data packet needs to be processed as addition to processing ND packets, the data packet needs to be
well). processed as well).
o Unless the data packet is sent to 'all routers' ff02::2 multicast o Unless the data packet is sent to 'all routers' ff02::2 multicast
address, if the network provides a first-hop redundancy then only address, if the network provides a first-hop redundancy then only
the active router would create a new cache entry. the active router would create a new cache entry.
3.7. Transit Dataplane Traffic From a New Address Triggering Address 3.7. Transit Dataplane Traffic From a New Address Triggering Address
Resolution Resolution
When a router receives a transit packet, it might check the presence When a router receives a transit packet, it might check the presence
of the neighbor cache entry for the packet source address and if the of the neighbor cache entry for the packet source address and if the
skipping to change at page 10, line 49 skipping to change at page 10, line 49
5. Security Considerations 5. Security Considerations
This memo documents the operational issue and does not introduce any This memo documents the operational issue and does not introduce any
new security considerations. Security considerations of the proposed new security considerations. Security considerations of the proposed
solution are discussed in the corresponding section of solution are discussed in the corresponding section of
[I-D.ietf-6man-grand]. [I-D.ietf-6man-grand].
6. Acknowledgements 6. Acknowledgements
Thanks to the following people (in alphabetical order) for their Thanks to the following people (in alphabetical order) for their
review and feedback: Mikael Abrahamsson, Lorenzo Colitti, Owen review and feedback: Mikael Abrahamsson, Stewart Bryant, Lorenzo
DeLong, Igor Gashinsky, Fernando Gont, Tatuya Jinmei, Erik Kline, Colitti, Owen DeLong, Igor Gashinsky, Fernando Gont, Tatuya Jinmei,
Warren Kumari, Jordi Palet Martinez, Michael Richardson, Dave Thaler, Erik Kline, Warren Kumari, Barry Leiba, Jordi Palet Martinez, Michael
Pascal Thubert, Loganaden Velvindron, Eric Vyncke. Richardson, Dave Thaler, Pascal Thubert, Loganaden Velvindron, Eric
Vyncke.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-6man-grand] [I-D.ietf-6man-grand]
Linkova, J., "Gratuitous Neighbor Discovery: Creating Linkova, J., "Gratuitous Neighbor Discovery: Creating
Neighbor Cache Entries on First-Hop Routers", draft-ietf- Neighbor Cache Entries on First-Hop Routers", draft-ietf-
6man-grand-01 (work in progress), July 2020. 6man-grand-01 (work in progress), July 2020.
 End of changes. 22 change blocks. 
54 lines changed or deleted 58 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/