Internet DRAFT - draft-gont-6man-lta
draft-gont-6man-lta
IPv6 Maintenance (6man) Working Group F. Gont
Internet-Draft SI6 Networks
Updates: 4862 (if approved) J. Zorz
Intended status: Standards Track 6connect
Expires: 29 October 2023 R. Patterson
Sky UK
27 April 2023
Lifetime Avoidance Algorithm
draft-gont-6man-lta-00
Abstract
In renumbering scenarios where an IPv6 prefix suddenly becomes
invalid, hosts on the local network will continue using stale
prefixes for an unacceptably long period of time, thus resulting in
connectivity problems. This document specifies an algorithm that
allows host implementations to infer when configuraton information
has changed, such that they can phase stale information out in a
timelier manner.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 29 October 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
Gont, et al. Expires 29 October 2023 [Page 1]
Internet-Draft LTA Algorithm April 2023
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Lifetime Avoidance (LTA) Algorithm . . . . . . . . . . . . . 3
3.1. Target Neighbor Discovery Options . . . . . . . . . . . . 4
3.2. Local State Information and Configuration Variables . . . 4
3.3. Algorithm Specification . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
In scenarios where network configuration information becomes invalid
without any explicit signaling of that condition, hosts on the local
network will continue using stale SLAAC [RFC4862] information for an
unacceptably long period of time, thus resulting in connectivity
problems. This problem has been discussed in detail in [RFC8978].
This document specifies and algorithm that allows SLAAC host
implementations to infer when configuraton information has become
stale, such that they can phase out stale information in a timelier
manner.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Gont, et al. Expires 29 October 2023 [Page 2]
Internet-Draft LTA Algorithm April 2023
3. Lifetime Avoidance (LTA) Algorithm
This section specifies an algorithm, "Lifetime Avoidance" (LTA)
algorithm, that allows hosts to infer that previously-advertised
configuration information (such as autoconfiguration prefixes) has
become stale, such that the stale information can be deprecated in a
timelier manner. Most of the value of this algorithm is in being
able to mitigate the problem discussed in [RFC8978] at hosts
themselves, without relying on changes in SLAAC router
implementations.
The algorithm consists of two conceptual building-blocks:
* Detection of possible configuration change
* Validation/Refresh of configuration information
Possible configuration changes can be inferred when a SLAAC router
(as identified by its link-local address) ceases to advertise a
previously-advertised information. Therefore, hosts can record what
configuration information has been advertised by each local router,
and infer a configuration change when a router ceases to advertise
previously-advertises configuration information.
Inscenarios where possible configuration changes have been detected,
hosts should poll the local router via unicasted Router Solicitations
(RS) to verify that the router in question has indeed ceased to
advertise the aforementioned information. If this condition is
confirmed, the corresponding configuration information should be
discarded.
In the context of multi-prefix/multi-router networks [RFC8028]
[RFC8504], SLAAC configuration information should be associated with
each advertising router. Thus, when a router ceases to advertise
some configuration information:
* If this was the only router advertising the aforementioned
information, the information should be discarded.
* If other routers were advertising the aforementioned information,
it should simply be dis-associated with the router that ceased to
advertise it, and the fate of this information (and configured
resources) should depend solely on the routers that continue
advertising it.
Implementation of this kind of heuristic allows a timelier reaction
to network configuration changes even in scenarios where there is no
explicit signaling from the network, thus improving robustness.
Gont, et al. Expires 29 October 2023 [Page 3]
Internet-Draft LTA Algorithm April 2023
[RFC4861] does not require routers to convey all RA options in the
same message. Therefore, the algorithm specified in this section is
designed such that it can cope with this corner case that, while not
found in the deployed Internet, is allowed by [RFC4861].
3.1. Target Neighbor Discovery Options
The LTA algorithm SHOULD be applied to the following Neighbor
Discovery options:
* Prefix Information Option [RFC4861]
* Route Information Option (RIO) [RFC4191]
* DNS Search Options (RDNSSO) [RFC8106]
* DNS Search List Options (DNSSLO) [RFC8106]
3.2. Local State Information and Configuration Variables
In the context of multi-prefix/multi-router networks [RFC8028]
[RFC8504], each option from Section 3.1 is associated with each
advertising SLAAC router. Therefore, hosts should record what
configuration information has been advertised by each local router.
NOTE:
Throughout this specification, each router is identified by its
link-local address.
Additionally, hosts associate with piece of configuration information
received via SLAAC options a timestamp (INFO_LAST variable below)
that records the time at which this information was last advertised
by a particular router.
NOTE:
While not strictly required, we note that existing implementations
may already record a timestamp representing when a piece of
information was advertised by a given router as a possible
implementation approach to be able to compute the remaining
lifetime of that piece of information.
The algorithm specified in this document employs the following
variables:
LTA_MODE:
A boolean variable associated with each SLAAC advertising router
that specifies whether the local host is currently performing the
LTA algorithm for that router. It is initialized to FALSE.
Gont, et al. Expires 29 October 2023 [Page 4]
Internet-Draft LTA Algorithm April 2023
LTA_LAST:
A variable associated with each SLAAC advertising router that
stores the time (in seconds) when the local host last entered the
LTA algorithm for this router. It is initialized to 0.
RS_LAST:
A variable associated with each SLAAC advertising router that
stores the time (in seconds) when the local host last sent a
unicasted Router Solicitation to the router in question. It is
initialized to 0.
RS_COUNT:
A variable associated with each SLAAC advertising router that
stores the number of unicasted Router Solicitations that have been
sent to the corresponding router since the last time the LTA
algorithm was executed. It is initialized to 0.
RS_COUNT_MAX:
A configuration variable specifying the maximum number of
unicasted Router Solicitations that a host will send to a SLAAC
advertising router as part of the LTA algorithm. It defaults to
1.
RS_RNDTIME:
A host-wide variable specifying a random amount of time that the
host should wait before sending the first unicasted Router
Solicitation message to a SLAAC router as part of the LTA
algorithm. It should be initialized to a value in the range from
0 to 5 seconds when the system is bootstrapped.
RS_TIMEOUT:
A host-wide variable specifying the amount of time to wait for a
response to a unicasted Router Solicitation sent as part of the
LTA algorithm. It defaults to 3 seconds.
INFO_LAST:
A timestamp associated with each piece of SLAAC information (from
Section 3.1) received from each SLAAC advertising router.
Gont, et al. Expires 29 October 2023 [Page 5]
Internet-Draft LTA Algorithm April 2023
NOTE:
In most cases (e.g., Prefix Information Options and Route
Information Options) each neighbor discovery option carries one
atomic piece of SLAAC information. In other cases (notably
Recursive DNS Server Option [RFC8106] and DNS Search List
Option [RFC8106]), a single neighbor discovery option carries
multiple atomic pieces of information (i.e., a host might want
to prune some recursive DNS server addresses, but not others).
This is why this document refers to "piece of SLAAC
information" rather than "Negihbor Discovery option" (since one
option might carry multiple pieces of information).
RA_WIN:
A host-wide configuration variable specifying a time window over
which a SLAAC advertising router may convey all SLAAC
configuration information. It is meant to cope with the
theoretical case where a router may spread SLAAC information over
several RA messages. It defaults to 3 seconds.
LTA_CYCLE:
This variable accounts for the maximum time that may elapse for
the entire LTA algorithm to complete. Its value is computed as:
LTA_CYCLE=RA_WIN+RS_RNDTIME+RS_COUNT_MAX*RS_TIMEOUT.
3.3. Algorithm Specification
Initialization when a new SLAAC advertising router is learned:
LTA_MODE=FALSE
LTA_LAST=0
RS_LAST=0
RS_COUNT=0
LTA_CYCLE=RA_WIN+RS_RNDTIME+RS_COUNT_MAX*RS_TIMEOUT
Upon receipt of a Router Advertisement message, and after normal
processing of the message, perform the following actions:
TIME= time()
For each piece of SLAAC configuration information advertised by
this router in the received RA:
INFO_LAST= TIME
IF LTA_MODE==FALSE && TIME > (LTA_LAST+LTA_CYCLE)
IF this RA is missing any previously-advertised information:
LTA_MODE=TRUE
LTA_LAST=TIME
Gont, et al. Expires 29 October 2023 [Page 6]
Internet-Draft LTA Algorithm April 2023
RATIONALE:
The goal of checking "(LTA_LAST+LTA_CYCLE)" is to prevent the host
from re-entering the LTA_mode in a short period of time in the
theoretical corner-case where:
1. The local router spreads information into multiple RA packets,
and one of such packets gets lost, thus triggering the LTA
mode.
2. The host sends a unicasted solicitation to the local router as
part of the LTA mode.
3. The router spreads the response into multiple packets, and
e.g. the first of such packets completes all the missing
information, thus exiting the LTA mode.
4. One of the remaining RAs of this "batch" would otherwise
trigger the LTA mode again.
Thus, the above check only allows the LTA mode to be triggered
once every LTA_CYCLE seconds.
Time-driven events:
IF LTA_MODE==TRUE:
TIME=time()
IF TIME > (LTA_LAST + LTA_CYCLE)
Disaasociate any options for which INFO_LAST < LTA_LAST
LTA_MODE= FALSE
RS_COUNT= 0
ELSE IF TIME > (LTA_LAST + RA_WIN + RS_RNDTIME) && TIME >
(RS_LAST + RS_TIMEOUT) && RS_COUNT < RS_COUNT_MAX:
IF for all options INFO_LAST >= LTA_LAST
LTA_MODE= FALSE
RS_COUNT= 0
ELSE
SendRS()
RS_LAST=TIME
RS_COUNT++
NOTES:
Gont, et al. Expires 29 October 2023 [Page 7]
Internet-Draft LTA Algorithm April 2023
* time() is a monotonically-increasing counter that is incremented
once per second, and is employed in this algorithm to measure
time.
* SendRS() is a function sends a unicasted Router Solicitation
message to the target router (subject to sending rules in
[RFC4861]).
RATIONALE:
After a whole LTA_CYCLE has elapsed (i.e., "TIME > (LTA_LAST +
LTA_CYCLE)"), SLAAC information that has not been refreshed since
the LTA mode was entered should be disassociated with the router
for which the LTA algorithm has been performed.
While in the LTA mode, before probing the local router with a
unicasted RS, we double-check if all the missing information has
been completed/refreshed since the LTA mode was entered. In such
case, the LTA mode is exited and the algorithm finished, thus
avoiding sending unnecessary RS packets to the local router.
Otherwise, a unicasted RS is sent to the local router for which
the LTA algorithm is being performed.
[IETF-6MAN-114] illustrates the most common scenarios.
4. IANA Considerations
This document has no actions for IANA.
5. Security Considerations
An attacker could for Router Advertisement messages wit missing
Neighbor Discovery options (such as PIOs), to trigger the algorithm
specified in this document, with te goal of illegitimatelly causing
valid prefixes to be removed. In any case, and for all practical
purposes, this attack vector does not really represent any greater
risk than other ND attack vectors. In scenarios where RA-based
attacks are of concern, proper mitigations such as RA-Guard [RFC6105]
[RFC7113] or SEND [RFC3971] should be implemented.
6. Acknowledgments
The authors would like to thank (in alphabetical order) [TBD], for
providing valuable comments on earlier versions of this document.
Gont, et al. Expires 29 October 2023 [Page 8]
Internet-Draft LTA Algorithm April 2023
Fernando would like to thank Alejandro D'Egidio and Sander Steffann
for a discussion of these issues, which led to the publication of
[RFC8978], and eventually to this document.
Fernando would also like to thank Brian Carpenter who, over the
years, has answered many questions and provided valuable comments
that has benefited his protocol-related work.
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007,
<https://www.rfc-editor.org/info/rfc4861>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007,
<https://www.rfc-editor.org/info/rfc4862>.
[RFC8028] Baker, F. and B. Carpenter, "First-Hop Router Selection by
Hosts in a Multi-Prefix Network", RFC 8028,
DOI 10.17487/RFC8028, November 2016,
<https://www.rfc-editor.org/info/rfc8028>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8504] Chown, T., Loughney, J., and T. Winters, "IPv6 Node
Requirements", BCP 220, RFC 8504, DOI 10.17487/RFC8504,
January 2019, <https://www.rfc-editor.org/info/rfc8504>.
7.2. Informative References
Gont, et al. Expires 29 October 2023 [Page 9]
Internet-Draft LTA Algorithm April 2023
[IETF-6MAN-114]
Gont, F., Zorz, J., and R. Patterson, "Improving the
Robustness of Stateless Address Autoconfiguration (SLAAC)
to Flash Renumbering Events", 6man WG meeting IETF 114,
2022, <https://datatracker.ietf.org/meeting/114/materials/
slides-114-6man-improving-the-robustness-of-stateless-
address-autoconfiguration-slaac-to-flash-renumbering-
events-00>.
[RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", RFC 3971,
DOI 10.17487/RFC3971, March 2005,
<https://www.rfc-editor.org/info/rfc3971>.
[RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and
More-Specific Routes", RFC 4191, DOI 10.17487/RFC4191,
November 2005, <https://www.rfc-editor.org/info/rfc4191>.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
DOI 10.17487/RFC6105, February 2011,
<https://www.rfc-editor.org/info/rfc6105>.
[RFC7113] Gont, F., "Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard)", RFC 7113,
DOI 10.17487/RFC7113, February 2014,
<https://www.rfc-editor.org/info/rfc7113>.
[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS Configuration",
RFC 8106, DOI 10.17487/RFC8106, March 2017,
<https://www.rfc-editor.org/info/rfc8106>.
[RFC8978] Gont, F., Žorž, J., and R. Patterson, "Reaction of IPv6
Stateless Address Autoconfiguration (SLAAC) to Flash-
Renumbering Events", RFC 8978, DOI 10.17487/RFC8978, March
2021, <https://www.rfc-editor.org/info/rfc8978>.
Authors' Addresses
Fernando Gont
SI6 Networks
Segurola y Habana 4310, 7mo Piso
Villa Devoto
Ciudad Autonoma de Buenos Aires
Argentina
Email: fgont@si6networks.com
URI: https://www.si6networks.com
Gont, et al. Expires 29 October 2023 [Page 10]
Internet-Draft LTA Algorithm April 2023
Jan Zorz
6connect
Email: jan@connect.com
Richard Patterson
Sky UK
Email: richard.patterson@sky.uk
Gont, et al. Expires 29 October 2023 [Page 11]