Internet-Draft | Reaction to Renumbering Events | March 2023 |
Gont, et al. | Expires 14 September 2023 | [Page] |
In renumbering scenarios where an IPv6 prefix suddenly becomes invalid, hosts on the local network will continue using stale prefixes for an unacceptably long period of time, thus resulting in connectivity problems. This document improves the reaction of IPv6 Stateless Address Autoconfiguration to such renumbering scenarios.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 September 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In scenarios where network configuration information becomes invalid without any explicit signaling of that condition, hosts on the local network will continue using stale information for an unacceptably long period of time, thus resulting in connectivity problems. This problem has been discussed in detail in [RFC8978].¶
This document updates the Neighbor Discovery specification [RFC4861], the Stateless Address Autoconfiguration (SLAAC) specification [RFC4862], and other associated specifications ([RFC4191] and [RFC8106]), such that hosts can more gracefully deal with the so-called flush renumbering events, thus improving the robustness of SLAAC.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In some scenarios, the local router triggering the network renumbering event may try to deprecate the stale information (by explicitly signaling the network about the renumbering event), whereas in other scenarios the renumbering event may happen inadvertently, without the router explicitly signaling the scenario to local hosts. The following subsections analyze specific considerations for each of these scenarios.¶
In the absence of explicit signalling from SLAAC routers (such as sending Prefix Information Options (PIOs) with small lifetimes to deprecate stale prefixes), stale prefixes will remain preferred and valid according to the Preferred Lifetime and Valid Lifetime parameters (respectively) of the last received PIO. [RFC4861] specifies the following default values for PIOs:¶
This means that, in the absence of explicit signaling by a SLAAC router to deprecate a prefix, it will take a host 7 days (one week) to deprecate the corresponding addresses, and 30 days (one month) to eventually remove any addresses configured for the stale prefix. Clearly, employing such long default values is generally unacceptable for most deployment scenarios that may experience flash-renumbering events.¶
Similarly, other Neighbor Discovery optons may employ unnecessarily long lifetimes that may be unacceptable for most deployment scenarios that may experience flash-renumbering events.¶
Use of more appropriate timers in Router Advertisement messages can help limit the amount of time that hosts will maintain stale configuration information. Additionally, hosts may normally in a position to infer network configuration has changed -- for example, if a router ceases to advertise previously-advertised information.¶
Section 4.1 formally specifies the use of more appropriate (i.e., shorter) default lifetimes for Neighbor Discovery options, while Section 4.5 specifies a local policy that SLAAC hosts may implement to infer that network configuration information has changed, such that stale configuration information can be phased out.¶
In scenarios where a local router is aware about the renumbering event, it may try to phase out the stale network configuration information. In these scenarios, there are two aspects to be considered:¶
Since the network could be become partitioned at any arbitrary time and for an arbitrarily long period of time, routers need to contemplate the possible scenario where hosts receive an RA message, and the network subsequently becomes partitioned. This means that in order to reliably deprecate stale information, a router would should try to deprecate it for a period of time equal to the associated Neighbor Discovery option lifetime used when advertising the information.¶
Thus, use of more appropriate default lifetimes for Neighor Discovery options, as specified in Section 4.1, would reduce the amount of time stale options would need to be announced as such by a router in order to ensure that it is deprecated/invalidated.¶
In the case of Prefix Information Options (PIOs), in scenarios where a router has positive knowledge that a prefix has become invalid and thus could signal this condition to local hosts, the current specifications will prevent SLAAC hosts from fully recovering from such stale information: Item "e)" of Section 5.5.3 of [RFC4862] specifies that an RA may never reduce the "RemainingLifetime" to less than two hours. Additionally, if the RemainingLifetime of an address is smaller than 2 hours, then a Valid Lifetime smaller than 2 hours will be ignored. The inability to invalidate a stale prefix may prevent communications with the new "owners" of a prefix, and thus is highly undesirable. On the other hand, the Preferred Lifetime of an address *may* be reduced to any value to avoid the use of a stale prefix for new communications.¶
Section 4.2 formally updates [RFC4862] to remove this restriction, such that hosts may react to the advertised "Valid Lifetime" even if it is smaller than 2 hours. Section 4.3 recommends that routers disseminate network configuration information when a network interface is initialized, such that new configuration information propagates in a timelier manner.¶
The following subsections update [RFC4861] and [RFC4862], such that the problem discussed in this document is mitigated. The updates in the following subsections are mostly orthogonal, and mitigate different aspects of SLAAC that prevent a timely reaction to flash renumbering events.¶
Reduce the default Valid Lifetime and Preferred Lifetime of PIOs (Section 4.1):¶
This helps limit the amount of time a host may employ stale information, and also limits the amount of time a router needs to try to deprecate stale information.¶
Honor PIOs with small Valid Lifetimes (Section 4.2):¶
This allows routers to invalidate stale prefixes, since otherwise [RFC4861] would prevent hosts from honoring PIOs with a Valid Lifetime smaller than two hours.¶
Recommend routers to retransmit configuration information upon interface initialization/reinitialization (Section 4.3):¶
This helps spread the new information in a timelier manner, and also deprecate stale information via host-side heuristics (see Section 4.5).¶
Recommend routers to always send all options (i.e. the complete configuration information) in RA messages, and in the smallest possible number of packets (Section 4.4):¶
This helps propagate the same information to all hosts, and also allows hosts to better infer that information missing in RA messages has become stale (see Section 4.5).¶
Infer stale network configuration information from received RAs (Section 4.5):¶
This allows hosts to deprecate stale network configuration information, even in the absence of explicit signaling.¶
This document defines the following variables to be employed for the default lifetimes of Neighbor Discovery options:¶
where:¶
The expression above computes of maximum among AdvDefaultLifetime and "3 * MaxRtrAdvInterval" (the default value of AdvDefaultLifetime, as per [RFC4861]) to accommodate the case where an operator might simply want to disable one local router for maintenance, while still having the router advertise SLAAC configuration information.¶
[RFC4861] specifies the default value of MaxRtrAdvInterval as 600 seconds, and the default value of AdvDefaultLifetime as 3 * MaxRtrAdvInterval. Therefore, when employing default values for MaxRtrAdvInterval and AdvDefaultLifetime, the default values of ND_DEFAULT_PREFERRED_LIFETIME and ND_DEFAULT_VALID_LIFETIME become 1800 seconds (30 minutes) and 3600 seconds (1 one hour), respectively. We note that when implementing BCP202 [RFC7772], AdvDefaultLifetime will typically be in the range of 45-90 minutes, and therefore the value of ND_DEFAULT_PREFERRED_LIFETIME will be in the range 45-90 minutes, while the value of ND_DEFAULT_VALID_LIFETIME will be in the range of 90-180 minutes.¶
This document formally updates [RFC4861] to modify the default values of the Preferred Lifetime and the Valid Lifetime of PIOs as follows:¶
This document formally updates [RFC4191] to specify the default Route Lifetime of Route Information Options (RIOs) as follows:¶
This document formally updates [RFC8106] to modify the default Lifetime of Recursive DNS Server Options as:¶
Additionally, this document formally updates [RFC8106] to modify the default Lifetime of DNS Search List Options as:¶
The entire item "e)" (pp. 19-20) from Section 5.5.3 of [RFC4862] is replaced with the following text:¶
The behavior described in [RFC4862] had been incorporated during the revision of the original IPv6 Stateless Address Autoconfiguration specification ([RFC1971]). At the time, the IPNG working group decided to mitigate the attack vector represented by Prefix Information Options with very short lifetimes, on the premise that these packets represented a bigger risk than other ND-based attack vectors [IPNG-minutes].¶
While reconsidering the trade-offs represented by such decision, we conclude that the drawbacks of the aforementioned mitigation outweigh the possible benefits.¶
In scenarios where RA-based attacks are of concern, proper mitigations such as RA-Guard [RFC6105] [RFC7113] or SEND [RFC3971] should be implemented.¶
When an interface is initialized, it is paramount that network configuration information is spread on the corresponding network (particularly in scenarios where an interface has been re-initialized, and the conveyed information has changed). Thus, this document replaces the following text from Section 6.2.4 of [RFC4861]:¶
with:¶
Intentionally omitting information in Router Advertisements may prevent the propagation of such information, and may represent a challenge for hosts that need to infer whether they have received a complete set of SLAAC configuration information. As a result, this section recommends that, to the extent that is possible, RA messages contain a complete set of SLAAC information.¶
This document replaces the following text from Section 6.2.3 of [RFC4861]:¶
with:¶
This section specifies an algorithm, "Lifetime Avoidance Algorithm" (LTA), that allows hosts to infer that previously-advertised configuration information (such as autoconfiguration prefixes) has become stale, such that the stale information can be deprecated in a timelier manner. Most of the value of this algorithm is in being able to mitigate the problem discussed in [RFC8978] at hosts themselves, without relying on changes in SLAAC router implementations.¶
The algorithm consists of two conceptual building-blocks:¶
Possible configuration changes can be inferred when a SLAAC router (as identified by its link-local address) ceases to advertise a previously-advertised information. Therefore, hosts can record what configuration information has been advertised by each local router, and infer a configuration change when a router ceases to advertise previously-advertises configuration information.¶
Inscenarios where possible configuration changes have been detected, hosts should poll the local router via unicasted Router Solicitations (RS) to verify that the router in question has indeed ceased to advertise the aforementioned information. If this condition is confirmed, the corresponding configuration information should be discarded.¶
In the context of multi-prefix/multi-router networks [RFC8028] [RFC8504], SLAAC configuration information should be associated with each advertising router. Thus, when a router ceases to advertise some configuration information:¶
Implementation of this kind of heuristic allows a timelier reaction to network configuration changes even in scenarios where there is no explicit signaling from the network, thus improving robustness.¶
As discussed in Section 4.4, [RFC4861] does not require routers to convey all RA options in the same message. Therefore, the algorithm specified in this section is designed such that it can cope with this corner case that, while not found in the deployed Internet, is allowed by [RFC4861].¶
The LTA algorithm SHOULD be applied to the following Neighbor Discovery options:¶
In the context of multi-prefix/multi-router networks [RFC8028] [RFC8504], each option from Section 4.5.1 is associated with each advertising SLAAC router. Therefore, hosts should record what configuration information has been advertised by each local router.¶
Additionally, hosts associate with piece of configuration information received via SLAAC options a timestamp (INFO_LAST variable below) that records the time at which this information was last advertised by a particular router.¶
The algorithm specified in this document employs the following variables:¶
A timestamp associated with each piece of SLAAC information (from Section 4.5.1) received from each SLAAC advertising router.¶
Initialization when a new SLAAC advertising router is learned:¶
LTA_MODE=FALSE LTA_LAST=0 RS_LAST=0 RS_COUNT=0 LTA_CYCLE=RA_WIN+RS_RNDTIME+RS_COUNT_MAX*RS_TIMEOUT¶
Upon receipt of a Router Advertisement message, and after normal processing of the message, perform the following actions:¶
TIME= time() For each piece of SLAAC configuration information advertised by this router in the received RA: INFO_LAST= TIME IF LTA_MODE==FALSE && TIME > (LTA_LAST+LTA_CYCLE) IF this RA is missing any previously-advertised information: LTA_MODE=TRUE LTA_LAST=TIME¶
The goal of checking "(LTA_LAST+LTA_CYCLE)" is to prevent the host from re-entering the LTA_mode in a short period of time in the theoretical corner-case where:¶
Time-driven events:¶
IF LTA_MODE==TRUE: TIME=time() IF TIME > (LTA_LAST + LTA_CYCLE) Disaasociate any options for which INFO_LAST < LTA_LAST LTA_MODE= FALSE RS_COUNT= 0 ELSE IF TIME > (LTA_LAST + RA_WIN + RS_RNDTIME) && TIME > (RS_LAST + RS_TIMEOUT) && RS_COUNT < RS_COUNT_MAX: IF for all options INFO_LAST >= LTA_LAST LTA_MODE= FALSE RS_COUNT= 0 ELSE SendRS() RS_LAST=TIME RS_COUNT++¶
NOTES:¶
This document has no actions for IANA.¶
[NOTE: This section is to be removed by the RFC-Editor before this document is published as an RFC.]¶
This section summarizes the implementation status of the updates proposed in this document. In some cases, they correspond to variants of the mitigations proposed in this document (e.g., use of reduced default lifetimes for PIOs, albeit using different values than those recommended in this document). In such cases, we believe these implementations signal the intent to deal with the problems described in [RFC8978] while lacking any guidance on the best possible approach to do it.¶
We have produced a patch for OpenBSD's rad(8) [rad] that employs the default lifetimes recommended in this document, albeit it has not yet been committed to the tree. The patch is available at: <https://www.gont.com.ar/code/fgont-patch-rad-pio-lifetimes.txt>.¶
The radvd(8) daemon [radvd], normally employed by Linux-based router implementations, currently employs different default lifetimes than those recommended in [RFC4861]. radvd(8) employs the following default values [radvd.conf]:¶
This is not following the specific recommendation in this document, but is already a deviation from the current standards.¶
A Linux kernel implementation of this document has been committed to the net-next tree. The implementation was produced in April 2020 by Fernando Gont <fgont@si6networks.com>. The corresponding patch can be found at: <https://patchwork.ozlabs.org/project/netdev/patch/20200419122457.GA971@archlinux-current.localdomain/>¶
NetworkManager [NetworkManager] processes RA messages with a Valid Lifetime smaller than two hours as recommended in this document.¶
We know of no implementation that splits network configuration information into multiple RA messages.¶
The dhcpcd(8) daemon [dhcpcd], a user-space SLAAC implementation employed by some Linux-based and BSD-derived operating systems, will set the Preferred Lifetime of addresses corresponding to a given prefix to 0 when a single RA from the router that previously advertised the prefix fails to advertise the corresponding prefix. However, it does not affect the corresponding Valid Lifetime. Therefore, it can be considered a partial implementation of this feature.¶
[FRITZ] is a Customer Edge Router that tries to deprecate stale prefixes by advertising stale prefixes with a Preferred Lifetime of 0, and a Valid Lifetime of 2 hours (or less). There are two things to note with respect to this implementation:¶
The protocol update in Section 4.2 could allow an on-link attacker to perform a Denial of Service attack against local hosts, by sending a forged RA with a PIO with a Valid Lifetime of 0. Upon receipt of that packet, local hosts would invalidate the corresponding prefix, and therefore remove any addresses configured for that prefix, possibly terminating e.g. associated TCP connections. However, an attacker may achieve similar effects via a number other Neighbor Discovery (ND) attack vectors, such as directing traffic to a non-existing node until ongoing TCP connections time out, or performing a ND-based man-in-the-middle (MITM) attack and subsequently forging TCP RST segments to cause on-going TCP connections to be reset. Thus, for all practical purposes, this attack vector does not really represent any greater risk than other ND attack vectors. As noted in Section 4.2 , in scenarios where RA-based attacks are of concern, proper mitigations such as RA-Guard [RFC6105] [RFC7113] or SEND [RFC3971] should be implemented.¶
The authors would like to thank (in alphabetical order) Mikael Abrahamsson, Tore Anderson, Luis Balbinot, Brian Carpenter, Lorenzo Colitti, Owen DeLong, Gert Doering, Thomas Haller, Nick Hilliard, Bob Hinden, Philip Homburg, Lee Howard, Christian Huitema, Tatuya Jinmei, Erik Kline, Ted Lemon, Jen Linkova, Albert Manfredi, Roy Marples, Florian Obser, Jordi Palet Martinez, Michael Richardson, Hiroki Sato, Mark Smith, Hannes Frederic Sowa, Dave Thaler, Tarko Tikan, Ole Troan, Eduard Vasilenko, and Loganaden Velvindron, for providing valuable comments on earlier versions of this document.¶
The algorithm specified in Section 4.5 is the result of mailing-list discussions over previous versions of this document with Philip Homburg.¶
Fernando would like to thank Alejandro D'Egidio and Sander Steffann for a discussion of these issues, which led to the publication of [RFC8978], and eventually to this document.¶
Fernando would also like to thank Brian Carpenter who, over the years, has answered many questions and provided valuable comments that has benefited his protocol-related work.¶
[This section is to be removed before publication of this document as an RFC].¶
During the discussion of this document, some alternative workarounds were suggested on the 6man mailing-list. The following subsections analyze these suggested workarounds, in the hopes of avoiding rehashing the same discussions.¶
It has been suggested that if configured addresses become stale, a CPE enforcing ingress/egress filtering (BCP38) ([RFC2827]) could send ICMPv6 Type 1 (Destination Unreachable) Code 5 (Source address failed ingress/egress policy) error messages to the sending node, and that, upon receipt of such error messages, the sending node could perform heuristics that might help to mitigate the problem discussed in this document.¶
The aforementioned proposal has a number of drawbacks and limitations:¶
[RFC6724] specifies source address selection (SAS) for IPv6. Conceptually, it sorts the candidate set of source addresses for a given destination, based on a number of pair-wise comparison rules that must be successively applied until there is a "winning" address.¶
An implementation might improve source address selection, and prefer the most-recently advertised information. In order to incorporate the "freshness" of information in source address selection, an implementation would be updated as follows:¶
[RFC6724] is updated such that this rule is incorporated:¶
A clear benefit of this approach is that a host will normally prefer "fresh" addresses over possibly stale addresses.¶
However, there are a number of drawbacks associated with this approach:¶
This new rule may help to improve the selection of a source address, but it does not help with the housekeeping (garbage collection) of configured information:¶
As a result, updating IPv6 source address selection does not relieve nodes from improving their SLAAC implementations as specified in Section 4, if at all desirable. On the other hand, the algorithm specified in Section 4.5 would result in Rule 3 of [RFC6724] employing fresh addresses, without leading to non-deterministic behaviour.¶