-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-gont-6man-slaac-dns-config-issues-00.xml
369 lines (270 loc) · 20.8 KB
/
draft-gont-6man-slaac-dns-config-issues-00.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc strict="no" ?>
<rfc
ipr="noDerivativesTrust200902"
category="std"
updates="6106"
docName="draft-gont-6man-slaac-dns-config-issues-00">
<front>
<title abbrev="SLAAC DNS Configuration Issues">Current issues with DNS Configuration Options for SLAAC</title>
<area>Internet</area>
<workgroup>IPv6 maintenance Working Group (6man)</workgroup>
<author
fullname="Fernando Gont"
initials="F."
surname="Gont">
<!-- abbrev not needed but can be used for the header
if the full organization name is too long -->
<organization abbrev="SI6 Networks / UTN-FRH">SI6 Networks / UTN-FRH</organization>
<address>
<postal>
<street>Evaristo Carriego 2644</street>
<code>1706</code><city>Haedo</city>
<region>Provincia de Buenos Aires</region>
<country>Argentina</country>
</postal>
<phone>+54 11 4650 8472</phone>
<email>[email protected]</email>
<!-- <email>[email protected]</email> -->
<!--
<uri>http://www.cpni.gov.uk</uri>
<uri>http://www.gont.com.ar</uri>
-->
<uri>http://www.si6networks.com</uri>
<!-- If I had a phone, fax machine, and a URI, I could add the following: --->
</address>
</author>
<author
fullname="Pavel Šimerda"
initials="P."
surname="Šimerda">
<address>
<phone>+420 775 996 256</phone>
<email>[email protected]</email>
</address>
</author>
<date year="2012" />
<abstract>
<t>
RFC 6106 specifies two Neighbor Discovery options that can be included in Router Advertisement messages to convey information about DNS recursive servers and DNS Search Lists. Small lifetime values for the aforementioned options have been found to cause interoperability problems in those network scenarios in which these options are used to convey DNS-related information. This document analyzes the aforementioned problem, and formally updates RFC 6106 such that these issues are mitigated.
</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="intro">
<t>
RFC 6106 <xref target="RFC6106"/> specifies to Neighbor Discovery (ND) <xref target="RFC4861"/> options that can be included in Router Advertisement messages to convey information about DNS recursive servers and DNS Search Lists. Namely, the Recursive DNS Server (RDNSS) Option specifies the IPv6 addresses of recursive DNS servers, while the DNS Search List (DNSSL) Option specifies a "search list" to be used when trying to resolve a name by means of the DNS.
</t>
<t>Each of this options include a "Lifetime" field which specifies the maximum time, in seconds, during which the information included in the option can be used by the receiving system. The aforementioned "Lifetime" value is set as a function of the Neighbor Discovery parameter 'MaxRtrAdvInterval', which specifies the maximum time allowed between sending unsolicited multicast Router Advertisements from an interface. The recommended bounds (MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval) have been found to be too short for scenarios in which some Router Advertisement messages may be lost. In such scenarios, host may fail to receive unsolicited Router Advertisements and therefore fail to refresh the expiration time of the DNS-related information previously learned through the RDNSS and DNSSL options), thus eventually discarding the aforementioned DNS-related information prematurely.
</t>
<t>Some implementations consider the lack of DNS-related information as a hard failure, thus causing configuration restart. This situation is exacerbated in those implementations in which IPv6 connectivity and IPv4 connectivity are bound together, and hence failure in the configuration of one of them causes the whole link to be restarted.
</t>
<t><xref target="solutions"/> proposes a number of ALTERNATIVE solutions to the problem, such that the 6man wg can discuss both of them. It is expected that once the 6man wg converges on a preferred solution, the other ones will be removed from the document.
</t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC 2119 <xref target="RFC2119"/>.</t>
</section>
<section title="Possible Solutions" anchor="solutions">
<t>This section describes a number of possible ALTERNATIVE solutions to the problem, such that the 6man wg can discuss both of them. It is expected that once the 6man wg converges on a preferred solution, the other one will be removed from the document.
</t>
<section title="Summary of possible solutions" anchor="summary">
<t>
<xref target="change-semantics"/> proposes to change the semantics of the RDNSS/DNSSL 'Lifetime', thus fixing the 'expiration' problem outlined in <xref target="intro"/> and the potential of 'network configuration oscillation'. <xref target="change-defaults"/> proposes to increase the 'Lifetime' value at the sending routers, fixing the "expiration" problem outlined in <xref target="intro"/>, but without addressing the potential of 'network configuration oscillation'. <xref target="active-probing"/> proposes to send Router Solicitations when expiration of RDNSS/DNSSL information is imminent, to elicit Router Advertisement messages. <xref target="sanitize-lifetime"/> proposes to enforce a lower limit on the received RDNSS/DNSSL 'Lifetime' values at the client side.
</t>
</section>
<section title="Changing the Semantics of the 'Lifetime' field of RDNSS and DNSSL options" anchor="change-semantics">
<!--
<t>This document proposes a number of updates to RFC 6106, such that the aforementioned issues can be mitigated.</t>
-->
<t>The semantics of the 'Lifetime' field of the RDNSS and DNSSL options is updated as follows:
<list style="symbols">
<t>The 'Lifetime' field indicates the amount of time during which the aforementioned DNS-related information is expected to be stable.</t>
<t>If the information received in a RDNSS or DNSSL option is already present in the corresponding data structures, the corresponding 'Expiration' time should be updated according to the value in the 'Lifetime' field of the received option. A 'Lifetime' of '0' causes the corresponding information to be discarded, as already specified in <xref target="RFC6106"/>.
</t>
<t>If a host has already gathered a sufficient number of RDNSS addresses (or DNS search domain names), and additional data is received while the existing entries have not yet expired, the received RDNSS addresses (or DNS search domain names) SHOULD be ignored.
</t>
<t>If a host receives new RDNSS addresses (or DNS search domain names), and some of the existing entries have expired, the newly-learned information SHOULD be used to replace the expired entries.
</t>
<t>A host SHOULD flush configured DNS-related information when it has any reason to believe that its network connectivity has changed in some relevant way (e.g., there has been a "link change event"). When that happens, the host MAY send a Router Solicitation message to re-learn the corresponding DNS-related information.
</t>
<t>The most-recently-updated information SHOULD have higher priority over the other DNS-related information already present on the local host.</t>
</list>
</t>
<t>The rationale for the suggested change is as follows:
<list style="symbols">
<t>It is a backwards-compatible local-policy change that solves the problem described in <xref target="intro"/> without requiring changes to router software or router configuration in existing deployments (over which the user is likely to have no control at all).</t>
<!--
<t>The change in the semantics of the 'Lifetime' field of RDNSS and DNSSL options</t>
-->
<t>Since different RDNSS and DNSSL information could be sent by the same router in different Router Advertisement messages, the updated semantics of the 'Lifetime' parameter prevents oscillations in network configuration.
<list style="hanging">
<t>This situation could arise for a number of reasons. For example, if the desire for different 'Lifetime' values warrants the use of different RDNSS or DNSSL options, and because of packet size issues each option must be included in a separate Router Advertisement message, each burst of RAs could cause DNS-related information to be reconfigured.
</t>
<t>Another possible scenario that could lead to the same situation is that in which there is more than one local router, and each of the local routers announces different RDNSS (or DNSSL) information. If the number of RDNSS addresses (or DNS search domain names) that the local host considers "sufficient" prevents the aggregate set of RDNSS (or DNSSL) information, the local RDNSS (or DNSSL) information would oscillate between that advertised by each of the local routers.
</t>
</list>
</t>
<t>The original motivation for enforcing a short expiration timeout value was to allow mobile nodes to prefer local RDNSSes to remote RDNSSes. However, the recommendation in the last bullet above already allows for a timely update of the corresponding DNS-related information. Additionally, since it is already recommended by <xref target="RFC6106"/> to maintain some RDNSS addresses (or DNS search domain names) per source, in the typical scenarios in which a single router (per subnet) advertises configuration information, one of this 'slots' will be free (or have expired information) and readily available to be populated with information learned from the new subnet to which the host has moved.</t>
</list>
</t>
</section>
<section title="Changing the Default Values of the 'Lifetime' field of RDNSS and DNSSL options" anchor="change-defaults">
<t>The default RDNSS/DNSSL "Lifetime" value in current the current router solutions vary between MaxRtrAdvInterval
and 2*MaxRtrAdvInterval. This means that common packet loss rates can lead to the problem described in this document.</t>
<t>One possible approach to mitigate this issue would be to avoid 'Lifetime' values that are on the same order as MaxRtrAdvInterval. This solution would require, of course, changes in router software. </t>
<t>When specifying a better default value, the following aspects should be considered:</t>
<list style="symbols">
<t>IPv6 will be used on many links (including IEEE 802.11) that experience packet loss. Therefore losing a few packets in a short period of time should not invalidate DNS configuration information.</t>
<t>Unsolicited Router Advertisements sent on Ethernet networks result in packets that employ multicast Ethernet Destination Addresses. A number of network elements (including those that perform bridging between wireless networks and wired networks) have problems with multicasted Ethernet frames, thus typically leading to packet loss of some of those frames. Therefore, SLAAC implementations should be able to cope with devices that can lose several multicast packets in a row.</t>
</list>
<t>The default value of AdvRDNSSLifetime and AdvDNSSLLifetime MUST be at least 5*MaxRtrAdvInterval so that the probability of hosts receiving unsolicited Router Advertisements is increased.
<!--
I've commented this out. If this is a "MUST", the imlementation shouldn't allow the admin to behave otherwise.
When the administrator sets a lower value, the router system SHOULD issue a warning.--></t>
<!--
<t>Administrators of implementations not conforming to this
document SHOULD change both configuration options to
at least 5*MaxRtrAdvInterval to mitigate this problem.</t>
-->
<t>This solution leaves out the following situations:</t>
<list style="symbols">
<t>In those scenarios in which the involved routers cannot be updated this solution will not be applicable. This also limitation also applies to nomadic hosts that can connect to many different networks. This case will be discussed later in this document.</t>
<t>The affected network has a huge multicast packet loss. This unfortunately happens in some real networks.
<!---
Pavel,
I have commented this piece out, since this wouldn't "fly" in 6man. Our document would essentially affect basic assumptions made with SLAAC (e.g., that multicast is usable).
This is very hard to mitigate unless unicast Router Solicitation and Router Advertisement are used. Administrators SHOULD avoid using SLAAC with multicast Router Advertisements on such networks.
-->
</t>
<t>This solution does not address the potential 'network configuration oscillation' issue described in <xref target="change-semantics"/>.
</t>
</list>
</section>
<section title="Use Router Solicitations for active Probing" anchor="active-probing">
<t>According to RFC 6106, hosts MAY send Router Solicitations to avoid expiry of RDNSS and DNSSL lifetimes. This technique could be employed as a "last resort" when expiration of the RDNSS and DNSSL information is imminent.</t>
<!--
<t>TODO: We should either specify when and how this
technique should be used or specify that it should not be used at
all. For the rest of this section I will assume that we
want to encourage its use and document the possible problems
with this method.</t>
-->
<t>Hosts SHOULD start sending multicast Router Solicitation when most of the Lifetime of the last RDNSS server is consumed. The precise time should be a randomized value chosen from 70% to 90% of the original Lifetime to avoid bursts of packets from other hosts on the network. Hosts MAY send up to MAX_RTR_SOLICITATIONS Router Solicitation messages, each separated by at least RTR_SOLICITATION_INTERVAL seconds (please see Section 6.3.7 of <xref target="RFC4861"/>.</t>
<!--
Pavel,
The same approach should apply to both options.
<t>TODO: What to do with last DNSSL? Their nature is totally
different from RDNSS.</t>
-->
<!--
Pavel,
I've added text about retransmissions (see above).
<t>TODO: Router Solicitations SHOULD be repeated to avoid
packet loss. At first I
suggested 10-20 seconds but there are other possibilities</t>
-->
<t>Problems of this approach:</t>
<list style="symbols">
<t>If no IPv6 router responds, all previously connected hosts will repeatedly send Router Solicitations and only stop doing so when their RDNSS and DNSSL information finally expires. This could disrupt IPv4 networking in larger networks and that must be avoided.</t>
<t>If IPv6 router responds with unicast Router Advertisement, it may need to respond to many clients.
<!--
Pavel,
This (see below) wouldn't make sense, since we're assuming that multicasted RAs result in packet loss!
Therefore it is advisable to let the router respond in multicast (or maybe both?).
-->
</t>
<t>There is no other SLAAC information that requires or would benefit from this kind of "active probing".</t>
<t>This approach does not mitigate the potential 'network configuration oscillation' problem described in <xref target="change-semantics"/>.</t>
</list>
<t>NOTE: We should either state a very good reason to specialcase DNS timeouts or deprecate Router Solicitations in RFC 6106 entirely. Deprecation is the more favorable option in our opinion.</t>
</section>
<section title="Sanitize the received RDNSS/DNSSL 'Lifetime' Values" anchor="sanitize-lifetime">
<t>Another possible approach would be to enforce a lower limit on the received RDNSS/DNSSL 'Lifetime' values on the client side. The challenge this technique is the selection of a reasonable value. On the router side, it can be derived from MaxRtrAdvInterval but this value is not known to the client side.</t>
<t>Therefore we would have to assume some maximum value of MaxRtrAdvInterval and use it to derive minimum value of lifetimes instead of the actual MaxRtrAdvInterval.</t>
<t>It should be noted that this approach would not address the potential 'network configuration oscillation' issue described in <xref target="change-semantics"/>.
</t>
</section>
</section>
<section title="Security Considerations">
<t>This document does not introduce any additional security considerations to those documented in the "Security Considerations" section of <xref target="RFC6106"/>.</t>
</section>
<section title="Acknowledgements">
<!--
Pavel,
I've commented out te Acks.. since we're co-authoring, it does not make much sense to split hairs on who discovered/proposed what.
<t>The problem discussed in this document was discovered and reported to the 6man wg mailing-list by Pavel Simerda (and also confirmed by Teemu Savolainen thereafter). The solution proposed in <xref target="solution"/> was envisioned by Fernando Gont.</t>
-->
<!--
<t>The author would like to thank (in alphabetical order) XXX for providing valuable comments on earlier versions of this document.</t>
-->
</section>
</middle>
<back>
<references title='Normative References'>
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2460" ?>
<?rfc include="reference.RFC.4861" ?>
<?rfc include="reference.RFC.6106" ?>
</references>
<references title='Informative References'>
</references>
<!--
This is now included in the main-body.
<section title="Analysis of other possible solutions" anchor="alt-solutions">
<t>As part of the recent discussion on the 6man mailing-list, it has been suggested that recommended 'Lifetime' value of RDNSS and DNSSL options be increased, as one of the possible solutions to the problem described in <xref target="intro"/>. The reasons for which such approach is not recommended in this document are:
<list style="symbols">
<t>It would require an update to router software, something that might be harder to perform (if at all possible) than an update to the corresponding host software.</t>
<t>This 'solution' does not address the potential network configuration oscillation issue discussed in <xref target="solution"/> and <xref target="additional-notes"/>.</t>
</list>
</t>
</section>
-->
<section title="Additional notes regarding RFC 6106" anchor="additional-notes">
<t>Section 5.2 of <xref target="RFC6106"/> states:
<list style="hanging">
<t>
An RDNSS address or a DNSSL domain name MUST be used only as long as both the RA router Lifetime (advertised by a Router Advertisement message [RFC4861]) and the corresponding option Lifetime have not expired.
</t>
</list>
</t>
<t>This requirement could introduce problems in scenarios in which the router advertising the RDNSS or DNSSL options is not expected to be employed as a "default router", and hence the 'Router Lifetime' value of its Router Advertisement messages is set to 0.
<list style="hanging">
<t>As noted in Section 4.2 of <xref target="RFC4861"/>, the Router Lifetime applies only to the router's usefulness as a default router, and it does not apply to information contained in other message fields or options.
</t>
</list>
Therefore, it would be sensible to exclude the 'Router Lifetime information when deciding about the validity or "freshness" of the DNS-related configuration information.
</t>
<t>Section 5.3.1 of <xref target="RFC6106"/> states:
<list style="hanging">
<t>
When the IPv6 host has gathered a sufficient number (e.g., three) of RDNSS addresses (or DNS search domain names), it SHOULD maintain RDNSS addresses (or DNS search domain names) by the sufficient number such that the latest received RDNSS or DNSSL is more preferred to the old ones; that is, when the number of RDNSS addresses (or DNS search domain names) is already the sufficient number, the new one replaces the old one that will expire first in terms of Lifetime.
</t>
</list>
</t>
<t>As noted earlier in this document, this policy could lead (in some scenarios) to network configuration oscillations. Therefore, it would be sensible to enforce some minimum stability of the configured information, such as that resulting from the update in <xref target="change-semantics"/>.
</t>
<t>Section 6.3 of <xref target="RFC6106"/> states:
<list style="hanging">
<t>
Step (d): For each DNSSL domain name, if it does not exist in the
DNS Search List, register the DNSSL domain name and Lifetime with
the DNS Search List and then insert the DNSSL domain name in front
of the Resolver Repository. In the case where the data structure
for the DNS Search List is full of DNSSL domain name entries (that
is, has more DNSSL domain names than the sufficient number
discussed in Section 5.3.1), delete from the DNS Server List the
entry with the shortest Expiration-time (i.e., the entry that will
expire first).
</t>
</list>
This policy could lead to the same network configuration oscillation problems as described above for the RDNSS addresses. Therefore, it would be sensible to enforce some minimum stability of the configured information, such as that resulting from the update in <xref target="change-semantics"/>.
</t>
</section>
</back>
</rfc>