nanog mailing list archives

Re: IPv6 Deployment for the LAN

From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Thu, 22 Oct 2009 11:59:54 +0200

On 21 okt 2009, at 23:34, David W. Hankins wrote:

There is a problem with the "Both RA and DHCPv6 Model" currently
proposed by IETF iconoclasts.  Should RA fail, for any reason from
router, system, software, network path, security, or user error,
then the simplest networks imaginable (where hosts and mail/Intranet/
work servers are all co-located on the same broadcast domain) will
not be able to talk to one another,


Or the rest of the world.

Note however that it is very hard to get false negatives for RAs andeven harder to get false positives. The only way I've had RAs fail inthe real world was with multilayer switches that wouldn't let IPv6multicasts through because they couldn't do IGMP snooping for those.This affected RAs but also all other neighbor discovery, and wouldhave affected DHCPv6, too. So in this situation IPv6 is completelydead in the water.

The good thing is that you don't get any false positives, where a hostthinks there's a router somewhere but there's not actually a routerthere. This is because when a router stops being a router it will alsostop sending RAs.

All of this works extremely well, I can't think of any instance wherethere is any trouble with RAs, except of course the problem of roguerouters advertising themselves. However, this is not really anydifferent from the situation in IPv4 where rogue DHCP serversadvertise stuff they shouldn't advertise.

To work around this problem, some DHCPv6 software implementers have
elected to temporarily apply a fixed /64 bit prefix to all applied
addresses until a prefix length can be made available in-band through
some means.

Why not simply fix the DHCPv6 protocol so it has a prefix lengthattribute?

DHCP'ers can complain about stateless autoconfig and RAs, but thesimple truth is that DHCPv6 has problems that are unrelated toanything outside DHCPv6 that haven't been fixed in the half a decadethat I've been paying attention to it.

But it may complicate your designs if you
are assigning /80's.

RFC 3513 says that all interface identifiers for addresses outside ::/3 must be 64 bits in size. That doesn't work with a /80. So I'm notsure if using DHCPv6 with /80s will work on all systems.

According to the release notes of ISC DHCP 4.1.0, ISC 'dhclient -6'
compiles and runs on Mac OSX.  I don't actually own a Mac, so I have
never used it myself, and our release notes even go into detail about
the limitations of the current 'dhclient-script' for the Darwin
platform (apparently their configuration system is somewhat opaque).

MacOS detects when interface go online and offline and does all kindsof stuff when that happens. For instance, you can't globally enable/disable stateless autoconfig on MacOS, either.

Manually running a script when the interface status changes is arather blunt way to interact with the system.

Does anyone know if Apple has plans to release a DHCPv6 client forMac OS X?

No...but I have heard plans of the exact opposite.


[...]

When people at
the microphone asked why Apple did not include a DHCPv6 client
implementation, even a stateless one, I believe Bernard Aboba
addressed the concern at the microphone saying, and I am paraphrasing
from memory here, "We were told by the IETF that RA was all we would
ever need, implementing DHCPv6 is optional, so RA is all we are
doing."

I don't remember that. What I do remember is that Stuart Cheshire ofApple explained how he was unhappy that it was necessary to run arather involved protocol (DHCPv6) for the relatively simple task ofobtaining DNS resolver addresses.

To summarize, RA+DHCPv6 implementers are posed with problems:

...which apparently some DHCPv6 people want to solve by ALWAYS runningtheir chatty protocol that wastes a lot of bandwidth on wireless LANsuntil people give in and just run a DHCPv6 server just to get rid ofthe constant DHCP retransmissions that can't be stopped any other waybecause actually looking at the O/M bits is of course way too simple.


I hate this crap so much.

Current thread:

Re: IPv6 Deployment for the LAN, (continued)
- - Re: IPv6 Deployment for the LAN Ray Soucy (Oct 18)
    - Re: IPv6 Deployment for the LAN trejrco (Oct 19)
    - Re: IPv6 Deployment for the LAN Ron Broersma (Oct 19)
    - Re: IPv6 Deployment for the LAN Ray Soucy (Oct 19)
- Re: IPv6 Deployment for the LAN David W. Hankins (Oct 21)
  - Re: IPv6 Deployment for the LAN Karl Auer (Oct 21)
    - Re: IPv6 Deployment for the LAN David W. Hankins (Oct 22)
    - Re: IPv6 Deployment for the LAN Karl Auer (Oct 22)
    - Re: IPv6 Deployment for the LAN David W. Hankins (Oct 22)
  - Re: IPv6 Deployment for the LAN Perry Lorier (Oct 21)
  - Re: IPv6 Deployment for the LAN Iljitsch van Beijnum (Oct 22)
    - Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
- Re: IPv6 Deployment for the LAN Karl Auer (Oct 17)
  - Re: IPv6 Deployment for the LAN Iljitsch van Beijnum (Oct 21)
    - Re: IPv6 Deployment for the LAN Ray Soucy (Oct 21)
    - Re: IPv6 Deployment for the LAN Cord MacLeod (Oct 21)
    - Re: IPv6 Deployment for the LAN Karl Auer (Oct 21)
- Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
  - Re: IPv6 Deployment for the LAN Joe Maimon (Oct 22)
    - Re: IPv6 Deployment for the LAN Owen DeLong (Oct 22)
    - Re: IPv6 Deployment for the LAN Joe Maimon (Oct 23)