Hi Pascal, Thanks a lot for your review and comments! The IESG asked me to merge this draft and 6man-grand so only the latter will be published. However as most of the text from nd-cache-init has been moved to 6man-grand, your comments still apply - sorry, I missed your email and did not address them in 6man-grand-02. The changes mentioned below will appear in -03. On Fri, Sep 11, 2020 at 12:03 AM Pascal Thubert (pthubert) <pthubert=40cisco.com@xxxxxxxxxxxxxx> wrote: > =========================================================================================================== > Major > =========================================================================================================== > > > Section 3 lists a number of approaches, but that list does not match the sections 3.x coming next. > In particular there is no section that explains why we are not " Making the probing logic on hosts more robust." > It seems that if the host sends just one probe to start with, the problem goes away. There must be a reason why this is not done today. I've added the following text: " 8.7. Making the Probing Logic on Hosts More Robust Theoretically the probing logic on hosts might be modified to deal better with initial packet loss. For example, only one probe can be sent or probes retransmit intervals can be reduced. However, - This approach does not fix the root cause but just provides a work-around for one particular case of probing traffic. Packets are still being lost. - It's rather unlikely that all affected systems could be updated in any reasonable timeframe. - It would not solve the problem if there are multiple applications on the same host sending traffic and return packets arrive simultaneously. - Even if a host sends a single probe, the response might consist of multiple packets and therefore might be still affected by the problem described in this document. 8.8. Increasing the Buffer Size on Routers Increasing the buffer size and buffering more packets would exacerbate issues described in [RFC6583] and make the router more vulnerable to ND-based denial of service attacks." Would it address your comment? > --------------------------------------------------------------------------------------------------------------------------------------------- > " > Implementing such functionality is much more complicated than all > other solutions as it would involve complex data-control planes > interaction." > > As it goes, reactive ND as it stands involve complex data-control planes interactions, the hardware needs to interrupt its process and tell the software in case of a cache miss. > This process is not only complicated but subject to DoS attacks and all prone to bugs. The solution eliminates that activity for a new address and that is a major plus for the router. Sadly it does not fix the problem permanently as the cache may be flushed. I believe it is important to mention both early in the draft to better position its value (great) and limits (the Neighbor cache is still a cache so the problem is not eliminated). I've added a "Solution Limitations" section: Solution Limitations The solution described in this document provides some improvement for a node configuring a new IPv6 address and start sending traffic from it. However that approach does not completely eliminate the scenario when a router receives some transit traffic for an address without the corresponding Neighbor Cache entry. For example: -- If the host starts using an already configured IPv6 address after a long period of inactivity, the router might not have the NC entry for that address anymore, as old/expired entries are deleted. - Flashing the router Neighbor Cache would trigger the packet loss for all actively used addresses removed from the cache. > =========================================================================================================== > Minor > ===========================================================================================================" > 1. A host joins the network and receives a Router Advertisement (RA) > packet from the first-hop router (either a periodic unsolicited > RA or a response to a Router Solicitation sent by the host). > " > Maybe clarify that this is a multicast RA sent to all hosts Not necessary. Solicited RAs can be (should be) unicast. > " > The > RA contains information the host needs to perform Stateless > Address Autoconfiguration ([RFC4862]) and to configure its > network stack. > " > You could say "SLAAC and/or DHCPv6" for completeness. Does RA contain information the host needs to perform DHCPv6? I'm not so sure.. > " > As in most cases the RA also contains the link- > layer address of the router, the host can populate its Neighbor > Cache with the router's link-local and link-layer addresses. > " > Maybe also clarify in before that sentence that the source IPv6 address of the RA is a link local address of the router (section 4.2 of RFC 4861) Done: " The RA contains information the host needs to perform SLAAC and to configure its network stack. The RA is send from the router's link-local address and in most cases also contains the link-layer address of the router. As a result the host can populate its Neighbor Cache with the router's link-local and link-layer addresses. " > " > Most router > implementations buffer only one data packet while > " > Is that something you know for sure? Else, you may indicate instead that the standard only requires the router to hold one data packet. > For memory, RFC 4861 section 7.2.2. "Sending Neighbor Solicitations" says: > " > ... > While waiting for address resolution to complete, the sender MUST, > for each neighbor, retain a small queue of packets waiting for > address resolution to complete. The queue MUST hold at least one > packet, and MAY contain more. However, the number of queued packets > per neighbor SHOULD be limited to some small value. When a queue > overflows, the new arrival SHOULD replace the oldest entry. Once > address resolution completes, the node transmits any queued packets. > ... > " Changed to: "As per Section 7.2.2 of [RFC4861] Routers MUST buffer at least one data packet and MAY buffer more, while resolving the packet destination address. However most router implementations limit the buffer size to a few packets only, so all subsequent packets for the host global address are dropped, until the address resolution process is completed." > --------------------------------------------------------------------------------------------------------------------------------------------- > > "connects to the network for the first time or after a timeout long" > > Maybe "inactivity time" is more suitable than "timeout" Done. > " This option > requires some investigation and discussions and seems to be excessive > for the problem described in this document. " > > The option itself is not "excessive", it is a technical solution. Maybe you could clarify what is excessive, e.g., the complexity to migrate, to implement and deploy, or the time till a solution is available commercially on all devices. Changed to "This option requires some investigation and discussion. However the implementation complexity and unclear adoption timeline makes this approach less preferable than one proposed in this document." > =========================================================================================================== > Nits > =========================================================================================================== > > "if a host A has an neighbor": an -> a > "same sequence of events happen": happen -> happens This text did not make it to 6man-grand anyway. > Voila! Merci! ;) -- SY, Jen Linkova aka Furry -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
