>> Despite the fact that RFCs prohibit hosts from reducing the valid
>> lifetime to less than 2 hours in response to a received RA, some
>> routers do send such RAs and some hosts do (in violation of the
>> standards) deprecate the prefixes accordingly. This is kind of a
>> no-win situation because if you deprecate the prefix, you have
>> weaponized (spoofed) RAs as a mechanism to tell a host to deprecate
>> a prefix. OTOH, if you don't deprecate the prefix, you have a
>> situation where the user may well be suffering for at least two
>> hours with a non-functional stale prefix.
>
> There are two lifetimes: the preferred lifetime and the valid lifetime.
> The two hour limit only applies to the valid lifetime. (RFC 4862,
> Section 5.5.3)
>
> So an address can always be deprecated (preferred lifetime is zero),
> but it will remain valid for 2 hours or the current valid lifetime,
> whichever is less.

Yes, I conflated some terms… Sorry…

To be clear: Some routers send PIOs in RAs with a valid lifetime of 0 and some systems erroneously process that and invalidate said prefix. This violates RFC4862 and is a potential DOS vector.

If you invalidate the prefix, you have weaponized RAs as discussed in RFC4862.

A deprecated valid prefix that actually should be invalid will cause less suffering than a non-deprecated prefix in the same circumstance, but the no-win situation I was describing remains.

Owen

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
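
The lifetime rule discussed in the message above (RFC 4862, Section 5.5.3), shown beside the erroneous handling of a PIO with valid lifetime 0. This is an added example, not part of the original thread and not code from any real IPv6 stack; the names `AddrState`, `update_rfc4862` and `update_noncompliant` and the sample lifetimes are assumptions made for illustration.

```python
# Added example: RFC 4862 Section 5.5.3 (e) lifetime update for an existing
# SLAAC address. All names are hypothetical, not taken from a real stack.
from dataclasses import dataclass

TWO_HOURS = 2 * 60 * 60  # seconds


@dataclass
class AddrState:
    preferred: int  # remaining preferred lifetime, seconds
    valid: int      # remaining valid lifetime, seconds ("RemainingLifetime")


def update_rfc4862(addr, pio_preferred, pio_valid, authenticated=False):
    """Apply a received PIO to an address as RFC 4862 5.5.3 describes."""
    # 5.5.3 (c): ignore a PIO whose preferred lifetime exceeds its valid lifetime.
    if pio_preferred > pio_valid:
        return addr
    remaining = addr.valid
    if pio_valid > TWO_HOURS or pio_valid > remaining:
        new_valid = pio_valid            # rule 1: use the advertised value
    elif remaining <= TWO_HOURS:
        # rule 2: ignore the valid lifetime unless the RA was authenticated (SEND)
        new_valid = pio_valid if authenticated else remaining
    else:
        new_valid = TWO_HOURS            # rule 3: clamp to two hours
    # The preferred lifetime is always taken from the PIO, so preferred=0
    # deprecates the address at once while it stays valid.
    return AddrState(preferred=pio_preferred, valid=new_valid)


def update_noncompliant(addr, pio_preferred, pio_valid):
    """The erroneous behaviour: trust the advertised valid lifetime outright."""
    return AddrState(preferred=pio_preferred, valid=pio_valid)


def is_usable(addr):
    """An address can carry traffic only while its valid lifetime is nonzero."""
    return addr.valid > 0


# Constructed scenario: an address with one day left receives an
# unauthenticated RA whose PIO has preferred=0 and valid=0.
before = AddrState(preferred=14400, valid=86400)
compliant = update_rfc4862(before, 0, 0)
noncompliant = update_noncompliant(before, 0, 0)
```

In the constructed scenario the compliant host ends with a deprecated address that stays valid for two hours, while the non-compliant host loses the address immediately.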