Mailing List Archive: NANOG: users

What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets

Index | Next | Previous | View Threaded

mpetach at netflight

May 6, 2012, 8:25 AM

Post #1 of 10 (348 views)
Permalink

What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets

(tl;dr -- IPv6 link-local definition is ambiguous and inconsistent
across vendors)

I'm curious about what people's perception of valid link-local
addresses is; that is, what specifically makes a valid link-local
address?

The top portion of RFC 4291 lists the link-local prefix as:

2.4. Address Type Identification
The type of an IPv6 address is identified by the high-order bits of
the address, as follows:
Address type Binary prefix IPv6 notation Section
------------ ------------- ------------- -------
Link-Local unicast 1111111010 FE80::/10 2.5.6
Global Unicast (everything else)

(from http://tools.ietf.org/html/rfc4291#section-2.4 )

Thus, it would *seem* that an address such as

fe80:1:1:1::2/64

when configured on an interface for its link-local address would
be a valid link-local address, as it falls within fe80::/10

However, when we read section 2.5.6, we see a different
definition:

2.5.6. Link-Local IPv6 Unicast Addresses

Link-Local addresses are for use on a single link. Link-Local
addresses have the following format:

| 10 |
| bits | 54 bits | 64 bits |
+----------+-------------+---------------------+
|1111111010| 0 | interface ID |
+----------+-------------+---------------------+

Link-Local addresses are designed to be used for addressing on a
single link for purposes such as automatic address configuration,
neighbor discovery, or when no routers are present.

Routers must not forward any packets with Link-Local source or
destination addresses to other links.

(from http://tools.ietf.org/html/rfc4291#section-2.5.6 )

That section indicates that *only* addresses out of
fe80:0:0:0::/64
are valid link local addresses; that is, where the
upper 64 bits are precisely
1111111010000000000000000000000000000000000000000000000000000000

(1111111010 followed by 54 0 bits).

Is section 2.5.6 wrong? Should it have been written
more like section 2.5.7, that specified the address
as a prefix, followed by 54 bits of subnet ID? Or
did the authors really intend that most of fe80::/10
remain unused, and *only* a single /64 at the very
start of fe80::/10 would be valid?

I ask this because I'm running into situations where
indeed it seems that some router vendors do literally
only treat fe80::/64 as link-local, and *all other addresses
out of fe80::/10 are treated as global unicast*.

This has potential implications on the types of filtering
people may be assuming their router vendors are doing;
and, with respect to the parent thread, when you talk
about routers forwarding link-local packets, it would
probably be good to verify with your vendors whether
they take the sentence
"Routers must not forward any packets with Link-Local source or
destination addresses to other links."
to apply to all of fe80::/10, or only to the more
restrictive fe80::/64 specified in section 2.5.6.

I will note that empirical testing shows that even
different product lines from the same vendor show
different behaviours, as though some engineers
read section 2.5.6 in detail, and others simply
read section 2.4, and skipped the fine print.

So...operators...what do *you* think the correct
definition is? And which way would you prefer
your router vendors to read RFC4291? Do you
prefer the loose definition from section 2.4, or
do you prefer the stricter definition from section
2.5.6? Given that the RFC is ambiguous, and
has been for the past six years, I'd tend to think
the IETF doesn't really have a strong position one
way or the other, and is leaving it up to us as
operators to vote with our money, and give guidance
to router vendors as to which definition we'd like them
to follow.

Personally, I know my vote is to go with section 2.4,
rather than leave all the rest of fe80::/10 in an unusable
grey state, where some devices treat it as global unicast,
and others treat it as link-local. If we all standardize on
the reading in 2.5.6, we leave the entire rest of the /10
fallow, with only one /64 usable from it.

Which way do *you* vote?

Thanks!

Matt

dr at cluenet

May 6, 2012, 9:04 AM

Post #2 of 10 (340 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

On Sun, May 06, 2012 at 08:25:06AM -0700, Matthew Petach wrote:
> So...operators...what do *you* think the correct
> definition is? And which way would you prefer
> your router vendors to read RFC4291?

I would expect them to follow 2.4, even if the current spec says that
the 54 bits between /10 and /64 are supposed to be set to 0 today.
And indeed, it's the most pragmatic way to deal with that fuzzy spec.

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr [at] cluenet -- dr [at] IRCne -- PGP: 0xA85C8AA0

marka at isc

May 6, 2012, 3:08 PM

Post #3 of 10 (334 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

Any address withing FE80::/10 is a link local address, however when
you are constructing a link local address you sent bits [11..64]
to zero. It's quite common for a specification to only use a subset
of the reserved space which is what happens here.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

randy at psg

May 6, 2012, 3:48 PM

Post #4 of 10 (343 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

> Any address withing FE80::/10 is a link local address

said with great authority. shame the rfc does not do the same. matt
points out a spec and implementation problem.

randy

marka at isc

May 6, 2012, 4:38 PM

Post #5 of 10 (332 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

In message <m24nrtapud.wl%randy [at] psg>, Randy Bush writes:
> > Any address withing FE80::/10 is a link local address
>
> said with great authority. shame the rfc does not do the same. matt
> points out a spec and implementation problem.
>
> randy

Zero is there to remove the "what do I set these bits to" problem
for auto configuration when you have the standard /64 net/host
split. The FE80::/10 is still clearly shown in 2.5.6 as a seperate
group of bits.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

cmadams at hiwaay

May 6, 2012, 8:40 PM

Post #6 of 10 (330 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

Once upon a time, Randy Bush <randy [at] psg> said:
> > Any address withing FE80::/10 is a link local address
>
> said with great authority. shame the rfc does not do the same. matt
> points out a spec and implementation problem.

Well, the prefix length of 10 vs. 64 is hardly relevant when major
routers ignore the part about not forwarding the packets anyway.
--
Chris Adams <cmadams [at] hiwaay>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

mysidia at gmail

May 6, 2012, 10:42 PM

Post #7 of 10 (329 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

On 5/6/12, Matthew Petach <mpetach [at] netflight> wrote:
> I'm curious about what people's perception of valid link-local
> addresses is; that is, what specifically makes a valid link-local
> address?

> The top portion of RFC 4291 lists the link-local prefix as:
[snip]
> Link-Local unicast 1111111010 FE80::/10 2.5.6
> Global Unicast (everything else)

/10 is the link-local prefix.
Every address in this /10 is part of the link-local prefix, and no IP address
in this /10 is a valid global unicast address.

> Thus, it would *seem* that an address such as
> fe80:1:1:1::2/64
> when configured on an interface for its link-local address would
> be a valid link-local address, as it falls within fe80::/10

This is in the the link-local prefix, but not a valid address, it doesn't
follow the format of a link local address as noted by 2.5.6.

[snip]
> Routers must not forward any packets with Link-Local source or
> destination addresses to other links.
> (from http://tools.ietf.org/html/rfc4291#section-2.5.6 )
> did the authors really intend that most of fe80::/10
> remain unused, and *only* a single /64 at the very
> start of fe80::/10 would be valid?

The usage of the remainder of the /10 reserved for link local
is unspecified.; It is conceivable but unlikely that uses might be
defined in the future.

> I ask this because I'm running into situations where
> indeed it seems that some router vendors do literally
> only treat fe80::/64 as link-local, and *all other addresses
> out of fe80::/10 are treated as global unicast*.

This is definitely erroneous, since fe80::/10 is excluded from the
global unicast address range.

Addresses outside the first /64 _might_ be valid link-local or not,
whatever they are, they are definitely not valid global unicast
addresses, and they fall within the link-local range: routers are
required to not forward packets with a source or destination within
the /10.

> This has potential implications on the types of filtering
> people may be assuming their router vendors are doing;

When we are talking about security matters... it's definitely not
safe to assume your vendor has implemented all the source/destination
address filtering they should.

Implement suitable testing to verify.

--
-JH

bill at herrin

May 7, 2012, 5:56 AM

Post #8 of 10 (325 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

On 5/6/12, Matthew Petach <mpetach [at] netflight> wrote:
> Which way do *you* vote?

Hi Matthew,

Cisco routers forward packets for 127.0.0.0/8 unless explicitly
configured not to, treating it like any other unicast address.

Linux load balancers require a special kernel patch to also use them
as routers because the kernel authors failed to conceive of a
situation where accepting an external packet with a source address
matching a configured interface address was, in fact, a correct thing
to do.

I vote for the Cisco approach. It has occasionally quirky results but
it's also flexible enough to handle situations the protocol designers
didn't conceive of.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin [at] dirtside bill [at] herrin
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

bzeeb-lists at lists

May 7, 2012, 9:36 AM

Post #9 of 10 (323 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

On 7. May 2012, at 12:56 , William Herrin wrote:

> I vote for the Cisco approach. It has occasionally quirky results but
> it's also flexible enough to handle situations the protocol designers
> didn't conceive of.

Isn't it a simple scope violation in IPv6 and thus a bug and with that end of story?
I mean the check isn't even overly expensive in this case... and I can't see how much meaningful
other than unicast traffic passing a gateway you could do this way anyway. The worst
someone sends a small packet and you get a huge reply to a local node that didn't ask
for it keeping your switches and two random machines busy or generating a bit of nd noise,
or ...

19:12:31.257674 02:00:00:00:08:0b > 02:00:00:00:07:0a, ethertype IPv6 (0x86dd), length 70: (hlim 64, next-header ICMPv6 (58) payload length: 16) fe80::ff:fe00:80b > 2001:db8::1: [icmp6 sum ok] ICMP6, echo request, seq 12
19:12:31.257817 02:00:00:00:07:0a > 02:00:00:00:08:0b, ethertype IPv6 (0x86dd), length 118: (hlim 64, next-header ICMPv6 (58) payload length: 64) fe80::ff:fe00:70a > fe80::ff:fe00:80b: [icmp6 sum ok] ICMP6, destination unreachable, beyond scope 2001:db8::1, source address fe80::ff:fe00:80b

I actually tried to see if I could cross the atlantic with such a packet,
only to find that I didn't have an exist gateway showing this bug. Oh well,
I am safe.

/bz

--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!

mysidia at gmail

May 7, 2012, 9:26 PM

Post #10 of 10 (316 views)
Permalink

Re: What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets [In reply to]

On 5/7/12, William Herrin <bill [at] herrin> wrote:
> On 5/6/12, Matthew Petach <mpetach [at] netflight> wrote:
>> Which way do *you* vote?
> Hi Matthew,
> Cisco routers forward packets for 127.0.0.0/8 unless explicitly
> configured not to, treating it like any other unicast address.

The difference with IPv4, is the RFC1122 requirement is on hosts to
not allow the network number { 127, <any> } to appear outside the
host. There's no RFC requirement that a router refuse to forward
traffic with a source or destination address within the reserved
loopback network number. I a router filters based on source address
it is an added feature. there's no rfc requirement that an IPv4 router
"must not forward a packet with a source or destination address in the
[IPv4] loopback range". The Cisco behavior for 127/8 with IPv4
is therefore quite reasonable.

With IPv6, there is a RFC MUST requirement that such packets to the
link local address space not be forwarded, therefore that Cisco
behavior would be severely broken/ in IPv6 with regards to fe80::/10:
an IPv6 router must not forward such packets as would be allowed with
normal unicast addresses.

(Even if the router is configured with one of those addresses, locally)

--
-JH

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads