Re: slaacd: Reduce maximum IPv6 PIO lifetimes

Fri, 27 Mar 2020 11:58:12 -0700 

On 27/3/20 15:21, Florian Obser wrote:

I do like the limiting of pltime to router lifetime, the factor of 48
though. I don't know it seems like pulled out of thin air or to make
the math work out to 1 day.



It was made out so that vltime would be one day. To be honest, I believe 
that it could and should be smaller than thay (say, 2*pltime) -- at the 
end of the day:


* For ongoing sessions, TCP and such would nevertheless time out

* If the concern is local communications:
  1) One could set only ULAs to this long lifetime, and normal GUAs to
     something shorter
  2) And anyway, for local link communications, you have link-local
     addresses


But I ended up setting it to 48 * Router Lifetime because some IETF wg 
participants were a bit scared.  So I opted for this conservative 
choice... the multiplier can always be changed later.





I'm not fundamentally opposed to it and I'm fine with this going in if
the draft is accepted or if it's clear that there is going to be WG
concensus. Meaning we don't have to wait for this becoming and RFC.
I'm currently not up2date on what's going on on the list. What's the
state of this? I will also do a bit more reading on my own.



The topic has been discussed for about a year. There seemed to be 
consensus about reducing the defaults. For instance, one of the original 
authors of the ND spec noted that the current values are just insane, 
and the PIO lifetimes should be small (like the ones in my draft).
I'm supposed to present this stuff at the next 6man meeting. 6man is 
generally a pain (it took me over 6 years to replace the traditional 
SLAAC IIDs with RFC7217, via RFC8064).



The problem, and the need to do something, has been acknowledged: the 
v6ops wg already accepted the problem statement I-D: 
https://tools.ietf.org/html/draft-ietf-v6ops-slaac-renum-01



The problem can even happen accidentally if you e.g. configure rad(8), 
realize that made a typo, kill the daemon, change the config, and 
restart the daemon. -- the old prefix would live there for a loooong time.


Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

























					Reply via email to