]> Google

1 Darling Island Rd Pyrmont NSW 2009 AU furry13@gmail.com furry@google.com

OPS Area v6ops Working Group IPv6 SLAAC This document provides recommendations to network infrastructure vendors on how to deal with multiple IPv6 addresses per host.

Introduction One of the fundamental differences between IPv4 and IPv6 is that an IPv6 host can, and almost always does have multiple IPv6 addresses. RFC7934 discusses this aspect and explicitly states that IPv6 deployments SHOULD NOT limit number of IPv6 addresses a host can have. RFC7934 is mostly focuses on various methods of address assignment and how those methods should provide multiple addresses per host. However network devices, especially wireless ones performing Neighbor Discovery proxy, often have hardcoded limits on how many IPv6 addresses are allowed per a single MAC. When that limit is exceeded, traffic to/from the affected IPv6 addresses is blocked. Such failure mode is rather hard to diagnoze (as IPv6 addresses on a device may obtain and lose connectivity randomly) and leads to poor user experience. This document provides recommendations to network infrastructure device vendors on how to deal with multiple IPv6 addresses per device.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Impact of Limiting Number of IPv6 Addresses per Host The most common scenario of network-imposed limitations is Neighbor Discovery (ND) proxy. Many enterprise-scale wireless solutions implement ND proxy to reduce amount of broadcast and multicast downstream (AP to clients) traffic. To perform ND proxy a device usually maintains a table, containing IPv6 and MAC addresses of connected clients. At least some implementations have hardcoded limits on how many IPv6 addresses per a single MAC such a table can contain. When the limit is exceeded the behaviour is implementation-dependent. Some vendors just fail to install N+1 address to the table. Other delete the oldest entry for this MAC and replace it with the new address. In any case the affected addresses lose network connectivity. The problem is exacerbated by the following:

• For the given set of device IPv6 addresses the affected subset may vary over time (depending on what addresses have been used to send traffic recently), which drastically complicates the troubleshooting.
• The host and applications do not receive any explicit signals, the traffic is just blackholed.
• Previously working address might become affected if another IPv6 address is assigned to the host. In that case existing traffic flows can be interrupted and even on a dual-stack network Happy Eyeballs would not be able to mitigate the issue, as the failure occurs too late for IPv4 fallback.

As internal implementation details might require a vendor to limit the number of IPv6 addresses per host, it's crucial to provide some recommendations on how to minimize the negative impact of imposing such a limit, especially as virtualiztion on endpoints and IPv6-only WiFi networks are gaining momentum.

Recommendations on Handling Multiple IPv6 Addresses per Host If a network equipment manufacturer deems it necessary to impose any limit to a number of IPv6 addresses per host (or MAC address):

• The limit SHOULD be configurable.
• The default value MUST be at least 20.
• If the limit is exceeded, the device SHOULD log an error message containing the affected IPv6 address and device identificator (MAC address).
• If the limit is exceeded, the device SHOULD attempt to minimize the disruptions to existing flows, for example use Least-Recently-Used (LRU) algorithm to remove the oldest entry from the list of addresses.

IANA Considerations This memo includes no request to IANA.

Security Considerations TBA - I guess there is a risk of a host to create a lot of addresses and exhaust device memory.

References Normative References Informative References

Acknowledgements TBA

Contributors Thanks to Lorenzo Colitti for the discussions, the input and all contribution.