Re: Best practice - dual stack DNS?
Hi,

On Tue, Oct 22, 2013 at 04:45:02AM +, Eric Vyncke (evyncke) wrote:
> I can confirm the lack of support on IOS (see my email address). Moreover, AFAIK there is no support in Windows, Android and Mac OS/X

There is support in iOS, though :-)

Gert
-- 
have you enabled IPv6 on something today...?

SpaceNet AG
Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Tel: +49 (0)89/32356-444
Management board: Sebastian v. Bomhard; chairman of the supervisory board: A. Grundner-Culemann
Commercial register: HRB 136055 (AG Muenchen); VAT ID: DE813185279
Re: Over-utilisation of v6 neighbour slots
On 22 Oct 2013, at 06:03, Eric Vyncke (evyncke) wrote:
> But, the rapid rate of new RFC 4941 addresses for iOS has another impact because network devices cannot anymore limit the number of IPv6 addresses per MAC address in order to prevent a local DoS. So, either you disable SLAAC and rely on stateful DHCPv6 (but then Android is not happy) or use aggressive time to clean the ND cache...

... with the attendant difficulty in tracing systems that might be doing Bad Things. We have a mixture of Sup2Ts and Sup720s and we don't (yet) have v6 enabled on most of them. It's stuff like this that makes me think it's *still* not time to offer a general v6 service.

Sam
-- 
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Over-utilisation of v6 neighbour slots
On 22/10/13 10:18, Sam Wilson wrote:
> On 22 Oct 2013, at 06:03, Eric Vyncke (evyncke) wrote:
>> But, the rapid rate of new RFC 4941 addresses for iOS has another impact because network devices cannot anymore limit the number of IPv6 addresses per MAC address in order to prevent a local DoS. So, either you disable SLAAC and rely on stateful DHCPv6 (but then Android is not happy) or use aggressive time to clean the ND cache...
>
> ... with the attendant difficulty in tracing systems that might be doing Bad Things. We have a mixture of Sup2Ts and Sup720s and we don't (yet) have v6 enabled on most of them. It's stuff like this that makes me think it's *still* not time to offer a general v6 service.

I disagree - and since I'm the one who posted about the problem, I call dibs on getting to decide how serious it is ;o)

We offer a general IPv6 service, and we've had very few real problems. It is NOT as hard as people make out, and if you wait until every last problem is solved, you'll be waiting forever. You'll also be missing out on the opportunity to learn about issues early and influence your vendors and your own future purchases in appropriate ways.

"Hold off on IPv6" is something I would recommend to my competitors...
Re: Over-utilisation of v6 neighbour slots
Hi Phil,

> 1. Has anyone else run into this sort of thing (neighbour table exhaustion) and what kind of approach did you take to solving or ameliorating it? DHCPv6?

We ran into the same problem as well. Not on a wireless network, but on a large Ethernet campus. The problem is that we are stacking several switches into one virtual switch. The benefits are great, but the problem is that the cache size is not the combined size of the physical switches' caches, but the size of one physical switch's cache. This is understandable, but you will face the same problem as on the wireless network: cache exhaustion. Decreasing the exhaustion time was the first solution, but then we had to move several VLANs to another switch to load-balance the caches.

> 2. Does anyone know if Apple (and other vendors) understand the negative consequences of their aggressive rotation of IPv6 privacy addresses, and are going to address it?

Probably not, because Windows behaviour is the same. Not so aggressive, but that is because personal computers are used in a different way than mobile phones.

> 3. Does anyone know if any equipment vendors have more intelligent strategies for handling this kind of situation - LRU expiry of v6 neighbours at 90% util rather than self-destructing FIB overflow, for example ;o)

The HP/H3C we are using will deny creation of a new record, which is also quite bad. Everything works for already connected clients but new clients fail. It's great for troubleshooting.

> [We're aware the sup720 is old, but it seems like this could be an issue even for more recent devices at sufficient scale]

Absolutely, we tested switches from several vendors and the problem is the same. The cache size for IPv6 is always smaller than the IPv4 cache size, and this is a problem because even in the perfect use case you need an IPv6 cache twice as big as the IPv4 one: link-local + global addresses.

Regards,
Matej
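The cache-pressure pattern described in this thread (one MAC holding a stream of RFC 4941 temporary addresses, on top of the link-local entry every host needs anyway) can be spotted from the neighbour table itself before the hardware hits its limit. The following is an added example, not code from the thread or from any vendor: it parses Linux `ip -6 neigh show` output (a constructed sample is embedded), counts link-local and global entries per MAC, compares total occupancy against an assumed cache capacity, and flags MACs that exceed an assumed per-MAC global-address threshold. The capacity figure, the 90% warning level and the per-MAC threshold are assumptions; a switch CLI prints its table differently, so only the parser would need adapting.

```python
"""IPv6 neighbour-cache utilisation check.

Added example for this thread, not vendor or list-member code. The
capacity, warning level and per-MAC threshold below are assumptions,
and SAMPLE_NEIGH is constructed data in `ip -6 neigh show` format.
"""
from collections import defaultdict
from ipaddress import IPv6Address

# Constructed sample: one host rotating RFC 4941 addresses aggressively,
# two well-behaved hosts, and one unresolved entry with no link-layer address.
SAMPLE_NEIGH = """\
fe80::1a2b:3cff:fe4d:5e6f dev eth0 lladdr 18:2b:3c:4d:5e:6f REACHABLE
2001:db8:1::1a2b:3cff:fe4d:5e6f dev eth0 lladdr 18:2b:3c:4d:5e:6f STALE
2001:db8:1::9c1e:22ab:7d11:f03 dev eth0 lladdr 18:2b:3c:4d:5e:6f STALE
2001:db8:1::41f0:8e2c:1b77:5a9d dev eth0 lladdr 18:2b:3c:4d:5e:6f STALE
2001:db8:1::c0a1:55e3:9f02:6b44 dev eth0 lladdr 18:2b:3c:4d:5e:6f REACHABLE
2001:db8:1::7e39:d1c4:2aa:e871 dev eth0 lladdr 18:2b:3c:4d:5e:6f STALE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::aaa:bbff:fecc:dddd dev eth0 lladdr 08:aa:bb:cc:dd:dd STALE
2001:db8:1::aaa:bbff:fecc:dddd dev eth0 lladdr 08:aa:bb:cc:dd:dd DELAY
2001:db8:1::dead dev eth0 FAILED
"""


def parse_neigh(text):
    """Parse `ip -6 neigh show` lines. Entries without 'lladdr' (INCOMPLETE,
    FAILED) get mac=None but still count: they occupy a slot in the table."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        addr = IPv6Address(tokens[0])
        mac = tokens[tokens.index("lladdr") + 1] if "lladdr" in tokens else None
        entries.append({
            "addr": addr,
            "mac": mac.lower() if mac else None,
            "state": tokens[-1],
            "link_local": addr.is_link_local,
        })
    return entries


def addresses_per_mac(entries):
    """Link-local vs global address count per MAC; unresolved entries are skipped."""
    counts = defaultdict(lambda: {"link_local": 0, "global": 0})
    for e in entries:
        if e["mac"] is None:
            continue
        counts[e["mac"]]["link_local" if e["link_local"] else "global"] += 1
    return dict(counts)


def utilisation(entries, capacity):
    """Fraction of the assumed ND cache capacity currently occupied."""
    return len(entries) / capacity


def churn_suspects(counts, max_global_per_mac):
    """MACs holding more global addresses than the assumed per-MAC threshold,
    most addresses first; this is what privacy-address rotation looks like."""
    over = [mac for mac, c in counts.items() if c["global"] > max_global_per_mac]
    return sorted(over, key=lambda m: -counts[m]["global"])


def min_cache_for_hosts(n_hosts, global_per_host=1):
    """Lower bound on slots: each host needs its link-local entry plus its
    global one(s), so even the ideal case needs twice the IPv4 ARP count."""
    return n_hosts * (1 + global_per_host)


def report(text, capacity, max_global_per_mac=3, warn_at=0.9):
    """Summarise a neighbour table against assumed capacity and thresholds."""
    entries = parse_neigh(text)
    counts = addresses_per_mac(entries)
    util = utilisation(entries, capacity)
    return {
        "entries": len(entries),
        "hosts": len(counts),
        "utilisation": util,
        "over_threshold": util >= warn_at,
        "suspects": churn_suspects(counts, max_global_per_mac),
        "min_slots_ideal": min_cache_for_hosts(len(counts)),
    }


if __name__ == "__main__":
    # capacity=16 is an assumed hardware limit for the constructed sample
    for key, value in report(SAMPLE_NEIGH, capacity=16).items():
        print("%-16s %s" % (key, value))
```

Run it against a real table with the capacity your platform documents, and watch both numbers: total utilisation says when entries will start being refused, and the suspects list says which hosts are consuming the slots, which is the tracing problem the thread mentions.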
RE: Best practice - dual stack DNS?
FWIW, the RFC6106 support that's in IOS (big I) allows one to specify DNS Server Addresses but not, currently, the DNS Search List. As Lorenzo mentioned, this is in the latest ASR1000 release, and will appear on other platforms over time as their releases pick up the latest version of ND. E.g. for the T release on ISRs, this is intended to ship in Q1CY14 - but as ever, contact your account team for committed dates.

Trevor

From: ipv6-ops-bounces+twarwick=cisco@lists.cluenet.de On Behalf Of Eric Vyncke (evyncke)
Sent: 22 October 2013 06:15
To: Lorenzo Colitti
Cc: Roger Wiklund; ipv6-ops@lists.cluenet.de
Subject: RE: Best practice - dual stack DNS?

> I stand corrected and thanks for the good pieces of news
>
> -éric
>
> From: Lorenzo Colitti [mailto:lore...@google.com]
> Sent: Tuesday 22 October 2013 10:42
> To: Eric Vyncke (evyncke)
> Cc: Roger Wiklund; ipv6-ops@lists.cluenet.de; Brian E Carpenter
> Subject: RE: Best practice - dual stack DNS?
>
>> AIUI Cisco supports RFC 6106 on the ASR1K. Mac OS X and iOS do support it, I think (tested recently). Android does not yet support it. Windows does not support it.
>>
>> On 22 Oct 2013 13:45, Eric Vyncke (evyncke) evyn...@cisco.com wrote:
>>> I can confirm the lack of support on IOS (see my email address). Moreover, AFAIK there is no support in Windows, Android and Mac OS/X
>>>
>>> -éric
>>>
>>> From: ipv6-ops-bounces+evyncke=cisco@lists.cluenet.de On Behalf Of Roger Wiklund
>>> Sent: Tuesday 22 October 2013 01:54
>>> To: Brian E Carpenter
>>> Cc: ipv6-ops@lists.cluenet.de
>>> Subject: Re: Best practice - dual stack DNS?
>>>
>>>> Not supported on either IOS or JUNOS afaik.
>>>>
>>>> /Roger
>>>>
>>>> On Mon, Oct 21, 2013 at 9:41 PM, Brian E Carpenter brian.e.carpen...@gmail.com wrote:
>>>>> What about http://tools.ietf.org/html/rfc6106 ?
>>>>>
>>>>> Brian
>>>>>
>>>>> On 22/10/2013 01:24, Roger Wiklund wrote:
>>>>>> Hi. I'm setting up a wireless guest network with dual stack. Private IPv4 via DHCP and public IPv6 via SLAAC. At first I had the client first-hop IPv6 routing on the WAN CPE using SLAAC and DHCPv6 just for DNS. I decided to move the client first-hop IPv6 routing to the ASA firewall instead, but it does not support DHCPv6. So currently I only have IPv4 DNS, and that works just fine. What's the best practice for dual stack DNS? Should I bother with setting up DHCPv6 relay etc.?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> /Roger
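For the RFC 6106 side of this discussion, this is what the two Router Advertisement options look like on the wire: RDNSS (type 25) carries the server addresses that the thread says IOS can now send, and DNSSL (type 31) carries the search list it cannot yet. This is an added example, not code from the thread or from any vendor: it encodes and decodes both options with Python's struct and ipaddress modules, rejects the malformed cases a receiver should discard (zero-length option, even RDNSS length, truncated option), and checks the option lifetime against the bound RFC 6106 section 5.1 recommends, MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval. The server addresses, domain names and the MaxRtrAdvInterval value are constructed sample values.

```python
"""RFC 6106 RDNSS (type 25) and DNSSL (type 31) ND option codec.

Added example for this thread, not vendor or list-member code. The
server addresses, domains and MaxRtrAdvInterval used at the bottom are
constructed sample values.
"""
import struct
from ipaddress import IPv6Address

ND_OPT_RDNSS = 25          # RFC 6106 section 5.1
ND_OPT_DNSSL = 31          # RFC 6106 section 5.2
LIFETIME_INFINITY = 0xFFFFFFFF


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a root label."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_names(buf):
    """Decode back-to-back wire names; zero padding after the last name is skipped."""
    names, i = [], 0
    while i < len(buf):
        if buf[i] == 0:                      # padding octet
            i += 1
            continue
        labels = []
        while i < len(buf) and buf[i] != 0:
            n = buf[i]
            labels.append(buf[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1                               # root label
        names.append(".".join(labels))
    return names


def build_rdnss(servers, lifetime):
    """Type, Length (8-octet units: 1 for the header + 2 per address), Reserved, Lifetime, addresses."""
    if not servers:
        raise ValueError("RDNSS needs at least one address")
    body = b"".join(IPv6Address(s).packed for s in servers)
    return struct.pack("!BBHI", ND_OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime) + body


def build_dnssl(domains, lifetime):
    """Same 8-octet header; names are zero-padded to an 8-octet boundary."""
    names = b"".join(encode_name(d) for d in domains)
    pad = (-(8 + len(names))) % 8
    length = (8 + len(names) + pad) // 8
    return struct.pack("!BBHI", ND_OPT_DNSSL, length, 0, lifetime) + names + b"\x00" * pad


def parse_options(buf):
    """Walk an ND option block, decoding RDNSS/DNSSL and keeping other options raw.
    Raises ValueError on the malformed cases RFC 4861/6106 say a receiver must discard."""
    opts, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated option header")
        typ, length = buf[i], buf[i + 1]
        if length == 0:
            raise ValueError("zero-length ND option")
        size = length * 8
        chunk = buf[i:i + size]
        if len(chunk) != size:
            raise ValueError("option runs past end of buffer")
        lifetime = struct.unpack("!I", chunk[4:8])[0] if size >= 8 else None
        if typ == ND_OPT_RDNSS:
            if length < 3 or length % 2 == 0:
                raise ValueError("RDNSS length must be odd and >= 3")
            servers = [IPv6Address(chunk[8 + 16 * k:24 + 16 * k]) for k in range((length - 1) // 2)]
            opts.append({"type": "RDNSS", "lifetime": lifetime, "servers": servers})
        elif typ == ND_OPT_DNSSL:
            if length < 2:
                raise ValueError("DNSSL length must be >= 2")
            opts.append({"type": "DNSSL", "lifetime": lifetime, "domains": decode_names(chunk[8:])})
        else:
            opts.append({"type": typ, "raw": chunk[2:]})
        i += size
    return opts


def lifetime_ok(lifetime, max_rtr_adv_interval):
    """RFC 6106 section 5.1 bound; 0 (withdraw) and all-ones (infinity) are always legal."""
    if lifetime in (0, LIFETIME_INFINITY):
        return True
    return max_rtr_adv_interval <= lifetime <= 2 * max_rtr_adv_interval


if __name__ == "__main__":
    # Constructed sample: two resolvers, two search domains, MaxRtrAdvInterval 600 s.
    ra_opts = build_rdnss(["2001:db8::53", "2001:db8::54"], 1200) + \
              build_dnssl(["example.net", "corp.example.net"], 1200)
    for opt in parse_options(ra_opts):
        print(opt, "lifetime within RFC 6106 bound:", lifetime_ok(opt["lifetime"], 600))
```

The lifetime check is the operational caveat worth keeping: a router that advertises a lifetime shorter than its own MaxRtrAdvInterval makes clients drop the resolver between RAs, and one that advertises a very long lifetime keeps a stale resolver alive on hosts that have moved to another network.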
Re: Over-utilisation of v6 neighbour slots
On Oct 22, 2013, at 3:18 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 10/22/2013 04:56 AM, Doug Barton wrote:
>> Has anyone communicated directly with the Apple folks on this issue?
>
> How would one even *do* that?

I unicasted this offline to someone I know at Apple: hopefully she can get attention from the right people.

David Barak