Netdev List
 help / color / mirror / Atom feed
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
To: "Stefan (metze) Metzmacher" <metze@samba.org>
Cc: netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
Subject: Re: [ipv6] valid_lft and active connections
Date: Wed, 15 Jun 2011 12:37:41 +0900	[thread overview]
Message-ID: <1308109061.19757.40.camel@cirrhata> (raw)
In-Reply-To: <4DF753C6.1000700@samba.org>

Stefan (metze) Metzmacher wrote:
> Am 14.06.2011 13:41, schrieb YOSHIFUJI Hideaki:
> > Hello.
> > 
> > Stefan (metze) Metzmacher wrote:
> >> If I use ipv6 addresses with valid_lft != forever, the ipv6 addresses
> >> are removed from the interface if the valid_lft expires, even if there're
> >> established connection which use with address.
> >>
> >> Would it be possible keep the address until the last active connection
> >> is closed? Otherwise the usable of the privacy extensions will make
> >> very long living tcp connections impossible.
> >>
> > 
> > I cannot imagine why you do not hear RAs before the address expires.
> 
> They do not reset the valid lifetime counter for temporary addresses.
> 
> And I think that valid_lft and preferred_lft should work with a manual
> configured setup in a similar way.

This is because of RFC3041 Section 3.3:

|   1) Process the Prefix Information Option as defined in [ADDRCONF],
|      either creating a public address or adjusting the lifetimes of
|      existing addresses, both public and temporary.  When adjusting the
|      lifetimes of an existing temporary address, only lower the
|      lifetimes.  Implementations must not increase the lifetimes of an
|      existing temporary address when processing a Prefix Information
|      Option.

It would be make sense to allow extending valid lifetime of non-deprecated
addresses, but not sure.

> > And well, I don't think it is a good idea because it is not what
> > "valid lifetime" means.
> > 
> > We have 3 states:
> > 
> > 1) time <= preferred lifetime
> > 2) preferred lifetime < time <= valid lifetime
> > 3) valid lifetime < lifetime
> > 
> > You can make new connection during the period of 1 and you can continue
> > using that connection during the period of 1 and 2.
> 
> But it means tcp connection can not last longer than the valid lifetime of
> a temporary address, which is very ugly as the application layer will
> run into
> timeouts instead of getting an immediate error when the kernel drops the
> related ip.
> 

Valid lifetime represents administrative "hard" lifetime.  If it 
expired, all address must be gone.

> > Ask network administrator to advertise longer "valid" lifetime, if
> > needed, and you may want to make net.ipv6.conf.*.max_addresses larger.
> 
> My aim is to have a preferred lifetime of say 4 hours, in order to have
> no limit
> on the lifetime of tcp connections, I'd have to set valid lifetime to
> forever,
> which means that I'll have about 180 addresses on an interface after
> a month (8760 after a year) which are mostly all unused.

This is how it works.

How can you determine if one address is not unused at all?
For UDP, applications only know, for example.

In fact, RFC3041 Section 3.4 says:
|   As an optional optimization, an implementation may wish to remove a
|   deprecated temporary address that is not in use by applications or
|   upper-layers.  For TCP connections, such information is available in
|   control blocks.  For UDP-based applications, it may be the case that
|   only the applications have knowledge about what addresses are
|   actually in use.  Consequently, one may need to use heuristics in
|   deciding when an address is no longer in use (e.g., the default
|   TEMP_VALID_LIFETIME suggested above).

Of course, we could have some sysctl (but default must be off
(or moderate; do it if the number addresses exceeds some limit).

> Do you know a better solution?

Ask your administrator to advertise larger valid lifetime.
Otherwise, other implementation will have similar issues, anyway.

We could have above "optimization" with sysctl.

And, please note that if you want to change address preference in 
an application, consider using IPV6_ADDR_PREFERENCES socket
option.

--yoshfuji


      reply	other threads:[~2011-06-15  3:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-06-14 10:39 [ipv6] valid_lft and active connections Stefan (metze) Metzmacher
2011-06-14 11:41 ` YOSHIFUJI Hideaki
2011-06-14 12:27   ` Stefan (metze) Metzmacher
2011-06-15  3:37     ` YOSHIFUJI Hideaki [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1308109061.19757.40.camel@cirrhata \
    --to=yoshfuji@linux-ipv6.org \
    --cc=metze@samba.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox