RA & DHCP problem...

Nick Hilliard nick at foobar.org
Sun Dec 29 12:37:23 CET 2013


On 28/12/2013 15:07, Philipp Kern wrote:
> how do these deployments look like?

large.  Either small numbers of very large l2 domains or else large numbers
of l2 domains with lots of hosts.  In either case, the use case is tens of
thousands of ipv6 hosts.

> Because the granuality is generally
> per broadcast link and I don't think we are talking about multiple
> routers on one broadcast domain with the DHCP server doing the load
> balancing?

I don't know what you mean here.  I'm talking exclusively about networks
with multiple gateways with a requirement for tightly timed failover.

> You still need ND for tightly timed failover or you switch the MAC
> address somewhere else

No, you can't do tightly timed failover with RAs - it's not possible within
the terms of the minimum timers specified in the docs.  The minimum
possible failover time using RA is about 6 seconds by tweaking the NS
interval, and that's assuming you set the NS reachable timer = 1000ms and
the retransmit timer = 100ms.  Both of these are operationally dubious
because they make your network scale according to the number of hosts on
your network rather than the number of l2 domains.  This doesn't matter on
granny's home dsl network; it matters very much at large scale.

The alternative is to advertise RAs at the rfc-specified minimum interval
of 3s, giving a failover time of 10s.  This isn't compatible with many
business cases.

> why is RA a bad thing here? (As you can
> advertise the VRRP IP or VIP in it, for instance).

There are two intertwined issues here: 1. why RA is a poor choice in
certain situations and 2. why DHCPv6 is a better choice in these situations.

1. running RA+DHCPv6 is running two protocols to handle autoconfiguration,
which is not particularly compatible with the KISS principal because two
protocols is by necessity more fragile than operating with just one.  If
alternatively dhcpv6 were able to provide a defgw option, we could drop an
entire protocol.

2. two protocols is inherently more difficult and therefore expensive to
debug than one.

3. there is no way of specifying a global unicast ipv6 address.  You can
only specify link-local addresses.

4. there is no way for RAs to deploy different gateways to different hosts:
all hosts on the network must be configured in the same way.

5. there is no way to specify anything other than a default gateway.

6. the failover characteristics of RAs are very poor by modern standards.

Nick




More information about the ipv6-ops mailing list