DAD - on or off

Benedikt Stockebrand bs at stepladder-it.com
Fri Jun 28 12:00:47 CEST 2013


Hi Merike and list,

just catching up, so sorry about the delay:

Merike Kaeo <merike at doubleshotsecurity.com> writes:

> As more deployments are ongoing, what are folks doing with router (and
> critical server) interfaces wrt DAD?  I briefly followed RFC4429
> Optimistic Duplicate Address Detection (DAD) for IPv6' but am
> wondering whether people turn off DAD on router interfaces in
> practice.

From a protocol perspective, disabling DAD doesn't make any sense: If
you have multiple nodes trying to use the same address, then you have a
situation that needs to be cleared up manually anyway.  Disabling DAD
only makes the situation worse: Instead of a router complaining about a
duplicate address, you have a non-deterministic behaviour within your
network (one of those things I've learned to hate with IPv4).

From an operations/broken implementation perspective, disabling DAD is a
quick and rather ugly hack to work around init scripts or equivalent
which don't wait until DAD has succeeded.  As a personal opinion, I'd
rather fix the actual problem (by kicking the vendor/developer, if
necessary) than come up with this kind of kludge that will bite one only
long after one has forgotten about it.

To my understanding RFC 4429 just addresses the situation where highly
mobile devices can't wait for DAD to complete.  As a matter of personal
opinion, I don't really see much use in it, at least in environments
like you mention where servers are involved.  But then, maybe I've just
never seen the sort of environment where RFC 4429 actually makes any
sense.  Instead, I'd rather see some way to link the DAD timeout
interval to the link speed, or similar---I consider waiting a second or
more even on a Fast Ethernet interface somewhat silly.

> Scenario:
> a. router has an IPv6 address
> b. someone creates a node with same IPv6 address
> c. router reboots
>
> My question is....does (b) even get connected to local network?  My
> assumption is no.  

Correct.

> So if (b) were to be able to take over router's interface then it has
> to create the address and connect to network during the time a router
> reboots.  Is this correct?

Yes.  In other words, the time frame where this could happen is rather
limited, assuming that you don't reboot your router every few minutes.


Have a nice weekend,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.        http://www.stepladder-it.com/
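The message above argues for fixing init scripts that do not wait for DAD rather than switching DAD off. As an added example (not code from the original thread or from Benedikt), here is what such a wait looks like on Linux with iproute2: a classifier that reads `ip -6 addr show` output and reports whether any address is still `tentative` or has been marked `dadfailed`, plus a poll loop an init script can call before starting a daemon on the address. The interface name eth0 and the sample addresses are constructed for the example and are not from a real host.

```shell
#!/bin/sh
# Added example, not code from the original message: have an init script
# wait for DAD to finish (and notice a duplicate) instead of disabling DAD.
# Assumptions: Linux with iproute2, whose `ip -6 addr show` marks an
# address still under DAD with the flag "tentative" and a detected
# duplicate with "dadfailed" (a dadfailed address keeps its tentative flag).

# Read `ip -6 addr show` output on stdin and print the overall DAD state:
#   failed  - at least one address is marked dadfailed (a duplicate exists)
#   pending - no failure, but at least one address is still tentative
#   ok      - every address has completed DAD
# dadfailed is checked before tentative because a failed address is both.
dad_state() {
    failed=0
    pending=0
    while read -r first rest; do
        [ "$first" = "inet6" ] || continue
        case " $rest " in
            *" dadfailed "*) failed=1 ;;
            *" tentative "*) pending=1 ;;
        esac
    done
    if [ "$failed" -eq 1 ]; then
        echo failed
    elif [ "$pending" -eq 1 ]; then
        echo pending
    else
        echo ok
    fi
}

# Convenience wrapper: classify a string holding `ip -6 addr show` output.
classify() {
    printf '%s\n' "$1" | dad_state
}

# Poll a live interface once per second until DAD has settled.
# Returns 0 when all addresses are usable, 1 when a duplicate was detected,
# 2 when the timeout (seconds, default 10) expired with addresses still
# tentative. Requires the real `ip` command.
wait_for_dad() {
    iface=$1
    timeout=${2:-10}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        state=$(ip -6 addr show dev "$iface" | dad_state)
        case $state in
            ok)     return 0 ;;
            failed) return 1 ;;
        esac
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 2
}

# Constructed samples of `ip -6 addr show dev eth0` output (not captured
# from a real host; 2001:db8::/32 is the documentation prefix).
SAMPLE_PENDING='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global tentative
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

SAMPLE_FAILED='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

SAMPLE_OK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Show the classifier on the constructed samples.
echo "pending sample: $(classify "$SAMPLE_PENDING")"
echo "failed sample:  $(classify "$SAMPLE_FAILED")"
echo "ok sample:      $(classify "$SAMPLE_OK")"

# With an interface name as the first argument, wait on the real interface,
# e.g.:  sh dad-wait.sh eth0 15
if [ $# -gt 0 ]; then
    wait_for_dad "$1" "${2:-10}"
    rc=$?
    case $rc in
        0) echo "$1: DAD complete" ;;
        1) echo "$1: duplicate address detected (dadfailed)" >&2 ;;
        2) echo "$1: DAD still pending after ${2:-10}s" >&2 ;;
    esac
    exit $rc
fi
```

For reference, the Linux knobs behind the discussion are per-interface sysctls under net.ipv6.conf.<iface>: accept_dad (0 turns DAD off, which is the kludge the message warns against), dad_transmits (number of neighbor solicitations sent before the address is considered unique, default 1), and optimistic_dad (the RFC 4429 behaviour). A script like the one above lets you keep accept_dad at its default and still start services only once the address is actually usable, with a non-zero exit telling you a duplicate exists rather than silently racing the other node.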
