On 07/18/2014 2:06 PM, Rob Mosher wrote:
> You shouldn't be grouping neighbor discovery in the same rate limits
> as other type of icmpv6. If someone starts pinging your router at a
> high rate
Echo/echo-reply isn't handled in this section.
> or if there is a routing loop that generates a bunch of time exceeded
> messages it will cause your neighbor discovery to fail and will be
> unable to reach your peers. Those are just two examples, but you
> really need neighbor discovery to be handled elsewhere.
>
Time exceeded's will only go back to the router originating the traffic
so if there's a routing loop, the messages go back to the individual
sources. It's unlikely that my router is going to generate a lot of
traffic to cause ND to fail. And hopefully the upstream routers with
the loop also has a policy to limit their time exceeded messages...
Given the neighbor solicitations I'm seeing, I do think that this points
out a 'flaw' in the exchange's IPv6 address assignments. It seems like
we should be using hextet's 7 for16bit ASNs and hextets 6 and 7 for
32bit ASNs - I'm not sure if there is a policy for 32bit ASN IPv6
addressing as no one appears to have one yet.
If anyone is interested, I used this as my basis for my IPv6 policy and
I appear to have used smaller values policing values than what had been
suggested:
http://archiv.cesnet.cz/doc/techzpravy/2010/ipv6-copp/ipv6-copp.pdf
> --
> Rob Mosher
> Senior Network and Software Engineer
> Hurricane Electric / AS6939
>
> On 7/17/2014 5:07 PM, James Stahr wrote:
>> First off, Did anyone make any changes on 07/15/2014 around 08:00?
>>
>> The reason is that I think I've resolved an issue with our IPv6
>> peering with the MICE route servers, Charter, and TDS and I'm looking
>> for a larger audience to see if it's my issue or perhaps an issue at
>> the exchange. I believe it to be the latter, but I'm not an IPv6
>> expert.
>>
>> Starting two days ago around 8am CDT, we started experiencing BGP
>> timeouts on some of our IPv6 BGP sessions. I was able to work around
>> the issue by removing our COPP policy and the BGP sessions were
>> stable for 24 hours. Reapplied the policy, sessions started to drop
>> again. Looked at the policy to see which category is being exceeded,
>> it's not the routing section which allows BGP/BFD/etc, but the
>> ICMP-v6 one:
>>
>>
>> ipv6 access-list COPP-icmp-v6
>> remark ICMP type 1/3,2,3/0,3/1,4/0,4/1,4/2,130,143
>> permit icmp any any destination-unreachable
>> permit icmp any any packet-too-big
>> permit icmp any any time-exceeded
>> permit icmp any any parameter-problem
>> remark nd-na, nd-ns, ra, rs
>> permit icmp any any nd-na
>> permit icmp any any nd-ns
>> permit icmp any any router-advertisement
>> permit icmp any any router-solicitation
>> remark MLD - query, report_v2
>> permit icmp any any mld-query
>> permit icmp any any 143
>>
>>
>> which is being policed like this:
>>
>> class Icmp-v6
>> police 32000 60000 120000 conform-action transmit exceed-action drop
>>
>> I've worked around the issue by making a 4x increase in the policing,
>> but the question I have is what happened at the exchange to provoke
>> my COPP policy? Alternatively, is this normal or indicate who has
>> the problem:
>>
>>
>>
>> r-pop-min-1#deb ipv6 icmp
>> ICMP Packet debugging is on
>> r-pop-min-1#
>> Jul 17 14:36:08.143 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::56E0:3200:50CE:4178, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.281 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.281 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.285 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.359 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.433 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.435 CDT: ICMPv6: Sent N-Solicit,
>> Src=FE80::CA4C:75FF:FE23:805, Dst=2001:504:27::8252:0:1
>> Jul 17 14:36:08.459 CDT: ICMPv6: Received N-Advert,
>> Src=2001:504:27::8252:0:1, Dst=FE80::CA4C:75FF:FE23:805
>> Jul 17 14:36:08.535 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.535 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.539 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.559 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::8252:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.586 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::B664:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.617 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.687 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.782 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.783 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.783 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> r-pop-min-1#
>> Jul 17 14:36:08.842 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.990 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.028 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.070 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.148 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.203 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.322 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.322 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.327 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.399 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.439 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.481 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.533 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::B664:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.572 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.572 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.581 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.608 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::2E21:72FF:FE71:37B1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.613 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::8252:0:1, Dst=FF02::1:FF00:1
>> r-pop-min-1#
>> Jul 17 14:36:09.659 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.831 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.831 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.831 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.884 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.069 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.172 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.240 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.320 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.364 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.441 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.521 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.573 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.573 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.588 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::B664:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.622 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.659 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::8252:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.684 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.817 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.830 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.830 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.830 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.853 CDT: ICMPv6: Received type 130,
>> Src=FE80::21B:DFF:FEE7:15C0, Dst=FF02::1
>> r-pop-min-1#
>> Jul 17 14:36:10.908 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.925 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>>
>> I'm thinking that the answer is that this is not normal, as it looks
>> like I'm getting duplicate solicitations in the same second.
>>
>> -James
>>
>> ########################################################################
>>
>> To unsubscribe from the MICE-DISCUSS list, click the following link:
>> ?SUBED1=MICE-DISCUSS&A=1
>
> ########################################################################
>
> To unsubscribe from the MICE-DISCUSS list, click the following link:
> ?SUBED1=MICE-DISCUSS&A=1
>
>
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link:
?SUBED1=MICE-DISCUSS&A=1
|