On 07/18/2014 2:06 PM, Rob Mosher wrote:
> You shouldn't be grouping neighbor discovery in the same rate limits 
> as other types of ICMPv6.  If someone starts pinging your router at a 
> high rate 

Echo/echo-reply isn't handled in this section.

> or if there is a routing loop that generates a bunch of time exceeded 
> messages it will cause your neighbor discovery to fail and you will be 
> unable to reach your peers.  Those are just two examples, but you 
> really need neighbor discovery to be handled elsewhere.
>

Time-exceeded messages will only go back to the router originating the 
traffic, so if there's a routing loop, the messages go back to the 
individual sources. It's unlikely that my router is going to generate a 
lot of traffic to cause ND to fail.  And hopefully the upstream routers 
with the loop also have a policy to limit their time exceeded messages...


Given the neighbor solicitations I'm seeing, I do think that this points 
out a 'flaw' in the exchange's IPv6 address assignments. It seems like 
we should be using hextet 7 for 16-bit ASNs and hextets 6 and 7 for 
32-bit ASNs - I'm not sure if there is a policy for 32-bit ASN IPv6 
addressing as no one appears to have one yet.


If anyone is interested, I used this as the basis for my IPv6 policy and 
I appear to have used smaller policing values than what had been 
suggested:

http://archiv.cesnet.cz/doc/techzpravy/2010/ipv6-copp/ipv6-copp.pdf




> -- 
> Rob Mosher
> Senior Network and Software Engineer
> Hurricane Electric / AS6939
>
> On 7/17/2014 5:07 PM, James Stahr wrote:
>> First off, Did anyone make any changes on 07/15/2014 around 08:00?
>>
>> The reason is that I think I've resolved an issue with our IPv6 
>> peering with the MICE route servers, Charter, and TDS and I'm looking 
>> for a larger audience to see if it's my issue or perhaps an issue at 
>> the exchange.  I believe it to be the latter, but I'm not an IPv6 
>> expert.
>>
>> Starting two days ago around 8am CDT, we started experiencing BGP 
>> timeouts on some of our IPv6 BGP sessions.  I was able to work around 
>> the issue by removing our COPP policy and the BGP sessions were 
>> stable for 24 hours.  Reapplied the policy, sessions started to drop 
>> again.  Looked at the policy to see which category is being exceeded, 
>> it's not the routing section which allows BGP/BFD/etc, but the 
>> ICMP-v6 one:
>>
>>
>> ipv6 access-list COPP-icmp-v6
>>  remark ICMP type 1/3,2,3/0,3/1,4/0,4/1,4/2,130,143
>>  permit icmp any any destination-unreachable
>>  permit icmp any any packet-too-big
>>  permit icmp any any time-exceeded
>>  permit icmp any any parameter-problem
>>  remark nd-na, nd-ns, ra, rs
>>  permit icmp any any nd-na
>>  permit icmp any any nd-ns
>>  permit icmp any any router-advertisement
>>  permit icmp any any router-solicitation
>>  remark MLD - query, report_v2
>>  permit icmp any any mld-query
>>  permit icmp any any 143
>>
>>
>> which is being policed like this:
>>
>>  class Icmp-v6
>>   police 32000 60000 120000 conform-action transmit  exceed-action drop
>>
>> I've worked around the issue by making a 4x increase in the policing, 
>> but the question I have is what happened at the exchange to provoke 
>> my COPP policy?  Alternatively, is this normal, or does it indicate 
>> who has the problem:
>>
>>
>>
>> r-pop-min-1#deb ipv6 icmp
>>   ICMP Packet debugging is on
>> r-pop-min-1#
>> Jul 17 14:36:08.143 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::56E0:3200:50CE:4178, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.281 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.281 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.285 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.359 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.433 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.435 CDT: ICMPv6: Sent N-Solicit, 
>> Src=FE80::CA4C:75FF:FE23:805, Dst=2001:504:27::8252:0:1
>> Jul 17 14:36:08.459 CDT: ICMPv6: Received N-Advert, 
>> Src=2001:504:27::8252:0:1, Dst=FE80::CA4C:75FF:FE23:805
>> Jul 17 14:36:08.535 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.535 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.539 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.559 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::8252:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.586 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::B664:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.617 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.687 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.782 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.783 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.783 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> r-pop-min-1#
>> Jul 17 14:36:08.842 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.990 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.028 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.070 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.148 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.191 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.203 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.322 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.322 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.327 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.399 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.439 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.481 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.533 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::B664:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.572 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.572 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.581 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.608 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::2E21:72FF:FE71:37B1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.613 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::8252:0:1, Dst=FF02::1:FF00:1
>> r-pop-min-1#
>> Jul 17 14:36:09.659 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.831 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.831 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.831 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:09.884 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.069 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.172 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.223 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.240 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.320 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.364 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.441 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.521 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.573 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.573 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.588 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::B664:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.622 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.659 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::8252:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.684 CDT: ICMPv6: Received N-Solicit, 
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.817 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.830 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.830 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.830 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::3BA3:0:1, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.853 CDT: ICMPv6: Received type 130, 
>> Src=FE80::21B:DFF:FEE7:15C0, Dst=FF02::1
>> r-pop-min-1#
>> Jul 17 14:36:10.908 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:10.925 CDT: ICMPv6: Received N-Solicit, 
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>>
>> I'm thinking that the answer is that this is not normal, as it looks 
>> like I'm getting duplicate solicitations in the same second.
>>
>> -James
>>
>> ########################################################################
>>
>> To unsubscribe from the MICE-DISCUSS list, click the following link:
>> ?SUBED1=MICE-DISCUSS&A=1
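
One way to quantify the "duplicate solicitations in the same second" seen in the quoted debug output, as an added example that is not part of the original thread. It assumes the `debug ipv6 icmp` record format shown above; the function names are hypothetical and the sample is a subset of the quoted lines, left in their mail-wrapped form.

```python
import re
from collections import Counter

# Record format as it appears in the quoted "debug ipv6 icmp" output.
LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.(?P<ms>\d{3}) \w+: ICMPv6: "
    r"(?P<dir>Received|Sent) (?P<kind>[^,]+), Src=(?P<src>[0-9A-Fa-f:]+), Dst=(?P<dst>[0-9A-Fa-f:]+)"
)

def unwrap(text):
    """Strip mail quote markers and rejoin records wrapped before 'Src='."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if line.startswith("Src=") and out:
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out

def summarize(text):
    """Count received neighbor solicitations per source, per second, and per identical timestamp."""
    per_source, per_second, bursts = Counter(), Counter(), Counter()
    for line in unwrap(text):
        m = LINE.search(line)
        if not m or m["dir"] != "Received" or m["kind"] != "N-Solicit":
            continue  # skip router prompts, sent packets, NA, MLD
        src = m["src"].upper()
        per_source[src] += 1
        per_second[m["ts"]] += 1
        bursts[(src, f'{m["ts"]}.{m["ms"]}')] += 1
    # Same source logged more than once at the same millisecond timestamp.
    repeats = {k: n for k, n in bursts.items() if n > 1}
    return per_source, per_second, repeats

# Subset of the quoted debug output, still wrapped and quoted as in the mail.
SAMPLE = """\
>> Jul 17 14:36:08.143 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::56E0:3200:50CE:4178, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.178 CDT: ICMPv6: Received N-Solicit,
>> Src=FE80::221:9BFF:FE8A:D29D, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.281 CDT: ICMPv6: Received N-Solicit,
>> Src=2001:504:27::D1AF:0:2, Dst=FF02::1:FF00:1
>> Jul 17 14:36:08.435 CDT: ICMPv6: Sent N-Solicit,
>> Src=FE80::CA4C:75FF:FE23:805, Dst=2001:504:27::8252:0:1
"""
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over a full capture, the per-second counts show how much neighbor discovery is competing with the other ICMPv6 types in the same policed class, and the per-source counts show which peers are sending most of it.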