AMT/vPro MLD storms?

2014-02-06 Thread Phil Mayers

All,

In the last week or so, we've started to see a problem on newer PCs with 
the Intel AMT/vPro (a kind of inline out-of-band management controller, 
for those unfamiliar with it) which now supports IPv6... after a fashion.


The specific issue is that under certain as-yet unidentified 
conditions, two such machines which are asleep will start to emit MLD 
packets at a high rate - 1kpps. This eats a lot of CPU on the attached 
router (and can't be great for everything else, either).


The MLD packets must of course be coming from the AMT/vPro stack which 
shares the system MAC address (an unwise design decision IMO) and sort 
of shares its IP stack. We've confirmed this by looking at the port 
speed, which is 10meg when the machine is asleep (versus 1gig when awake).


It seems that the AMT controllers goad each other into emitting the 
packets - if you take one offline, the other stops.


The MLD packets are of the form:

2c:44:fd:xx:xx:xx > 33:33:00:01:00:03, ethertype IPv6 (0x86dd), length 86: fe80::2e44:fdff:fexx: > ff02::1:3: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:3, length 24


...and alternate from each machine; as above, as if each machine is 
induced to emit an MLD packet by seeing the other do it.


Note the v6 LL IP is a mutated form of EUI-64 (locally-assigned bit 
toggled?)


Has anyone seen anything like this?

Cheers,
Phil
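
An added example, not part of the original post or of any tool mentioned in it: one way to spot the pattern described above (high-rate MLD reports from a pair of hosts that answer each other) in a text capture. It assumes `tcpdump -tt -e -n` style lines; the function names, the 100 pps threshold and the low three MAC bytes in the sample are made up for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One "tcpdump -tt -e -n" text line carrying an MLD listener report.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, "
    r"ethertype IPv6 \(0x86dd\), length \d+: [0-9a-f:]+ > "
    r"[0-9a-f:]+: HBH ICMP6, multicast listener report")

def eui64_link_local(mac):
    """fe80::/64 address from a MAC via modified EUI-64 (RFC 4291):
    flip the U/L bit of the first octet and insert ff:fe in the middle."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def mld_report_rates(lines):
    """Peak MLD reports per source MAC in any one-second bucket."""
    buckets = defaultdict(Counter)
    for m in filter(None, map(LINE.match, lines)):
        buckets[m["smac"]][int(float(m["ts"]))] += 1
    return {mac: max(c.values()) for mac, c in buckets.items()}

def storm_sources(lines, threshold_pps=100):
    """Source MACs whose peak rate reaches threshold_pps (assumed value)."""
    return sorted(mac for mac, pps in mld_report_rates(lines).items()
                  if pps >= threshold_pps)

def alternation_ratio(lines, mac_a, mac_b):
    """Share of consecutive reports from the pair where the sender changes;
    a value near 1.0 means the two hosts answer each other packet for packet."""
    seq = [m["smac"] for m in filter(None, map(LINE.match, lines))
           if m["smac"] in (mac_a, mac_b)]
    if len(seq) < 2:
        return 0.0
    return sum(x != y for x, y in zip(seq, seq[1:])) / (len(seq) - 1)

def sample_capture():
    """Constructed input: two hosts alternating at 1 kpps each for one
    second, plus one host sending a single report. MAC low bytes are made up."""
    fmt = ("{ts:.6f} {mac} > 33:33:00:01:00:03, ethertype IPv6 (0x86dd), "
           "length 86: {ip} > ff02::1:3: HBH ICMP6, multicast listener "
           "reportmax resp delay: 0 addr: ff02::1:3, length 24")
    pair = ["2c:44:fd:00:00:01", "2c:44:fd:00:00:02"]
    lines = [fmt.format(ts=1391688000 + i * 0.0005, mac=pair[i % 2],
                        ip=eui64_link_local(pair[i % 2])) for i in range(2000)]
    quiet = "2c:44:fd:00:00:03"
    lines.append(fmt.format(ts=1391688000.5, mac=quiet,
                            ip=eui64_link_local(quiet)))
    return lines

if __name__ == "__main__":
    cap = sample_capture()
    print(storm_sources(cap))
    print(alternation_ratio(cap, "2c:44:fd:00:00:01", "2c:44:fd:00:00:02"))
```
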


Re: AMT/vPro MLD storms?

2014-02-06 Thread Phil Mayers

On 06/02/14 12:42, Sam Wilson wrote:

>> Note the v6 LL IP is a mutated form of EUI-64 (locally-assigned bit
>> toggled?)
>
> Are you sure about that last?  Surely the U/L bit should be flipped


Oops. Quite right, well spotted.


So, time for some real action?

2014-02-06 Thread Dick Visser
http://www.internetsociety.org/deploy360/blog/2013/12/campaign-turn-off-ipv4-on-6-june-2014-for-one-day/


I fully support this idea. But I'm in doubt what to actually do on 6 June.
There isn't much benefit in turning off IPv4 on client devices in our
office, because we already have a good idea what will work and what won't.
Turning off IPv4 on all internet facing services would be better, because
it will point out any IPv6 connectivity problems that visitors have.
In that case, I can go about this in several ways.
Doing it through (low TTL + removal of A records) gives you less control
over things.
If you block IPv4 access at the service level (filtering/ACLs), then it's
easier to restore things.

Maybe some intermediate solution, such as serving up an explanation page to
IPv4 users?

Other ideas?



-- 
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands


Re: So, time for some real action?

2014-02-06 Thread Nick Hilliard
On 06/02/2014 14:51, Dick Visser wrote:
> http://www.internetsociety.org/deploy360/blog/2013/12/campaign-turn-off-ipv4-on-6-june-2014-for-one-day/

This is a terrible idea which will cause IPv6 to be associated with
gratuitous breakage.

Nick



Re: So, time for some real action?

2014-02-06 Thread Dick Visser
I know there are different opinions on this.
But between black and white there are many shades of grey.
That's why I was asking.
I know that some stuff will break, I'm looking for ways to put this
'breakage' to positive use.



On 6 February 2014 16:48, Nick Hilliard n...@foobar.org wrote:

> On 06/02/2014 14:51, Dick Visser wrote:
>
>> http://www.internetsociety.org/deploy360/blog/2013/12/campaign-turn-off-ipv4-on-6-june-2014-for-one-day/
>
> This is a terrible idea which will cause IPv6 to be associated with
> gratuitous breakage.
>
> Nick




-- 
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands


Re: So, time for some real action?

2014-02-06 Thread Nick Hilliard
On 06/02/2014 16:04, Dick Visser wrote:
> I know there are different opinions on this.
> But between black and white there are many shades of grey.
> That's why I was asking.
> I know that some stuff will break, I'm looking for ways to put this
> 'breakage' to positive use.

people don't care about ipv6.  They care about their email, their web
searches, their helpdesk access, their online bank accounts, their
mortgage, their partner and their dog.  If you cause them to lose access to
their online things, then ipv6 will stick in their mind as the thing which
caused this problem.  This is not going to be productive.

Nick



Re: So, time for some real action?

2014-02-06 Thread Antonio Querubin
On Thu, 2014-02-06 at 15:48 +, Nick Hilliard wrote:
> On 06/02/2014 14:51, Dick Visser wrote:
>> http://www.internetsociety.org/deploy360/blog/2013/12/campaign-turn-off-ipv4-on-6-june-2014-for-one-day/
>
> This is a terrible idea which will cause IPv6 to be associated with
> gratuitous breakage.

Concur.

This might make sense if IPv6-enabled networks were the norm and not the
exception.  But that's not true today nor will it likely be on June 6
this year.
 
-- 
Antonio Querubin t...@lavanauts.org



Re: So, time for some real action?

2014-02-06 Thread Hannigan, Martin

On Feb 6, 2014, at 11:15 AM, Nick Hilliard n...@foobar.org wrote:

> On 06/02/2014 16:04, Dick Visser wrote:
>> I know there are different opinions on this.
>> But between black and white there are many shades of grey.
>> That's why I was asking.
>> I know that some stuff will break, I'm looking for ways to put this
>> 'breakage' to positive use.
>
> people don't care about ipv6.  They care about their email, their web
> searches, their helpdesk access, their online bank accounts, their
> mortgage, their partner and their dog.  If you cause them to lose access to
> their online things, then ipv6 will stick in their mind as the thing which
> caused this problem.  This is not going to be productive.
>
> Nick
 



De-cloak…

Rarely do I do this, but this needs a chorus..

+1

…cloak



Best,

-M





Re: So, time for some real action?

2014-02-06 Thread Stephane.Dodeller

> If I understand the proposal correctly, the idea is that individuals will
> disable IPv4 for a day, on their own personal equipment or workstations.
>
> If so:
>
> 1. That *might* be useful, but it's unclear to me why having a day for this
> is helpful; the purpose of IPv6 day #1 and #2 was to coordinate the enabling
> for people who *didn't* opt in, so that any impact would have an obvious
> cause. If an individual wants to do this, they can do it at any time and see
> the effects.
>
> 2. The wording needs to be improved, drastically. It has a very care-free
> tone to it, which is not helpful to the overall efforts.
>
> IMHO effort at this point would be best directed to the large, holdout
> broadband providers in countries with low uptake (e.g. BT in the UK).

Full ACK.

I also see the relevance of world launch events, but I strongly doubt that 
world IPv4 stop would have any impact (other than us IT guys being seen as 
looking for an excuse for a day off).
Say I have a hybrid car. What is the relevance of deciding, on a given day, 
not to use the fuel engine? (or to go through the trouble of pumping the fuel 
out of the car).

Regards

Stéphane Dodeller

Re: So, time for some real action?

2014-02-06 Thread SM

Hi Dick,
At 06:51 06-02-2014, Dick Visser wrote:

> I fully support this idea. But I'm in doubt what to actually do on 6 June.


Turning off IPv4 like that does not sound like a good idea to me.  It 
is possible to determine what would break if the network is IPv6 
only.  The idea would only make life difficult for users.


Regards,
-sm 



Re: So, time for some real action?

2014-02-06 Thread David Farmer

On 2/6/14, 08:51 , Dick Visser wrote:

> http://www.internetsociety.org/deploy360/blog/2013/12/campaign-turn-off-ipv4-on-6-june-2014-for-one-day/
>
> I fully support this idea. But I'm in doubt what to actually do on 6 June.
> There isn't much benefit in turning off IPv4 on client devices in our
> office, because we already have a good idea what will work and what won't.
> Turning off IPv4 on all internet facing services would be better,
> because it will point out any IPv6 connectivity problems that visitors have.
> In that case, I can go about this in several ways.
> Doing it through (low TTL + removal of A records) gives you less control
> over things.
> If you block IPv4 access at the service level (filtering/ACLs), then
> it's easier to restore things.
>
> Maybe some intermediate solution, such as serving up an explanation page
> to IPv4 users?
>
> Other ideas?


You do not want to intentionally break anything.  My plan is to set up a
separate SSID that has IPv6 only, probably with NAT64 also, this allows
individual users who want to participate to do so.


However, by using a separate SSID, if there is breakage that prevents a
user from doing their job, they can simply change back to the normal
SSID and do their job.


We used a similar strategy when turning-on IPv6 Dual-Stack several years
ago.  Over 6 months we had over 5000 people use that separate SSID
without any reported IPv6 related issues, only general wireless issues.
This was used as evidence to management for enabling IPv6 Dual-Stack
on the production wireless SSID and phasing out the separate SSID.


The goal this time wouldn't be to converge the production and separate 
IPv6 only SSID anytime soon.  But to create an extended voluntary 
testing environment.  Also, the separate SSID provides an option when 
the production SSID runs out of IPv4 addresses.


So, please DO NOT do anything that intentionally breaks an unsuspecting 
user, this is a really bad idea and is counter productive to the IPv6 
cause.  Even this possibly misguided campaign calls for this to be a 
voluntary action.


I say possibly misguided, because telling my boss that I can't work
because something doesn't support IPv6 seems to be going a little too
far.  Telling my boss that I'm participating in this IPv6 only day and
it may take a little longer while I try something in IPv6 only first then
switching back if it doesn't work, seems much more reasonable to me.


Thanks.

--

David Farmer   Email: far...@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952



Re: So, time for some real action?

2014-02-06 Thread Andrew  Yourtchenko
On 2/6/14, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 06/02/14 16:04, Dick Visser wrote:
>> I know there are different opinions on this.
>> But between black and white there are many shades of grey.
>
> Maybe. But this phrase:
>
> If turning IPv4 off results in inability to perform our job for our
> employers, we tell them the reason and take a day off.
>
> ...does not send a good message. I would be inclined to tell the member
> of staff to get their a**e into work and stop acting like such a child.


Last time I checked, anyone with available days off can take them at
any time for any reason.


> If I understand the proposal correctly, the idea is that individuals
> will disable IPv4 for a day, on their own personal equipment or
> workstations.
>
> If so:
>
>   1. That *might* be useful, but it's unclear to me why having a day

That's exactly the idea. It's explicitly *NOT* to break others'
networks nor to have the innocent users suffer.

> for this is helpful; the purpose of IPv6 day #1 and #2 was to coordinate
> the enabling for people who *didn't* opt in, so that any impact would
> have an obvious cause. If an individual wants to do this, they can do it
> at any time and see the effects.

Having a defined day when others are doing the same thing makes it
easier to allocate the time for it, at least for some.


>   2. The wording needs to be improved, drastically. It has a very
> care-free tone to it, which is not helpful to the overall efforts.

If you are talking about the original wording on the AVAAZ - I'd be
very happy to hear better wording, feel free to unicast.


> IMHO effort at this point would be best directed to the large, holdout
> broadband providers in countries with low uptake (e.g. BT in the UK).


What would that effort consist of ?

--a


Re: So, time for some real action?

2014-02-06 Thread Bill Owens
On Thu, Feb 06, 2014 at 06:52:49PM +0100, Andrew ?  Yourtchenko wrote:
> On 2/6/14, Phil Mayers p.may...@imperial.ac.uk wrote:
>> Maybe. But this phrase:
>>
>> If turning IPv4 off results in inability to perform our job for our
>> employers, we tell them the reason and take a day off.
>>
>> ...does not send a good message. I would be inclined to tell the member
>> of staff to get their a**e into work and stop acting like such a child.
>
>
> Last time I checked, anyone with available days off can take them at
> any time for any reason.

I can see it now:

Employee: I can't work today because I've turned off IPv4 and none of our 
systems support IPv6. So I won't be coming in to the office.

Boss: So you're taking a vacation day.

Employee: Yes, but I also won't be using any IPv4.

Boss: Fine, just make sure you're here tomorrow with your eye-pee-whatever 
turned on.

Bill.


Re: So, time for some real action?

2014-02-06 Thread Phil Mayers

On 06/02/2014 17:52, Andrew   Yourtchenko wrote:


> Last time I checked, anyone with available days off can take them at
> any time for any reason.


Most places aren't quite that generous; notice, simultaneous team member 
leave and exceptional circumstance clauses typically apply.


But I take your point; individuals are of course free, modulo such 
concerns, to take time off for their own reasons.


IMHO taking a day's leave because IPv4 is still required is silly. But 
hey, who am I to say?



> That's exactly the idea. It's explicitly *NOT* to break others'
> networks nor to have the innocent users suffer.


Ok. But if you read the replies to the original email, it's clear a lot 
of people didn't get that. So there is a messaging problem here.



> Having a defined day when others are doing the same thing makes it
> easier to allocate the time for it, at least for some.


Shrug. If you say so.


> If you are talking about the original wording on the AVAAZ - I'd be
> very happy to hear better wording, feel free to unicast.


My problem is entirely with the work point. Denying yourself online 
shopping and facebook is just that - self-denial. Though a really brave 
option would be to do that *permanently*, and let the retailers know why 
you're *never* shopping with them until they're v6-ready.


Denying yourself the ability to work *in the field you're trying to 
affect change* seems futile.


It would be better to go to work, try and work with IPv4 disabled, make 
a note of everything that didn't work, then commit to fixing it all 
before the same time next year. That's both far harder, and far more 
productive, than throwing your hands in the air and saying nothing 
works without IPv4 - which is not a surprising conclusion ;o)



>> IMHO effort at this point would be best directed to the large, holdout
>> broadband providers in countries with low uptake (e.g. BT in the UK).
>
> What would that effort consist of ?


That is an excellent question which I am not well equipped to answer. If 
there is anyone on the list with insight in the UK broadband market, and 
any workable suggestions and/or hopeful news, I'd love to hear it.


I note that BT have, recently, gone to the expense of deploying CGN but 
not IPv6 - which is not promising. Although the newest CPE has IPv6 
stuff in the UI, currently all disabled, so maybe they'll turn it on 
later...


Re: So, time for some real action?

2014-02-06 Thread Brian E Carpenter
On 07/02/2014 04:48, Nick Hilliard wrote:
> On 06/02/2014 14:51, Dick Visser wrote:
>> http://www.internetsociety.org/deploy360/blog/2013/12/campaign-turn-off-ipv4-on-6-june-2014-for-one-day/
>
> This is a terrible idea which will cause IPv6 to be associated with
> gratuitous breakage.

That was my first reaction, but "It's all voluntary – you can turn off IPv4
on your own devices, but no one will be turning off IPv4 for anyone else."
doesn't sound quite that bad; only geeks will do that, and probably only for
about 5 minutes. So it's probably a cute idea.

I see a button here for turning off the loudspeaker, and another one
for Bluetooth, but I can't seem to find the EyePeeVeeFour button.

Brian



Re: So, time for some real action?

2014-02-06 Thread Andrew  Yourtchenko
On 2/6/14, Phil Mayers p.may...@imperial.ac.uk wrote:

>> That's exactly the idea. It's explicitly *NOT* to break others'
>> networks nor to have the innocent users suffer.
>
> Ok. But if you read the replies to the original email, it's clear a lot
> of people didn't get that. So there is a messaging problem here.


Upon rereading the text "all devices we use" might mean servers for
some. I added the clarification to make the intent more explicit, as
well as a "it goes without saying" post-scriptum at the end. Hopefully
this will make it more explicit that this is not a call to get the IT
professionals to go and gratuitously cut off the wires off the live
servers.


>> If you are talking about the original wording on the AVAAZ - I'd be
>> very happy to hear better wording, feel free to unicast.
>
> My problem is entirely with the work point. Denying yourself online
> shopping and facebook is just that - self-denial. Though a really brave
> option would be to do that *permanently*, and let the retailers know why
> you're *never* shopping with them until they're v6-ready.

To start with it, we'd need at least one retailer that *does* support IPv6.

Are there any at all ?

If not - then one would need to create a large enough group that would
express this as a single entity - if it were to get big enough, it
might make it interesting for some retailer to cater to this group.


> Denying yourself the ability to work *in the field you're trying to
> affect change* seems futile.
>
> It would be better to go to work, try and work with IPv4 disabled, make
> a note of everything that didn't work, then commit to fixing it all
> before the same time next year. That's both far harder, and far more
> productive, than throwing your hands in the air and saying nothing
> works without IPv4 - which is not a surprising conclusion ;o)

I thought about it a lot at the time of writing that sentence and
indeed my first reaction was to write pretty much exactly what you
suggest. It's great, challenge and all, and it works - if the
professional in question is in direct authority to change the
situation. But if they aren't - what can they do ?

What I ended up with seemed like the least unreasonable idea for a
lowest common denominator.

But I am very open to another not-too-unreasonable idea that is achievable.

Making it harder is not a desirable property, though.

Maybe transforming this into a taking a day off and using this time
to educate the others and help them with their IPv6 deployment could
be a better option ?

Take a day off because you can't do work without IPv6 and then use
this time to configure an IPv6-only SSID with NAT64 on a network where
you *do* have control (may be still a different segment at work, or
maybe your home network) or test a couple of apps and submit bug
reports  - how does this sound ?


>>> IMHO effort at this point would be best directed to the large, holdout
>>> broadband providers in countries with low uptake (e.g. BT in the UK).
>>
>> What would that effort consist of ?
>
> That is an excellent question which I am not well equipped to answer. If
> there is anyone on the list with insight in the UK broadband market, and
> any workable suggestions and/or hopeful news, I'd love to hear it.


The next IETF is by a coincidence in London in just a few weeks. Might
be interesting to pop by and ask this question during the plenary and
see if any ideas emerge. :-)

--a


Re: So, time for some real action?

2014-02-06 Thread Jen Linkova
On Thu, Feb 6, 2014 at 11:05 PM, Andrew   Yourtchenko
ayour...@gmail.com wrote:
> Maybe transforming this into a taking a day off and using this time
> to educate the others and help them with their IPv6 deployment could
> be a better option ?
>
> Take a day off because you can't do work without IPv6 and then use
> this time to configure an IPv6-only SSID with NAT64 on a network where
> you *do* have control (may be still a different segment at work, or
> maybe your home network) or test a couple of apps and submit bug
> reports  - how does this sound ?

*This* sounds much better than the original idea of breaking things, I'd say.

...hmmm...should such a day off be classified as 'for religious reasons'? ;)))

-- 
SY, Jen Linkova aka Furry