Opened 10 months ago

Closed 10 months ago

Last modified 2 months ago

#1080 closed request (fixed)

NAT64 network doesn't work for first ~15 seconds after connection

Reported by: lorenzo@…
Owned by: panda@…
Priority: tbd
Milestone: ietf-098
Component: incoming
Keywords:
Cc: ek@…
My Current Location: Montreux 3
My MAC Address: 64:bc:0c:50:38:2c
My OS: Android O preview

Description

Due to IPv6 issues, all my Android devices can't use the ietf or ietf-nat64 network for the first 10-15 seconds after connecting.

The following example is taken on "ietf-nat64", but the same appears to occur on "ietf" as well. The device will complete 802.1x negotiation, do DAD, get an RA with a global address, but then nothing works for the first 10-15 seconds. After that time, I get a very weird DAD packet sent by a Cisco box for my own IPv6 address, and then things start working. Here's an annotated tcpdump of all port 53 and ICMPv6 packets, except omitting some periodic RAs and NUD packets:

  1. Get on network, perform DAD, send RS, get RA with prefix and DNS server:

09:42:24.823617 64:bc:0c:50:38:2c > 33:33:ff:50:38:2c, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff50:382c: ICMP6, neighbor solicitation, who has fe80::66bc:cff:fe50:382c, length 24
09:42:25.827362 64:bc:0c:50:38:2c > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::66bc:cff:fe50:382c > ff02::2: ICMP6, router solicitation, length 16
09:42:25.979313 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 150: fe80::1998:1 > ff02::1: ICMP6, router advertisement, length 96
09:42:25.983529 64:bc:0c:50:38:2c > 33:33:ff:50:38:2c, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff50:382c: ICMP6, neighbor solicitation, who has 2001:67c:370:1998:66bc:cff:fe50:382c, length 24
09:42:25.983857 64:bc:0c:50:38:2c > 33:33:ff:6c:c6:2b, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff6c:c62b: ICMP6, neighbor solicitation, who has 2001:67c:370:1998:41a5:38e3:906c:c62b, length 24

  2. Immediately use the IPv6 address I got to send DNS queries for connectivitycheck.gstatic.com, www.google.com, ipv4only.arpa (NAT64 detection):

09:42:26.102495 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 109: 2001:67c:370:1998:41a5:38e3:906c:c62b.2211 > 2001:67c:370:229::6.53: 21398+ AAAA? connectivitycheck.gstatic.com. (47)
09:42:26.106525 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.13619 > 2001:67c:370:229::6.53: 28989+ AAAA? www.google.com. (32)
09:42:26.128679 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 93: 2001:67c:370:1998:41a5:38e3:906c:c62b.24946 > 2001:67c:370:229::6.53: 23380+ AAAA? ipv4only.arpa. (31)

  3. After 5 seconds of no response, retransmit the DNS queries:


09:42:31.108741 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 109: 2001:67c:370:1998:41a5:38e3:906c:c62b.17817 > 2001:67c:370:229::7.53: 21398+ AAAA? connectivitycheck.gstatic.com. (47)
09:42:31.110206 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 78: fe80::1998:1 > fe80::66bc:cff:fe50:382c: ICMP6, neighbor advertisement, tgt is fe80::1998:1, length 24
09:42:31.111151 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.22410 > 2001:67c:370:229::7.53: 28989+ AAAA? www.google.com. (32)
09:42:31.135125 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 93: 2001:67c:370:1998:41a5:38e3:906c:c62b.21404 > 2001:67c:370:229::7.53: 23380+ AAAA? ipv4only.arpa. (31)

... and again:

09:42:36.114986 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 109: 2001:67c:370:1998:41a5:38e3:906c:c62b.2211 > 2001:67c:370:229::6.53: 21398+ AAAA? connectivitycheck.gstatic.com. (47)
09:42:36.117228 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.13619 > 2001:67c:370:229::6.53: 28989+ AAAA? www.google.com. (32)
09:42:36.141290 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 93: 2001:67c:370:1998:41a5:38e3:906c:c62b.24946 > 2001:67c:370:229::6.53: 23380+ AAAA? ipv4only.arpa. (31)

  4. What? A Cisco box sends a fake DAD probe for my IPv6 address?

09:42:36.937825 00:3a:7d:71:93:89 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff6c:c62b: ICMP6, neighbor solicitation, who has 2001:67c:370:1998:41a5:38e3:906c:c62b, length 24
09:42:36.938541 64:bc:0c:50:38:2c > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: 2001:67c:370:1998:41a5:38e3:906c:c62b > ff02::1: ICMP6, neighbor advertisement, tgt is 2001:67c:370:1998:41a5:38e3:906c:c62b, length 32

  5. Retransmit DNS queries again, and again. 10 seconds pass:

09:42:41.121230 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 109: 2001:67c:370:1998:41a5:38e3:906c:c62b.17817 > 2001:67c:370:229::7.53: 21398+ AAAA? connectivitycheck.gstatic.com. (47)
09:42:41.123489 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.22410 > 2001:67c:370:229::7.53: 28989+ AAAA? www.google.com. (32)
09:42:41.147377 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 93: 2001:67c:370:1998:41a5:38e3:906c:c62b.21404 > 2001:67c:370:229::7.53: 23380+ AAAA? ipv4only.arpa. (31)
09:42:46.129534 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 109: 2001:67c:370:1998:41a5:38e3:906c:c62b.13974 > 2001:67c:370:229::6.53: 1761+ AAAA? connectivitycheck.gstatic.com. (47)
09:42:46.130552 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.7285 > 2001:67c:370:229::6.53: 32390+ AAAA? www.google.com. (32)
09:42:46.130645 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.17098 > 2001:67c:370:229::6.53: 22387+ AAAA? www.google.com. (32)
09:42:46.153967 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 93: 2001:67c:370:1998:41a5:38e3:906c:c62b.14337 > 2001:67c:370:229::6.53: 21476+ AAAA? ipv4only.arpa. (31)

  6. Finally get an answer for one query. Time taken: 22 seconds.

09:42:46.774636 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 280: 2001:67c:370:229::6.53 > 2001:67c:370:1998:41a5:38e3:906c:c62b.13974: 1761 1/4/4 AAAA 2607:f8b0:4009:80c::2003 (218)

  7. Now other queries work as well:

09:42:51.137833 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.1986 > 2001:67c:370:229::7.53: 22387+ AAAA? www.google.com. (32)
09:42:51.138124 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 94: 2001:67c:370:1998:41a5:38e3:906c:c62b.10805 > 2001:67c:370:229::7.53: 32390+ AAAA? www.google.com. (32)
09:42:51.145327 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 258: 2001:67c:370:229::7.53 > 2001:67c:370:1998:41a5:38e3:906c:c62b.10805: 32390 1/4/4 AAAA 2607:f8b0:4009:800::2004 (196)
09:42:51.145916 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 258: 2001:67c:370:229::7.53 > 2001:67c:370:1998:41a5:38e3:906c:c62b.1986: 22387 1/4/4 AAAA 2607:f8b0:4009:800::2004 (196)
09:42:51.157360 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 93: 2001:67c:370:1998:41a5:38e3:906c:c62b.19511 > 2001:67c:370:229::7.53: 21476+ AAAA? ipv4only.arpa. (31)
09:42:51.160038 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 239: 2001:67c:370:229::7.53 > 2001:67c:370:1998:41a5:38e3:906c:c62b.19511: 21476 2/4/0 AAAA 64:ff9b::c000:aa, AAAA 64:ff9b::c000:ab (177)
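
The two symptoms in this capture can be checked mechanically. The following is an added example, not part of the original ticket: it parses `tcpdump -e` lines like those above, flags DAD probes (neighbor solicitations from `::`) sent by a different MAC than the one that first probed the address, and measures the gap from the first DNS query to the first DNS response (counted from the first query, not from association). The function names are illustrative.

```python
import re
from datetime import datetime

# Four lines copied verbatim from the capture above (tcpdump -e output).
CAPTURE = """\
09:42:25.983857 64:bc:0c:50:38:2c > 33:33:ff:6c:c6:2b, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff6c:c62b: ICMP6, neighbor solicitation, who has 2001:67c:370:1998:41a5:38e3:906c:c62b, length 24
09:42:26.102495 64:bc:0c:50:38:2c > 00:00:5e:00:02:c6, ethertype IPv6 (0x86dd), length 109: 2001:67c:370:1998:41a5:38e3:906c:c62b.2211 > 2001:67c:370:229::6.53: 21398+ AAAA? connectivitycheck.gstatic.com. (47)
09:42:36.937825 00:3a:7d:71:93:89 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff6c:c62b: ICMP6, neighbor solicitation, who has 2001:67c:370:1998:41a5:38e3:906c:c62b, length 24
09:42:46.774636 08:81:f4:8a:a7:f0 > 64:bc:0c:50:38:2c, ethertype IPv6 (0x86dd), length 280: 2001:67c:370:229::6.53 > 2001:67c:370:1998:41a5:38e3:906c:c62b.13974: 1761 1/4/4 AAAA 2607:f8b0:4009:80c::2003 (218)
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) ([0-9a-f:]{17}) > [0-9a-f:]{17}, "
                  r"ethertype IPv6 \(0x86dd\), length \d+: (\S+) > (\S+): (.*)$")
DAD = re.compile(r"ICMP6, neighbor solicitation, who has ([0-9a-f:]+),")

def parse(text):
    """Yield (time, source MAC, source, destination, payload) per IPv6 line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, smac, src, dst, rest = m.groups()
            yield datetime.strptime(ts, "%H:%M:%S.%f"), smac, src, dst, rest

def foreign_dad_probes(text):
    """DAD probes for an address that a different MAC probed first."""
    owner, hits = {}, []
    for ts, smac, src, _dst, rest in parse(text):
        m = DAD.search(rest)
        if src == "::" and m:  # unspecified source address marks a DAD probe
            first = owner.setdefault(m.group(1), smac)
            if first != smac:
                hits.append((ts.time().isoformat(), smac, m.group(1)))
    return hits

def dns_blackout_seconds(text):
    """Seconds from the first DNS query sent to the first DNS response seen."""
    first_query = None
    for ts, _smac, src, dst, _rest in parse(text):
        # tcpdump prints address.port, so port 53 shows up as a ".53" suffix.
        if dst.endswith(".53") and first_query is None:
            first_query = ts
        elif src.endswith(".53") and first_query is not None:
            return (ts - first_query).total_seconds()
    return None

if __name__ == "__main__":
    print(foreign_dad_probes(CAPTURE))
    print(dns_blackout_seconds(CAPTURE))
```
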

Change history (8)

comment:1 Changed 10 months ago by panda@…

Owner: changed from llynch@… to panda@…
Status: new → accepted

Hi Lorenzo,

Thank you for the report.

The MAC address 00:3a:7d:71:93:89 is our Cisco Wireless LAN Controller. I will check the configuration and investigate this issue.

Thank you.
Hirochika Asai

comment:2 Changed 10 months ago by llynch@…

updating due to trac notification issue for reporter

comment:3 Changed 10 months ago by jim@…

[Resending due to a problem with outbound ticket emails]

Hi Lorenzo,
Thank you for the report.
The MAC address 00:3a:7d:71:93:89 is our Cisco Wireless LAN Controller. I will check the configuration and investigate this issue.
Thank you.
Hirochika Asai

comment:4 Changed 10 months ago by panda@…

Hi Lorenzo,

We could reproduce this issue.

The NS from the Wireless LAN Controller (WLC) is due to a feature whereby the WLC converts multicast packets to unicast using its forwarding database cache, to mitigate multicast packets consuming a lot of radio time slots. We suspect the cause of this issue is that this forwarding database needs several seconds to get updated after your association. Currently, we cannot find any way to disable this feature, but we are trying to find an alternative way to solve the packet losses (filtered by the WLC) for the first several seconds.

We will continue to work on this issue and let you know when we find anything.

Thank you.
Hirochika Asai

comment:5 Changed 10 months ago by panda@…

Hi Lorenzo,

We enable the unknown address multicast NS forwarding on the WLC so that NS packets can be forwarded before the WLC completes proxy DAD. This does not disable the WLC's weird DAD but should fix the issue that you lose packets for the first several seconds.

Could you please check if the issue is solved?

Thank you.
Hirochika Asai

comment:6 Changed 10 months ago by jim@…

Lorenzo,

Just a quick ping. Jen submitted a ticket on this as well, and she's confirmed that Asai-san's fixes resolved her issue. We just wanted to double check with you that you're seeing it as fixed before we resolve this ticket. Could you take a few seconds to test?

Thanks!

- Jim

comment:7 Changed 10 months ago by jim@…

Resolution: fixed
Status: accepted → closed

Lorenzo,

For ticket queue cleanliness, I'll close this ticket, as we believe things are fixed. A reply from you will re-open if you find something outstanding. Let us know if you still have issues!

- Jim

comment:8 Changed 2 months ago by Rick Alfvin

Milestone: ietf-98 → ietf-098

Milestone renamed
