Re: [Anima] WGLC on draft-ietf-anima-stable-connectivity-03 - Respond by July 28, 2017

Toerless Eckert <tte@cs.fau.de> Thu, 14 September 2017 21:18 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABA71320D9 for <anima@ietfa.amsl.com>; Thu, 14 Sep 2017 14:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S2gdQMn7cJ9T for <anima@ietfa.amsl.com>; Thu, 14 Sep 2017 14:18:49 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 563E013208E for <anima@ietf.org>; Thu, 14 Sep 2017 14:18:49 -0700 (PDT)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 6CB6858C4AF; Thu, 14 Sep 2017 23:18:45 +0200 (CEST)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 5066FB0CB9F; Thu, 14 Sep 2017 23:18:45 +0200 (CEST)
Date: Thu, 14 Sep 2017 23:18:45 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Anima WG <anima@ietf.org>
Message-ID: <20170914211845.GA30086@faui40p.informatik.uni-erlangen.de>
References: <5D36713D8A4E7348A7E10DF7437A4B927CDFE66F@NKGEML515-MBX.china.huawei.com> <136a3ebd-dedb-9e2b-86be-a7d5fd12ad9b@gmail.com> <20170803010809.GA12136@faui40p.informatik.uni-erlangen.de> <a12a758e-9edc-14c0-a4e5-a051b83c9e97@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <a12a758e-9edc-14c0-a4e5-a051b83c9e97@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/L846Sb4Nh03DPiS7oh8zNMdZC2w>
Subject: Re: [Anima] WGLC on draft-ietf-anima-stable-connectivity-03 - Respond by July 28, 2017
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 21:18:52 -0000

Hi Brian, 

Sorry, for the delay. I have not sen further feedback on stable-connectivity-05
bside this mail of yours. See answers below, let me know if you want me to rev
with the one possible textual improvement or if we think -05 is good enough.

Cheers
    Toerless

On Fri, Aug 04, 2017 at 11:31:37AM +1200, Brian E Carpenter wrote:
> I'm just coming back on a couple of points. Generally -05 is almost there...
>
> > See the rewritten SIIT section. IMHO, there can be no simpler "network" based
> > address translation. Where network based means that the translation happens
> > in some device he network operator needs to provision. Like the ACP edge device.
> > Or even an additional address translation device.
> > 
> > So, the only IMHO easier option is when the OS of the NMS host would internally
> > have IPv4/IPv6 translation so the device/VM looks to the outside like full IPv6.
> 
> Yes, that is exactly the effect of 464XLAT in the end-system (not in the
> router).

I found rfc6877 a confusing read, but from what i figure, it's not exactly what
i was thinking of: with rfc6877, you still need the server side to have a reachable/mappable
IPv4 address, and that is something any device in the ACP does not have naturally.
(aka: NOC server as client connecting to ACP device, ACP device is server).

If i already need to set up some other form of NAT to give an ACP device an outside IPv4
address, then 464XLAT does not buy me any simplifications.

I was rather thinking of taking the NAT network function that i was describing
and simply embody them in a set of linux NAT rules configured on on the NOC linux
system that runs the IPv4-only NMS application. Aka: Not a novel NAT scheme,
but just a way to avoid having to deal with the problem in the network (adding a NAT
device you would otherwise not need):

Its a NMS host problme, deal with it in the NMS host. If you can not change the app,
let the OS do the NAT. Of course, this would not work for the poor customer who bought
a black-blox NMS soution which may run windows, or where you can not configure the
linux. Then again, nowadays, most NOC components should be software in VMs, and
for those, you should certainly be able to do the NAT in the vswitch of the server.

In any case: my interest in expanding the NAT section further is quite limited.
The whole goal of the NAT section was to explain that you need 1:1 address mapping
and that you can hack this up in likely most available routers with NAT support,
but do not consider this to be a good long term solution but use it as a stopgap
to upgrade your NOC software to IPv6.

No idea why IETF draft/RFC doesn't allow me to write such a simple paragraph ;-))

So, let me know if you feel strongly anything that should be added/modified to the
NAT section.

> > Alas, i didn't have the time to investigate these options. And most likely if at
> > all you could only make those work for linux.
> 
> Linux or Windows, yes. In a vendor's router o/s, who knows? But maybe they
> will all support IPv6 anyway?

Lets hope so, yes.

> > So, for now i just remove the note and clarified the last sentence a bit.
> > 
> > If there is anything specific to be said bout why 464XLAT might be better
> > longer term, let me know and i can add it. For now it looks like yet another
> > network device configured option to me, but i have not tried to understand it
> > all the way.
> 
> I think you'd need one of the 464XLAT authors to have a look at the scenario,
> because I don't claim to understand it all.

Well, the analysis i made above (server must support IPv4 as stated in the RFC)
makes me discount it as a more beneficial option to mention.

> >>>    Using current registration options implies that there will not be
> >>>    reverse DNS mapping for ACP addresses.
> >>
> >> Really? I assume we're talking about two-faced DNS, and afaik nothing
> >> stops an operator providing reverse mapping in the private DNS.
> >> That seems to be implied by the following paragraphs, so the text
> >> seems inconsistent anyway.
> > 
> > I know it under the name "split-horizon DNS". Is there any reference ?
> 
> The DNS community in the IETF hates split DNS so much that
> not much has been written about it. I did find these:
> https://tools.ietf.org/html/rfc6950#section-4
> https://tools.ietf.org/html/rfc7157#section-6.3
> https://tools.ietf.org/html/draft-richardson-homenet-secret-gardens

RFC1918 actually explains it succinctly without giving it a name.
RFC4193 only tells you what you shouldn't do with DNS. How helpfull ;-)

So, let me know if you think it's worth creating another stable-connectivity rev,
i'd suggest to replace the "split-horizon" sentence with:

Operators may therefore need to use a private DNS setup for the ACP ULA
addresses. This is the same setup that would be necessary for using
RFC1918 addresses in DNS. See for example [RFC1918] section 5, last
paragraph. In [RFC6950] section 4, these setups are discussed in more detail.

Cheers
    Toerless

> Regards,
>     Brian