Re: [BEHAVE] [v6ops] protocols without need for ALG ?

Toerless Eckert <eckert@cisco.com> Sat, 01 August 2015 09:33 UTC

Date: Sat, 1 Aug 2015 02:33:03 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Tore Anderson <tore@fud.no>
Message-ID: <20150801093303.GA4585@cisco.com>
References: <20150730205806.GI1667@cisco.com> <CAD6AjGSKc0jGSkgSKdMsY1gZwYYguJQ06f4nZsWEqBdR9J3e6w@mail.gmail.com> <55BBA7C1.3000502@gmail.com> <20150731174421.GA9032@cisco.com> <20150731221716.5729154a@envy.fud.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150731221716.5729154a@envy.fud.no>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/behave/Iqmx2NKylP1XPIYds6ixSmblvpI>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] [v6ops] protocols without need for ALG ?

On Fri, Jul 31, 2015 at 10:17:16PM +0200, Tore Anderson wrote:
> Yep, but be aware that with SIIT you will need to identify all
> the IPv6 endpoints you want the IPv4-only NOC folks to be able to
> access. These endpoints need either to be provisioned with an
> IPv4-translatable IPv6 address (traditional SIIT), or get an IPv4
> mapping provisioned on the protocol translator (SIIT-DC style
> deployment with EAMs).

The autonomic addressing plan proposed so far is that we'd have
very few eg: /112 prefixes (eg: one per so-called registrar),
and then eg: 16 bit of serial number. So you can see how easy this
would map with siit-eam. 

> You could also use Stateful NAT64 (RFC6146)
> with statically configured BIB entries to accomplish pretty much the
> same thing as the SIIT-DC approach, but you do get a lot of superfluous
> baggage that way (all the stateful connection/session tracking stuff).

Is there a Yang model for 4146 so i can better understand what the
intended operator experience is ? ;-))

Yes, it does mention "static configured mapping" in three places in the
text, and i see in Cisco IOS implementation also the ability to
configure 1:1 IPv4<->IPv6 mappings, and i therefore guess that these
are the "static configured mappings" of 4146, but what i can't find
is any explanation why the operations of such entries would have
to be stateful at all. What would those 4146 entries do different than
stateless siit-eam /32 <-> /128 entries, and what's the "benefit" ? 

But obviously, in a network with 50,000 IPv6 nodes with ULAs,
i wouldn't want to set up an orchestration to configure 50,000
1:1 entries, even stateless, but rather a single /16 <-> /112
(or a few similar slightly longer prefixes). 

> BTW you asked about traceroute, and I don't think anyone answered, so:
> ICMPv6 packets originated by IPv6 hops behind the translator (that are
> not provisioned with an IPv4-translatable IPv6 address) will appear as
> originating from a "random" IPv4 address (which could repeat multiple
> times in the path).

Thanks.

> That could possibly be confusing to NOC staff, so
> I'd suggest giving the RFC6791 addresses descriptive PTR records in DNS
> ("this-apparent-ipv4-hop-really-represents-an-ipv6-router-in-the-autonomic-network-see-rfc6791.example.com").

Yepp. Haven't gotten around to all DNS recommendations, but given how
i am trying to see that full stateless mapping will suffice i hopefully
won't run into these problems.

> Let me know if you want some help or pointers on how to set up a
> stateless translator for testing purposes. Or you could use one of
> mine, as it works just as well over the public internet too (as long as
> the IPv6 endpoints you want to manage are numbered with globally
> reachable addresses). I'd be happy to assist.

Sure, please send me pointers offline, i'll take a look! 

Cheers
    Toerless
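
The /16 <-> /112 mapping discussed in this message, as an added example that is not part of the original post: a stateless explicit-address-mapping table in the style of SIIT-EAM (published as RFC 7757), where one prefix pair per registrar replaces tens of thousands of 1:1 entries. The prefixes and the `EamTable` class are constructed for illustration, and only entries with equal suffix lengths are handled.

```python
import ipaddress

class EamTable:
    """Stateless IPv4 <-> IPv6 prefix mappings with longest-prefix match."""

    def __init__(self):
        self.entries = []  # list of (IPv4Network, IPv6Network)

    def add(self, v4_prefix, v6_prefix):
        n4 = ipaddress.IPv4Network(v4_prefix)
        n6 = ipaddress.IPv6Network(v6_prefix)
        # Suffix bits are copied verbatim, so both sides need the same count
        # (e.g. /16 <-> /112 gives 16 bits, /32 <-> /128 gives 0 bits).
        if 32 - n4.prefixlen != 128 - n6.prefixlen:
            raise ValueError("IPv4 and IPv6 suffix lengths differ")
        self.entries.append((n4, n6))

    def _translate(self, addr, src, dst, dst_cls):
        # Longest-prefix match on the source side; no per-flow state is kept.
        hits = [e for e in self.entries if addr in e[src]]
        if not hits:
            return None  # unmapped: the translator has no entry for this address
        best = max(hits, key=lambda e: e[src].prefixlen)
        suffix = int(addr) - int(best[src].network_address)
        return str(dst_cls(int(best[dst].network_address) + suffix))

    def v4_to_v6(self, v4):
        return self._translate(ipaddress.IPv4Address(v4), 0, 1,
                               ipaddress.IPv6Address)

    def v6_to_v4(self, v6):
        return self._translate(ipaddress.IPv6Address(v6), 1, 0,
                               ipaddress.IPv4Address)

def build_table():
    # Constructed sample: one /112 ULA prefix per registrar, with the low
    # 16 bits carrying the node serial number.
    table = EamTable()
    table.add("10.77.0.0/16", "fd12:3456:789a::1:0/112")  # registrar 1
    table.add("10.78.0.0/16", "fd12:3456:789a::2:0/112")  # registrar 2
    return table

if __name__ == "__main__":
    t = build_table()
    for serial in (42, 50000):
        v6 = str(ipaddress.IPv6Address("fd12:3456:789a::1:0") + serial)
        print(v6, "<->", t.v6_to_v4(v6))
```
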