Re: [homenet] Support for RFC 7084 on shipping devices...

Ole Troan <otroan@employees.org> Mon, 07 October 2019 06:36 UTC

Return-Path: <otroan@employees.org>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 940EF1200F3; Sun, 6 Oct 2019 23:36:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kBnFhdBUtFD1; Sun, 6 Oct 2019 23:36:52 -0700 (PDT)
Received: from clarinet.employees.org (clarinet.employees.org [198.137.202.74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EAAB12002F; Sun, 6 Oct 2019 23:36:52 -0700 (PDT)
Received: from astfgl.hanazo.no (unknown [IPv6:2a01:79c:cebd:47d8:b160:d5e5:c5fc:e022]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 48B374E11AC9; Mon, 7 Oct 2019 06:36:49 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id B9C351E7F393; Mon, 7 Oct 2019 08:36:46 +0200 (CEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <A5D12082-3D6A-4540-9AFB-2530D4FA6A32@fugue.com>
Date: Mon, 7 Oct 2019 08:36:46 +0200
Cc: Markus Stenberg <homenet@ietf.org>, 6MAN <6man@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FF34E138-469F-40F6-BA8F-7AE02F878B29@employees.org>
References: <56255ECF-9002-4440-BA0D-665EFC4BA9C6@fugue.com> <F638F635-9A1C-409E-BDB8-C00DF00A64C8@employees.org> <alpine.DEB.2.20.1910040752050.968@uplift.swm.pp.se> <A52F076F-817D-4807-8CD6-280C2040AEBF@employees.org> <5F0D2E3D-BE20-4421-8A37-E81E6B93B3A5@fugue.com> <E50D25C7-8EF1-4685-9442-021F019F7F62@employees.org> <60B2C15B-E126-4F86-AA9A-9EB9A6C0EB2D@fugue.com> <FBCD2C32-9CBE-4499-A3E9-0FF4991E34DF@employees.org> <A5D12082-3D6A-4540-9AFB-2530D4FA6A32@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/3J46Bt5Jb387erBH-5woV15QYNA>
Subject: Re: [homenet] Support for RFC 7084 on shipping devices...
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 06:36:55 -0000

Hi Ted,

>> Are you saying there might be gaps in HNCP? Or things we could do to make it more deployable?
>> If it's just a matter of running code missing, I'm not sure defining anything else new in the IETF would help that problem.
> 
> There are definitely missing features from the protocol that I’d like to add.   But I think the fact that the protocol isn’t deployed on a _single_ commercially available router, and is not really usable on OpenWRT by a non-expert, is an indication that there is substantial remaining work to do.   Operations work is not out of scope for IETF; maybe I should have asked this on v6ops.   We have historically said “not our problem,” but I don’t agree that that’s the right answer.   If HNCP had really convincingly solved the problem, we would not be seeing what we are seeing.

I believe HNCP has solved the technical problem it set out to do. Allow for an automatically configured, arbitrary topology network with multiple exits.
The deployment challenge of that is that every router must support HNCP and must support SADR.

>> I know why I haven't implemented HNCP on software I work on... and I also know that there aren't any very realistic alternatives either.
> 
> Can you say why that is?

Quite a few reasons, some which might be not relevant to your case of course.
 - the pendulum between distributed algorithms and centralized controllers is for the problems I'm working on largely towards the centralized side
 - it's quite a lot of work. it requires a new routing protocol, it requires a changed forwarding paradigm, and it requires integration with a lot of features
 - it does not support the case "permissionless extensions of the network".

>> RA guard isn't applicable in a RFC7084 context. RFC7078 talks about routing and routers. I.e. what happens at the network layer.
> 
> You mean at the “internet layer,” I assume?

No, I mean the network layer. RA guard operates as a layer violating feature at the data-link layer.

>> If you are talking about what happens at the often integrated bridge CE devices have, then sure, they could implement RA Guard.
>> But having your additional router sending RAs across the homenet might not be a particularly good idea anyway.
> 
> Why not?   What would be a better idea?   I don’t mean to say that using RAs in this way is ideal, but what’s the alternative that doesn’t involve the vast complexity of per-host routing?

I don't understand how it would work. Add another router with it's own link. How would you get addresses for that link? Make them up from ULA? And then advertise that in an RA upstream with the MSR option?
That would put a lot of responsibility on the hosts of getting things "right".
And what if you added two of your routers, or connected them differently?

Per-host routing is in itself trivial and likely scales orders of magnitude further than you need. But there are problems with MLSR that are unsolved / not solved to my liking yet there.

>> Sounds like you need to set it up as a NAT.
> 
> I really hope you are just making a funny joke here.   But it’s not very funny.   What I want is something that’s operationally simple, not something with lots of moving parts that have to be kept track of.   NATs in particular suck for any UDP-based protocol.

for "permissionless extensions of the network" there isn't much else than NAT.
Your other likely option is an ND proxy. If you are very sure that nothing else can be added to the network (we don't want to build a spanning tree protocol out of ND).

>> I wasn't thinking of doing it exactly like the 6lowpan does it.
>> Regardless I don't see why scaling should be problematic, are you planning to have millions of rapidly moving hosts on your shared /64 network?
> 
> If you have N devices on a single link on the other side of the router, then when using either RA or a routing protocol, the amount of information you need to propagate to get things working is very small: just a prefix and a router.   If you can’t do that, then the amount of information you need to propagate is at a minimum N units, and possibly K*N, for some not insignificant factor K.
> 
> To be clear, the reason I’m concerned about this is that I’ve looked at implementing it on OpenWRT, and it’s at least roughly doubling the complexity of the work required, even if you can depend on using IPv6.   If you have to use IPv4 on one side, then it’s even more complexity.   And it’s utterly stupid complexity—it adds no value over subnetting.   Why add that to the network?

Because you don't like the mechanisms for automated subnet assignment? ;-)
And no, I'm not suggesting we should do MLSRv2 as a competitor for HNCP. MLSRv2 would also require an update to every router, and a network operator allowing extensions to the network.


> This is why I’m asking people if they have knowledge of what is actually deployed.   I think this is the right place to ask, but if you disagree, I’m open to suggestions.

I do not disagree. I think having that feedback loop from implementation/deployment/operational experience is important.

Best regards,
Ole