IETF Logo Mail Archive

Re: [homenet] I-D Action: draft-haddad-homenet-multihomed-00

Teco Boot <teco@inf-net.nl> Fri, 26 October 2012 07:29 UTC

Return-Path: <teco@inf-net.nl>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1A0A21F8451 for <homenet@ietfa.amsl.com>; Fri, 26 Oct 2012 00:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7LGLbqAtx8f for <homenet@ietfa.amsl.com>; Fri, 26 Oct 2012 00:29:58 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9833E21F8450 for <homenet@ietf.org>; Fri, 26 Oct 2012 00:29:57 -0700 (PDT)
Received: by mail-ee0-f44.google.com with SMTP id d4so1030700eek.31 for <homenet@ietf.org>; Fri, 26 Oct 2012 00:29:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=IwH0NyTdq6PT10q0/Jvuy3ERc6QyJboDQfjpttxrwdM=; b=XVj/+cpi7DXaWlZkec0hCfvGzEmW9MoTOcHi1RG6sqHwnqwG2LEoEaEZYD3q969hoU st4aufnI9KBdIvMBTCE7AmJS4VHxEIcng6q9f3tFam9O87VjaAYYErXs0MVJ7agzSpbg ZS/IpRsyqAYU0ek93jhoANT8bQupcYtuSV3Z++D87OLHFA6L569MGK4UBn1RTfw5tjC9 14oSyAU8PRzJuzAXUZGOfV+1CWqpv58L5zuIIjNxd6RgPM3qeaMWooeW7Tskg2l0n0TZ pUcAg6fqjqwqLH5XbKOHRSnTW5+AbY+vAMsydFuF5u6K6FWwtRGbWMg1RmBAg2xkBWmU rqgg==
Received: by 10.14.172.137 with SMTP id t9mr30291377eel.2.1351236596613; Fri, 26 Oct 2012 00:29:56 -0700 (PDT)
Received: from [10.175.173.38] (524A14A4.cm-4-3a.dynamic.ziggo.nl. [82.74.20.164]) by mx.google.com with ESMTPS id f3sm1036612eeo.13.2012.10.26.00.29.53 (version=SSLv3 cipher=OTHER); Fri, 26 Oct 2012 00:29:54 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Teco Boot <teco@inf-net.nl>
In-Reply-To: <50896915.6080404@mtcc.com>
Date: Fri, 26 Oct 2012 09:29:57 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <994FBBCB-0844-4182-927B-6ED5A7B19986@inf-net.nl>
References: <201210011801.q91I1tfW056624@gateway1.orleans.occnc.com> <10328E81-3C94-455B-9A37-B421200A5C38@ecs.soton.ac.uk> <EMEW3|19238916f7ff9a0ada655caf80bba8cao9AAbJ03tjc|ecs.soton.ac.uk|10328E81-3C94-455B-9A37-B421200A5C38@ecs.soton.ac.uk> <7F6EA97D-5DA8-4872-A647-D879B1955824@gmail.com> <49FCFE49-9DFB-44D2-ADAD-636A3C80F906@ecs.soton.ac.uk> <EMEW3|09bc323dc12a06be7c21e18f2752cd05o9LECn03tjc|ecs.soton.ac.uk|49FCFE49-9DFB-44D2-ADAD-636A3C80F906@ecs.soton.ac.uk> <7F4B245F-9355-4134-9176-EB7DB1634469@apple.com> <77A8749D-DF81-4816-8277-CB69861E524A@fugue.com> <C3720598-400C-4B83-9CEC-878B3FA8109E@ecs.soton.ac.uk> <EMEW3|3e5d3f7836c5b4ddbd99d74df88ecc6ao9LJ8r03tjc|ecs.soton.ac.uk|C3720598-400C-4B83-9CEC-878B3FA8109E@ecs.soton.ac.uk> <5085905A.8030206@mtcc.com> <52E31542-3B7C-4EC1-9B2C-3C9D8E6B3BB1@apple.com> <50859C1B.7070707@mtcc.com> <CAKD1Yr0v3NdN+QCj=jFiZcv0ox1S-YAj29dZyMd6kAWAv723dg@mail.gmail.com> <5086B5A7.3040706@mtcc.com> <0435F886-1E8B-4302-832F-C9D0269981A4@apple! .com> <50896915.6080404@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
X-Mailer: Apple Mail (2.1283)
X-Gm-Message-State: ALoCoQnZGreuTfZD+9Nb8dV8TgxW94OePv3dqOjrUo1S8pV6sqRFMHaTyfuTnpIuzHtnDvenvKhq
Cc: homenet@ietf.org
Subject: Re: [homenet] I-D Action: draft-haddad-homenet-multihomed-00
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2012 07:29:59 -0000

Op 25 okt. 2012, om 18:30 heeft Michael Thomas het volgende geschreven:

> On 10/23/2012 11:01 AM, james woodyatt wrote:
>> On Oct 23, 2012, at 08:20 , Michael Thomas <mike@mtcc.com> wrote:
>>> On 10/22/2012 08:35 PM, Lorenzo Colitti wrote:
>>>> Can you explain why this behaviour, combined with the "prefer matching interface" rule in RFC 3484, is not sufficient? If not, then there is no problem to solve here.
>>> Your ISP gives you 2001:xxxx:: via SLAAC. Your employer gives you 2000::,
>>> but also has 2001:yyyy::. You connect to a server on 2001:yyyy::. Your
>>> 3484 v6 stack picks 2001:xxxx for the source address. Hilarity ensues:
>> My IPv6 stack doesn't pick a 2001:xxxx:... address.  When the VPN client connects, it inserts a more-specific host route to 2001:yyyy::/z via the VPN pseudo-interface, so the IPv6 stack picks the interface address assigned by the VPN access concentrator as the source address for application flows to the 2001:yyyy:/z network.
>> 
>> Hilarity does not ensue. Happy faces on the security team.
>> 
>> 
> 
> As I alluded to in my previous note, this doesn't work unless the vpn is
> terminated in host devices. When it's router-router, it fails as I mentioned
> because the hosts are clueless. I expect that walled off overlay networks
> will be more rather than less prevalent in v6, especially when homenets
> are truly visible -- though access controlled -- from the outside which is
> pretty untrue today with v4/nat.

More thoughts on this scenario. Assume the company has many branch 
offices (e.g. 1000 small sites, with 2001:xxxx::/48 from ISP), 
where main office has 2000::/48. Each branch office is equipped as 
a homenet, the gear is cheap and just acts as the requirements. It
provides Internet access and VPN to main office and indirect to all 
other branches. Branch office managers set up their homenet equivalent 
to the branch offices. This doubles the number of VPN tunnels. 
For Internet access, nodes on branch offices / homenet configure a 
2001:xxxx:0:mmmm::/64 address. Main office nodes configure 2000:0:0:nnnn::/64. 

We better not send 2000 routes during VPN tunnel setup, for access to
main office and each branch office / homenet. We better configure a 2nd 
address on nodes in the branch offices / homenets, for connectivity 
to nodes in main office or branch office / homenet.
VPN tunnel provides a 2000:0:0:zzz0::/60 prefix to each branch office /
homenet and nodes configure an additional 2000:0:0:zzzz::/64 address for 
access via VPN.

Routing shall forward packets with destination inside the site based
on destination address. For packets outside, routing shall use the source
address. Source addresses in 2001:xxxx::/48 are send to ISP, 
source addresses in 2000:0:0:zzz0/60 are send via VPN tunnel.

IGP / VPN servers in main office may have to handle a bench of prefixes, 
prefix handling on tunnels is kept low.

On source address selection, nodes prefer a 2000:0:0:zzzz::/64 for
destinations within the company, 2001:xxxx:0:mmmm::/64 for elsewhere.

Is this the model we have in mind?

How can source address selection pick the 2001:xxxx:0:mmmm::/64 address for
a destination out of 2000::/16, but not 2000::/48? This is a MIF problem.
Use RFC 6724 policy table Label? Supersede Rule 8?

Now, company acquires another and 2001:yyyy::/48 is connected to the main office.
Branch offices / homenets wants to connect to a 2001:yyyy::/48 address via 
the VPN. I see multiple options:
a) circumvent problems: first renumber acquired company to 2000::/48
b) push a 2001:yyyy::/48 route on VPN tunnels
c) add another VPN prefix on all branch offices / homenets for 2001:yyyy::/48
Option a is the preferred solution, let's pass this to 6renum. Homenet protocols
may help.
Option b makes branch office / homenet IGP more complicated due to route 
redistribution, source address selection and ingress filtering.
Option c makes VPN stack more complicated, due to assignment of multiple 
prefixes.
NPT66 & happy eyeballs could help. But IMHO these are hacks.

Opinions?

Teco

> 
> Mike
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

v2.23.0 | Report a Bug | By Email