IETF Logo Mail Archive

Re: Last Call: <draft-ietf-opsec-lla-only-07.txt> (Using Only Link-Local Addressing Inside an IPv6 Network) to Informational RFC

"George, Wes" <wesley.george@twcable.com> Thu, 27 March 2014 15:35 UTC

Return-Path: <wesley.george@twcable.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 873D71A00FB; Thu, 27 Mar 2014 08:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.475
X-Spam-Level:
X-Spam-Status: No, score=-0.475 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E_8Hl8eClzPK; Thu, 27 Mar 2014 08:35:27 -0700 (PDT)
Received: from cdpipgw01.twcable.com (cdpipgw01.twcable.com [165.237.59.22]) by ietfa.amsl.com (Postfix) with ESMTP id 3DE501A0067; Thu, 27 Mar 2014 08:35:26 -0700 (PDT)
X-SENDER-IP: 10.136.163.11
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="4.97,743,1389762000"; d="scan'208";a="252260015"
Received: from unknown (HELO PRVPEXHUB02.corp.twcable.com) ([10.136.163.11]) by cdpipgw01.twcable.com with ESMTP/TLS/RC4-MD5; 27 Mar 2014 11:34:24 -0400
Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.79]) by PRVPEXHUB02.corp.twcable.com ([10.136.163.11]) with mapi; Thu, 27 Mar 2014 11:35:24 -0400
From: "George, Wes" <wesley.george@twcable.com>
To: Christopher Morrow <christopher.morrow@gmail.com>, Ted Lemon <ted.lemon@nominum.com>
Date: Thu, 27 Mar 2014 11:35:23 -0400
Subject: Re: Last Call: <draft-ietf-opsec-lla-only-07.txt> (Using Only Link-Local Addressing Inside an IPv6 Network) to Informational RFC
Thread-Topic: Last Call: <draft-ietf-opsec-lla-only-07.txt> (Using Only Link-Local Addressing Inside an IPv6 Network) to Informational RFC
Thread-Index: Ac9J0it4g4ypupX+RKK9IVT6u5ttqg==
Message-ID: <CF59AE52.16403%wesley.george@twcable.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/7iFFVCYuEnT6WlEIUjKAKwiJimc
Cc: opsec wg mailing list <opsec@ietf.org>, The IESG <iesg@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 15:35:29 -0000

I’d like to add another voice supporting the suggestion that this document
include an IESG warning that it is not an IETF-recommended thing to do, in
order to reduce possibility of confusion about whether or not IETF
consensus in this case is “yes this is a thing consenting adults can do on
the privacy of their own network” vs a ringing endorsement that “IETF
thinks that this is a thing that you SHOULD do on your network”. Even
though the document is not a BCP, the document’s status as an
informational consensus RFC carries weight among those looking for
guidance on the nuts and bolts of implementing IPv6 on a network.

The authors have done a good job of responding to this concern by
eliminating the language contained in earlier versions of the doc that
read like a recommendation/endorsement, but I’d still rather see this as
an individual document, and failing that, suitably prefaced with a warning.

Some specific comments to help explain why “bad idea” keeps getting thrown
around:


On 3/26/14, 9:31 PM, "Christopher Morrow" <christopher.morrow@gmail.com>
wrote:
>So, I was presuming that the LLA was ONLY for the ptp links, and that
>loopbacks would still be standard old addresses like today.
>
>If the above is the case (my presumption) then you have access to the
>local-lo0 equivalent as along as your IGP is healthy, and you're ok.

Conveniently, I’ve raised this before [1]
"Diagnostic tools like pings and traces, as well as more important things
like PMTUD are brittle enough without advocating this practice for
questionable benefit. Yes, you can configure a router to respond to ICMP
via a routable loopback address. However,  relying on such configuration
being properly implemented, let alone applied pervasively and consistently
to make critical bits of infrastructure work seems risky. Now I have to
ask whether the trace failed because the router isn't responding with the
right interface, or because something's actually broken. I also have a
hunch that this would expose a whole new crop of routing protocol next-hop
bugs and assorted weirdness based on what (flawed) assumptions router
vendors made about interface addressing and reachability when
implementing."

>
>complexity is going to cause you pain, it is going to cause you
>problems and it is going to lengthen outages :( avoid complexity.
+1

A further quote from [1] regarding operational considerations that the
document has not, IMO suitably addressed:
"LLA has other issues:
- diagnostic pings across connected interfaces are harder to complete -
instead of simply typing ping [address], one must now specify the exit
interface, effectively doubling the commands required.
- diagnostic traceroutes are similarly harder because one must specify a
routable source interface and destination.
- in large networks, most connected interfaces are numbered using a
standard numbering scheme such that one can derive the address of the
remote side by simply adding or subtracting 1 from the local IP address.
Pings to the remote side when dynamic LLAs are used require determining
the address to be pinged, either via a show interface on the remote side,
or a show ipv6 neighbor on the local side, and may be more prone to
operator-induced failure due to the fact that the addresses are not
obviously similar to one another.
- because dynamic addresses are not present in the configuration, it is
impossible to search for them to determine where a given address may be if
it shows up in diagnostic information (packet captures, traces, routing
updates, etc). Statically-assigned addresses show up in configuration,
meaning that simple tools like grepping a rancid config repository can
find the router on which that address is located."

Thanks,

Wes George

[1] http://www.ietf.org/mail-archive/web/opsec/current/msg01258.html


Anything below this line has been added by my company’s mail server, I
have no control over it.
-----------


This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

v2.23.0 | Report a Bug | By Email