RE: Thinking differently about the site local problem (was: RE: site local addresses (was Re: Fw: Welcome to the InterNAT...))
Margaret Wasserman <mrw@windriver.com> Mon, 31 March 2003 21:18 UTC
Received: from ran.ietf.org (ran.ietf.org [10.27.6.60]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25012; Mon, 31 Mar 2003 16:18:27 -0500 (EST)
Received: from majordomo by ran.ietf.org with local (Exim 4.10) id 1906sT-0003pL-00 for ietf-list@ran.ietf.org; Mon, 31 Mar 2003 16:31:37 -0500
Received: from odin.ietf.org ([10.27.2.28] helo=ietf.org) by ran.ietf.org with esmtp (Exim 4.10) id 1906rU-0003Yt-00 for ietf@ran.ietf.org; Mon, 31 Mar 2003 16:30:36 -0500
Received: from mail.wrs.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA24838 for <ietf@ietf.org>; Mon, 31 Mar 2003 16:14:10 -0500 (EST)
Received: from IDLEWYLDE.windriver.com ([147.11.233.8]) by mail.wrs.com (8.9.3/8.9.1) with ESMTP id NAA16771; Mon, 31 Mar 2003 13:16:08 -0800 (PST)
Message-Id: <5.1.0.14.2.20030331151741.049a5c10@mail.windriver.com>
X-Sender: mrw@mail.windriver.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 31 Mar 2003 16:08:56 -0500
To: alh-ietf@tndh.net
From: Margaret Wasserman <mrw@windriver.com>
Subject: RE: Thinking differently about the site local problem (was: RE: site local addresses (was Re: Fw: Welcome to the InterNAT...))
Cc: ietf@ietf.org
In-Reply-To: <077601c2f7be$e0fcdc70$ee1a4104@eagleswings>
References: <5.1.0.14.2.20030331124842.049a5c10@mail.windriver.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf@ietf.org
Precedence: bulk
Hi Tony, At 11:51 AM 3/31/2003 -0800, Tony Hain wrote: >Margaret Wasserman wrote: > > Of course, in the case of site-local addresses, you don't > > know for sure that you reached the _correct_ peer, unless you > > know for sure that the node you want to reach is in your > > site. > >Since the address block is ambiguous, routing will assure that if you >reach a node it is the correct one. This FUD needs to stop! I believe that you have misunderstood my point... I'll try to explain further, although our friends in the applications area may be able to give better examples. Let's assume that there is a FooBar server in SiteA. If another node in SiteA (NodeA) is communicating via a multi-party application to a node in SiteB (NodeB), and wants to refer NodeB to the FooBar server in SiteA, what does it do? If this is IPv6 with site-local addressing, NodeA may be speaking to the FooBar server using a site-local address. What happens if NodeA sends that site local address to NodeB? NodeB tries to reach the FooBar server at the SL address that points to the FooBar server in SiteA. But, within SiteB, that same address may point to a non-existent subnet, to a non-existent node or to an existing node in SiteB. Scoped routing doesn't stop NodeB from reaching the wrong node, it guarantees that NodeB _will not_ reach the right node and _may_ reach the wrong node. The type of failure that NodeB will receive is different in each case. If the address points to a non-existent subnet or node, an ICMP error may or may not be generated and no connection will be established (timeout), but if there is an existing node in SiteB with the same address, NodeB will receive some type error from that node (the node that NodeB _thinks_ is the FooBar server), such as port not available, connection reset, or an application-level error. Or, worse yet, NodeB may not receive any error at all, and may never know that it was speaking to the wrong node. Now, what if NodeA has a list of addresses for the FooBar server (perhaps obtained through the use of split DNS) that includes both site-local and global addresses? Perhaps NodeA will send the whole list of addresses to NodeB. If NodeB tries the site-local address first (as current IPv6 address selection rules indicate) it will not reach the FooBar server. However, it could have reached the FooBar server using a global address. Perhaps, you believe that NodeA should include intelligence inside the application that knows NOT to send site-local addresses to NodeB if NodeB is not in the same site? If so, how does NodeA find out that NodeB is not in the same site? One proposal is that NodeA should only send addresses to NodeB that are of the same or larger scope as the IP address that NodeA is currently using to reach NodeB. But, this has problems, too: - It requires some fairly complicated changes to existing applications to make them work properly on IPv6. - It requires applications to make address selection choices based on the addresses in use at the network layer. Since there is an increasing desire for applications to be unaware of the addresses used at the network layer, and to survive changes in those addresses (see SCTP, SIP, Mobile IP, etc.), this is not an architecturally sound mechanism. - It doesn't give a good answer for what the application should do if it only has one address available for the referral, and it is not of sufficient scope. - It may not interact well with access control mechanisms that depend on using a site-local address to reach services, as it errs on the side of not sending site-local addresses, even when they may be valid. There are, IMO, three major problems (and several minor problems) with the use of site-local addressing on globally connected networks: (1) Routing protocol issues/complexity, such as the need to handle ambiguous addresses in routing exchanges and the need to maintain site "convexity". These problems can be avoided by avoiding site-border routers and site-border nodes (as in the "moderate" proposal), AND by placing site borders on OSPF/IS-IS area boundaries or on AS boundaries. (2) Institutionalizing the need for split DNS. I understand that some network administrators choose to use split DNS today, but that doesn't meant that we want to build a requirement for split DNS it into the IPv6 architecture. IMO, requiring the DNS infrastructure to be aware of and enforce topology boundaries is a poor architectural choice. (3) The need for upper-layer protocols (transport, session and application-layer protocols) to include address selection logic to decide when to pass (and not to pass) site-local addresses in upper-layer communications. This requires modification to existing application protocols and implementations, and is an unnecessary source of added complexity and cost for IPv6 implementations. We have yet to come up with any workable model for the use of site-local addressing on connected networks that does not exhibit problems (2) and (3). Thoughts? Margaret
- RE: Thinking differently about the site local pro… Michel Py
- RE: Thinking differently about the site local pro… Christian Huitema
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about the site local pro… Margaret Wasserman
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Vernon Schryver
- RE: Thinking differently about the site local pro… Tony Hain
- Re: Thinking differently about the site local pro… Eliot Lear
- Re: Thinking differently about the site local pro… Valdis.Kletnieks
- Thinking differently about names and addresses Dave Crocker
- Re: Thinking differently about the site local pro… Måns Nilsson
- Re: Thinking differently about the site local pro… Stephen Sprunk
- RE: Thinking differently about the site local pro… Margaret Wasserman
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… Matt Crawford
- Re: Thinking differently about the site local pro… Matt Crawford
- RE: Thinking differently about the site local pro… Michel Py
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Valdis.Kletnieks
- Re: Thinking differently about the site local pro… Matt Crawford
- RE: Thinking differently about the site local pro… John C Klensin
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about the site local pro… Tony Hain
- Re: Thinking differently about the site local pro… Valdis.Kletnieks
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… S Woodside
- RE: Thinking differently about the site local pro… Michel Py
- RE: Thinking differently about names and addresses Tony Hain
- Re: Thinking differently about names and addresses Dave Crocker
- site locals are bankrupt Keith Moore
- Re: Thinking differently about names and addresses John C Klensin
- Re: Thinking differently about names and addresses Harald Tveit Alvestrand
- Re: Thinking differently about the site local pro… John Stracke
- RE: Thinking differently about names and addresses Tony Hain
- Re: Thinking differently about the site local pro… John Stracke
- Re: Thinking differently about the site local pro… J. Noel Chiappa
- Re: Thinking differently about the site local pro… J. Noel Chiappa
- Re: Thinking differently about names and addresses Keith Moore
- Re: Thinking differently about names and addresses Dave Crocker
- Re: Thinking differently about names and addresses Dave Crocker
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about names and addresses Tony Hain
- Re: Thinking differently about names and addresses Keith Moore
- Re: Thinking differently about the site local pro… Bill Manning
- Re: Thinking differently about the site local pro… Michael Richardson
- Re: Thinking differently about the site local pro… Pekka Savola
- Re: Thinking differently about the site local pro… Harald Tveit Alvestrand
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Spencer Dawkins
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… Bill Manning
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… John C Klensin
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… Randy Bush
- RE: Thinking differently about the site local pro… Tony Hain
- RE: Thinking differently about the site local pro… Daniel Senie
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Tony Hain
- Re: Thinking differently about the site local pro… John Stracke
- Re: Thinking differently about the site local pro… Keith Moore
- RE: Thinking differently about the site local pro… Brian Zill
- Re: Thinking differently about the site local pro… Fredrik Nyman
- RE: Thinking differently about the site local pro… Jeroen Massar
- RE: Thinking differently about the site local pro… Margaret Wasserman
- RE: Thinking differently about the site local pro… Jeroen Massar
- Re: Thinking differently about the site local pro… John Stracke
- Re: Thinking differently about the site local pro… Keith Moore
- Re: Thinking differently about the site local pro… John Stracke
- v6 support (was Re: Thinking differently about th… Keith Moore
- Re: v6 support (was Re: Thinking differently abou… Steven M. Bellovin
- Re: v6 support (was Re: Thinking differently abou… Eric Rosen