IETF Logo Mail Archive

Re: [IPv6] I-D Action: draft-ietf-6man-rfc6724-update-00.txt

Nick Buraglio <buraglio@forwardingplane.net> Tue, 24 October 2023 12:32 UTC

Return-Path: <buraglio@forwardingplane.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C81FC15153E for <ipv6@ietfa.amsl.com>; Tue, 24 Oct 2023 05:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forwardingplane.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ilY2qjcHZ_bF for <ipv6@ietfa.amsl.com>; Tue, 24 Oct 2023 05:32:21 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2515C151548 for <ipv6@ietf.org>; Tue, 24 Oct 2023 05:32:21 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id af79cd13be357-778a6c440faso231733585a.3 for <ipv6@ietf.org>; Tue, 24 Oct 2023 05:32:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardingplane.net; s=google; t=1698150740; x=1698755540; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=K0rcJPtrv8El8i/IugaOAqTbyU4O8IQKxn4quUjIm4M=; b=OKEMFXc3Bw8xqzsVGbjJtPF/HJsDhce5CYASvUU57h76fTbUYCmzUE0nMU0Uxo2VSF cgHogv3q7dMoFB/qLZYH7Nqc+j7+7GNaEIhp95AFqQyr28TCxced3qnNyReCh/tczXip MQ7aW7axpp2yCcXI+H9lEhMnB1L+wpt6x+fuQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698150740; x=1698755540; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=K0rcJPtrv8El8i/IugaOAqTbyU4O8IQKxn4quUjIm4M=; b=q2I/TJ2x68kfeIXlj2fxjt0o/dmYebHopP1fj+v5S4a2GcXPvect3VnIqDE785JnUB YwFn2BPNTNoRsLZgDTvYWA9bVMkMj73WLYDvQhQdp8Cd3//Ff5OHdbf9Pl+qA25rpjIW 7OA7mF/oR6eYOg203EjjeOvxtBrpTq3Kb1vvwHbWDpEQypz8yS6iqSgbQwtY0hw4RrEz nNEE2vHvOG4nXOvxlP2oNg2p/f4RdtF7PKiF79xjvWbE1yNiGjVK+oDah+wbRQ7qlPfN ISK5RJA7VwO4MtW2fKuGk3LxAxg/i76U4EwmVKAVGTgZC0IAi6g/d6SsUrxDThz7eMj/ vjqQ==
X-Gm-Message-State: AOJu0Yy/C5Qf8ieAK4pHPMtsQgAwnpX69H3ASItvYSi+4az4H233BNz+ frK6IY6pHaL6XKFkpqNRUFni/m61OD6RrrQULoAN36TSF/p/C7TREm85/Q==
X-Google-Smtp-Source: AGHT+IHP+2gxKyvdBdAEtB9hJaeKRBURze5DXVPM3x/oSYaCstae/7jOuZeDkrpg1EQrUJ4ChJRQ31u28D7quh9SqKs=
X-Received: by 2002:ac8:5c02:0:b0:418:1c96:8ae9 with SMTP id i2-20020ac85c02000000b004181c968ae9mr11757873qti.11.1698150740543; Tue, 24 Oct 2023 05:32:20 -0700 (PDT)
MIME-Version: 1.0
References: <e1c50f43dac34ee296be60ef97acf06f@huawei.com> <1A5F2950-22F6-4F48-B528-00368B6898EF@employees.org> <CAJU8_nXsZfTQx8JFobt=p14O78RqrcOicB5V4Z1N3pHojOkzEw@mail.gmail.com> <AE7749C6-F4B4-4DC5-ABBE-39CE53870A17@employees.org> <CAJU8_nV2VMyZ7=NHodkrFKE3Kz4zOEZJBcGKUhqEVPmb2en+Pw@mail.gmail.com> <CAJU8_nWERUVQSnxtnVw9eG0vhfhZTebGho-uO3yA2v_Dq5FL5w@mail.gmail.com> <85dbb14c-a3d7-fd50-6872-16f483b9d172@gmail.com> <CAJU8_nWxY3MSzfpH=5T6co19E6s2hH7Wz6reO4S9dXKxS_MQxQ@mail.gmail.com> <F7D02A81-1894-4DD1-A37D-338ED3EAED1F@employees.org> <1535bf14-ef0d-1ff2-d76a-1d88b762ddd2@gmail.com> <38E4A9DF-44B7-492C-AF7C-A8FF43ADBE26@employees.org> <1efc2830-a8ff-a4a3-e1d8-f55672db5979@gmail.com> <9E039643-96A7-4A7E-B797-363DD106F61A@employees.org> <CAPt1N1k2TNmfJgyrfgjoPADGSDamEfDg9GS0EtzgZ=uhNSQuXg@mail.gmail.com>
In-Reply-To: <CAPt1N1k2TNmfJgyrfgjoPADGSDamEfDg9GS0EtzgZ=uhNSQuXg@mail.gmail.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Tue, 24 Oct 2023 07:32:09 -0500
Message-ID: <CACMsEX_SJPLqc1Jm4SqFEeokvnHM-Pa8vkQ3VpMN8uhYcSUBPg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Ole Troan <otroan=40employees.org@dmarc.ietf.org>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aa66ae06087587ff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/2P9zZs2UhDABDAOS8qWfo0T0_AU>
Subject: Re: [IPv6] I-D Action: draft-ietf-6man-rfc6724-update-00.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2023 12:32:25 -0000

On Tue, Oct 24, 2023 at 5:04 AM Ted Lemon <mellon@fugue.com> wrote:
>
> I hadn't had a time to read the new document until just now. Thanks for
pointing this issue out, Ole—I had thought that the plan was to require the
ULA/48<->ULA/48 automation suggested in 6724, not to just modify the table
to assume that any ULA <-> any ULA will always work. I agree that this is
incorrect.

IIRC, we had discussed making this a MUST and it was not a popular option.
I don't have the thread here in front of me but if I remember it was on the
v6ops list and was not well received. The issue is as Ole pointed out, the
wording is "Since ULAs are defined to have a /48 site prefix, an
implementation *might* choose to add such a row automatically on a machine
with a ULA.”, which as we detailed in
https://datatracker.ietf.org/doc/draft-ietf-v6ops-ula/ is an operations
non-starter in a non-trivial percentage of implementations. This makes that
design option exceedingly hard to implement and support, specifically on
kit that needs it (such as cameras, IOT, OT, and other embedded systems).
This approach was seen as a best case, short term given that ULA is by
design meant to be local. ULA to ULA that is outside of the /48 scope
perhaps *should* fail, by the current definition of how use is intended.
Then there is, of course, the fact that applications can still do whatever
they'd like (for example, older versions of Java disable IPv6 by default
and could, in theory, disable or require ULA use).

>> Ordered SA, DA pairs (winner at bottom):
>> 192.168.10.10 -> 198.51.100.121
>> fd00::1 -> fd00:dead:beef::1

>> Which isn’t necessarily going to work. For outside the ULA zone,
wouldn’t it be better to use global?

Probably. That feels to me like a caveat in the happy eyeballs section. In
the cases that a network is dual stacked and only has ULA, ULA will win but
fail, and in some cases HE will force IPv4 use (without the presence of an
IPv6 translator).
If we add that caveat, which is probably more of an edge case than a
typical deployment, would that be sufficient?

>
> On Tue, Oct 24, 2023 at 11:56 AM Ole Troan <otroan=
40employees.org@dmarc.ietf.org> wrote:
>>
>>
>>
>> > On 24 Oct 2023, at 04:09, Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:
>> >
>> > On 24-Oct-23 10:46, Ole Troan wrote:
>> >>>>> On Mon, Oct 23, 2023 at 4:29 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:
>> >>>>> On 24-Oct-23 05:32, Kyle Rose wrote:
>> >>>>>> Just to clarify one thing in my previous email (and in so doing
to further demonstrate how complex address selection is even without Happy
Eyeballs):
>> >>>>>>
>> >>>>>> Given an IPv6 destination address, SAS as currently formulated
*irrespective of any changes we make to the default policy table* will
return a ULA if that is the only v6 address the client has. As it should!
>> >>>>>>
>> >>>>>> My *preference* is for the combined DAS/SAS address selection
algorithm examining all the (source,dest) pairs for all of a host's A/AAAA
records to put the (v4,v4) pair before the (ULA,GUA) pair because I expect
the former to work and the latter to fail, for the reasons I mentioned.
>> >>>>>
>> >>>>> And that's *exactly* why we need a "NPTv6 present" flag that
defaults to False.
>> >>>>>
>> >>>>> With some mechanism for turning it on. As suggested elsewhere,
putting it in the router advertisement would be a good spot, because I'm
not sure deriving it empirically is the right approach either (since some
networks might enable NAT66 as fallback but with severe performance
penalties).
>> >>>>>
>> >>>>> But, to Nick's plea, also not for 6724bis.
>> >>>> We have a separate draft on NTPv6-bis.
>> >>>> I’m not at all convinced we need a flag for NTPv6.
>> >>>
>> >>> I'm totally convinced that we do, from trying to write code without
it.
>> >> Well, this email uses it as transport without the flag…
>> >
>> > I'm sure we can make anything work; my implementation of the flag
works by attempting a connection. The point of the flag is to ensure that
ULA->GUA is excluded from the choices unless it actually works. True, HE
will exclude it anyway but not all apps use HE. The more of HE's logic that
we can move to the kernel, the better.
>> >
>> > (Hmm. Being honest, I haven't actually tested the ULA->GUA success
path, because I don't have NPTv6 installed. But I do have NAT44 installed,
and the logic for RFC1918->Global IPv4 is identical.)
>>
>> Trying to read 6724 + 6724-update and deduce behaviour turned out to be
so tricky that I wrote a little 6724/update implementation.
>>
>> ULA -> GUA works the same for both 6724 and 6724-update:
>>
>> Sources:
>> [fd00::1, fe80::1, ::ffff:c0a8:a0a, ::ffff:a9fe:d4e]
>>
>> Destinations:
>> 2a02:26f0:4300:289::b33
>> 2a02:26f0:4300:28e::b33
>> 104.110.1.61
>>
>> Ordered SA, DA pairs (winner at bottom):
>> fd00::1 -> 2a02:26f0:4300:28e::b33
>> fd00::1 -> 2a02:26f0:4300:289::b33
>> 192.168.10.10 -> 104.110.1.61
>>
>> Both prefers v4 in this case. But HE takes care of that, so that’s fine.
>> With or without a flag, you’d like the implementation to try.
>>
>> With 6724-update, ULA to ULA will be preferred. And in the below example
since you are exiting the site, you’d also expect the implementation to
probe.
>>
>> Sources:
>> [2001:db8::1, fd00::1, fe80::1, ::ffff:c0a8:a0a, ::ffff:a9fe:d4e]
>> Destinations:
>> fd00:dead:beef::1
>> 198.51.100.121
>>
>> Ordered SA, DA pairs (winner at bottom):
>> 192.168.10.10 -> 198.51.100.121
>> fd00::1 -> fd00:dead:beef::1
>>
>> Which isn’t necessarily going to work. For outside the ULA zone,
wouldn’t it be better to use global?
>>
>> Which brings me to the main point:
>> "Since ULAs are defined to have a /48 site prefix, an implementation
>> might choose to add such a row automatically on a machine with a ULA.”
>>
>> Is from RFC6724. Why wouldn’t have this implemented be enough?
>> And push implementations to do this instead of respinning 6724.
>>
>> O.
>>
>>
>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email