IETF Logo Mail Archive

Re: [IPv6] New Version Notification for draft-bctb-6man-rfc6296-bis-01.txt

Mark Smith <markzzzsmith@gmail.com> Sat, 23 December 2023 03:47 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA93C151088 for <ipv6@ietfa.amsl.com>; Fri, 22 Dec 2023 19:47:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level:
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3zYlbr3RFbB for <ipv6@ietfa.amsl.com>; Fri, 22 Dec 2023 19:47:52 -0800 (PST)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA2D7C14F696 for <ipv6@ietf.org>; Fri, 22 Dec 2023 19:47:52 -0800 (PST)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-a236456fee1so301412766b.1 for <ipv6@ietf.org>; Fri, 22 Dec 2023 19:47:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1703303271; x=1703908071; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VNigw95vK4BoRraeZ4tTqtSQwUN06T3jFzeziFj7vGk=; b=Yn00hqU+dxNdavJD6OQCq2bAP1xDuLrkE43JjnWIUCm1ustSp0zRaFA7eB4cdmaSrR R1mEoPU77iHWSoB6F0g/liKLYwk+43rwiCAIHDXLlR5tmDDEKdh6Pc6FoMCRjZ+THB/a jfZifOCis0v2Pp47flYVcF+WAQlMX0hGwgQ++yLXRaY4x3W1ffbSq8/DwWPBMxNbJGoO vm8z+izBR8DKv+9mUTJlZGkVQnPDsmGhvGq0Y0sLoS2RaGhhET8R91UbndsDo/aXeAio esCUvGd0dvTEzjgCfU2oXdzmVGc8oRVeiJIcBUSNgrX6/ZNV/bdTV7d1E4rK0+672w/m ByOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703303271; x=1703908071; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VNigw95vK4BoRraeZ4tTqtSQwUN06T3jFzeziFj7vGk=; b=NCiy0DrGYbwQC0YwI+eaB5b5MWiZV+5w3yu1hV1EKNYWmYs4dpVp5DZ0wU7JqbDo+q GVRERXnG3BpyLtgB5asuYqdjO82woXruQvUZdDxCc2OoyT9A5kmR0VbyoWmzOWHexcyO 2wr/6I6a0Zkx/d8Rtn7+2opgR4tlzMVXlUGeZRZq0HVqe8n3jhmdQHKdaOO3eM8cHeR6 KtSvm3OkEGZsDgtUIYRt5Afj1icqbAj4g9WYiYsgB8+wa8pBTjA14sktDk+xzTqLqaFs x8+cbiYbHmA45OlLI6WvDp50Roa6TmxtmWcp9BB3pKsmHTr/kgpAjC4drnAk+kXU8qLS GrOA==
X-Gm-Message-State: AOJu0Yw+mWpQul48Awm6wIZ7/UJfPyLKECSlAK9Jh0Dc13BzMpfqv00b zt1IZc2U3/qrq5sq4J+vTVBcVSavHYJzXCvbSHxbF9BmBKA=
X-Google-Smtp-Source: AGHT+IHB0EfNxWqzf0u7usYzDZcONoUkpRzcjthEMH0O52WOCdgaBl0Gw0s6A82OzCPi2MwvYz4MDhmbxLEfwwABdqY=
X-Received: by 2002:a17:906:73dc:b0:a26:d98d:4ce0 with SMTP id n28-20020a17090673dc00b00a26d98d4ce0mr37395ejl.108.1703303270848; Fri, 22 Dec 2023 19:47:50 -0800 (PST)
MIME-Version: 1.0
References: <PH0PR11MB75221420F76CDF5FA9D68DBBC981A@PH0PR11MB7522.namprd11.prod.outlook.com> <B405457D-1516-4276-976A-BDFAAFD36595@employees.org> <1e350795-3275-8e63-c5a3-5805e9338efb@gmail.com> <23FE0B91-384F-459E-AF14-6E3297F05844@employees.org> <03708c83-cd29-5ce9-dd03-1b485bf70e63@gmail.com> <1DC0F823-E757-4C4C-BE58-69F7BF872A36@employees.org> <fd87e5ad-39c4-4f6a-a6df-e7437ba55c75@gmail.com> <4766F17C-A58A-4C92-A430-CCDD0DBCBFFF@employees.org> <CAO42Z2xThbnaVFpoR9guZzwsVYva-9o1C-qE9fRi-GGc2+pM7Q@mail.gmail.com> <1C599541-E072-47F3-B951-DED5EA6277CE@employees.org>
In-Reply-To: <1C599541-E072-47F3-B951-DED5EA6277CE@employees.org>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 23 Dec 2023 14:47:23 +1100
Message-ID: <CAO42Z2xkAtEijqgFE8RDXagtqqFCanQv_uEEhfQB6ECPj6x2Sw@mail.gmail.com>
To: Ole Troan <otroan@employees.org>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000675a2f060d2532ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/2x7wmueJHUXt9NY65Z_qDC_muCc>
Subject: Re: [IPv6] New Version Notification for draft-bctb-6man-rfc6296-bis-01.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2023 03:47:56 -0000

Hi Ole,

Sorry not to get back to you sooner.

On Thu, 7 Dec 2023, 00:06 Ole Troan, <otroan@employees.org> wrote:

> Mark,
>
> Your email reads like you are arguing against NAPT66, not NPTv6.
>

I'm arguing against NPTv6.

(I"m glad you've used "NAPT66", I've been a bit confused by people using
NAT66 to refer to something different to NPT because to me "NAT" means 1:1
(from RFC 2663), so I read NAT66 as NPTv6, where as NAPT(44)/(66) is
1:many).


> NPTv6 is transport layer agnostic. And provides a static 1:1 mapping
> between inside and outside addresses.


> RFC6296, section 5 goes into details on application considerations for
> NPTv6.
>

Okay, I think I've missed or forgotten the later 5.2 section that mention
STUN, TURN etc., possibly because I would have expected the main and pretty
comprehensive "5.  Implications for Applications" text to mention the work
arounds like STUN etc., and then the next 5.1 section is about networking
issues, which tends to imply that application issues have been fully
discussed.


> Would you mind restating your points in that context?
>
> Btw, do you have a particular application in mind, it would be a useful
> exercise to see what it would take for it to work with NPTv6.
>


VoIP SIP and gaming traffic are two examples, as are servers inside/behind
the NPT.

There have been SIP over IPv6 implementations for quite a long time. SIP
handsets register their own addresses with the SIP servers.

Xbox uses peer-to-peer communications over IPv6.
https://archive.nanog.org/sites/default/files/wed.general.palmer.xbox_.47.pdf

Once there is a possibility of NPT then those two major applications will
have to implement STUN/TURN, and STUN/TURN servers will need to be
deployed, a deployment burden that doesn't currently exist with IPv6
without NPT.


Some sort of server behind NPT e.g. WWW server becomes an issue with DNS if
NPT has been deployed for redundancy. Either both post NPT GUA addresses
for the server have to be put in DNS, with the issue of an unreachable DNS
entry of one of the NPT redundant links fails and the corresponding long
time outs. Dynamic DNS updates from the server to remove the unreachable
isn't possible without STUN/TURN and some way for the server to detect the
NPT link failure event.


I think application developers will choose the most likely to work as well
as simplest application communications architecture.

In the possible presence of NPT (or NAT of any type), that is always a
client-server architecture, even when a peer-to-peer architecture would
better suit the application.

It's always client-server because clients that are likely behind NPT don't
have to implement STUN/TURN, and there doesn't have to be STUN/TURN servers.

For servers, it's simplest if the server is on the IPv6 Internet and the
server has a direct GUA address.

This is what I was getting to regarding NPT (NAT) encoding two classes of
devices at the network layer, and also encouraging Internet centralisation.
Devices likely behind NPT will be easiest to treat as application clients
only, never or rarely application peers or servers, and servers will be
most easily deployed on "outside" of NPT, i.e. on the Internet with PI GUA
addresses, likely at centralised cloud providers.


Regards,
Mark.








>
> Best regards,
> Ole
>
>
> >> Brian,
> >>
> >> Just on the ALG point.
> >>
> >
> > Related to applications, it needs to be pointed out that if
> > applications wish to benefit from a more direct peer-to-peer style
> > communications model, where the peers are located on the "inside" of
> > the NPT device, applications will need to implement one or more of the
> > following NAT traversal RFCs. As there is no way to detect the
> > presence or not of an upstream NPT device without implementing these
> > protocols, it becomes necessary to implement them in all peer-to-peer
> > communications model applications just in case there is an NPT device
> > present in the communications path.
> >
> > RFC 8445, Interactive Connectivity Establishment (ICE): A Protocol for
> > Network Address Translator (NAT) Traversal
> > RFC 6544, TCP Candidates with Interactive Connectivity Establishment
> (ICE)
> >
> >
> > There probably also needs to be some discussion about how NPT creates
> > two classes of hosts at the network layer, where the boundary between
> > the host classes occurs at the NPT device.
> >
> > Class 1 are hosts outside of the NPT device, meaning holding GUA
> > addresses that are not translated, and can therefore host applications
> > that follow client-server, peer-to-peer or a mix of those two
> > communications models, which ever suits, without applications having
> > to implement NAT traversal protocols.
> >
> > Class 2 hosts are those that are inside the NPT domain, meaning
> > holding addresses that are translated by the upstream NPT device e.g.
> > ULAs, and can only, by default, host the client component of
> > applications that follow a client-server model, when communicating
> > with the server component residing on hosts that outside of the NPT
> > domain, unless the application also implements the above NAT traversal
> > protocols.
> >
> >
> > Finally, because NPT creates a client only class of hosts, and imposes
> > a client-server model on applications residing on those hosts, it is
> > also codifying centralisation of the Internet, because it is encoding
> > at the network layer a default model of private addressed
> > clients/public addressed servers model over the Internet.
> >
> > (I won't be all that surprised if the following happens if NPT goes
> > standards track:
> >
> > - CGNAT vendors will implement it, because they will want to continue
> > to provide their customers with a post-IPv4 "solutions".
> >
> > - They will have a couple of ways to sell the deployment of CGNAT NPT:
> >
> >        - to facilitate flash renumbering of residential customers,
> > which would mean customers will be provided with ULA prefixes by
> > default rather than GUA prefixes.
> >
> >        - to create what would be an artifical public IPv6 address
> > upsell from a default of private addresses, similar to the IPv4
> > address public address upsell model that exists today (that isn't
> > artificial due to IPv4 address scarcity).
> >
> > That means residential and SOHO customers will cease to have GUA
> > prefixes, meaning their hosts will become Class 2/clients only by
> > default.)
> >
> > Regards,
> > Mark.
> >
> >>>>> I imagine that pushback will continue. In order to make the
> discussion rational rather than emotional, I think the "NPTv6
> Applicability" section needs major work. There are generalisations like
> "similar ALGs may be required for these applications to work through NPTv6
> Translators" and "creates complexity for DNS deployment... 'split DNS',
> which may add complexity to network configuration". I think that text needs
> to specify the necessary mitigations and give normative references.
> >>>> I kinda like the general text in the applicability section.
> >>>> What do you think about adding a separate Application Level Gateway
> section with text similar to:
> >>>> https://datatracker.ietf.org/doc/html/rfc4787#section-7
> >>>
> >>> Sure, as long as the general statements are supported by concrete
> technical details that's fine. I see that RFC4784 is a valid BCP, but it's
> scoped for UDP so that's a bit limiting.
> >>>
> >>> And then I have to wonder if any of the updates in RFC7857 are also
> relevant, although it explicitly excludes IPv6 from consideration.
> >>>
> >>>> ?
> >>>> Stating that ALGs if implemented should default to off. Don’t know if
> that text can be updated to say something along the lines of modern
> application protocols not including IP address references?
> >>>
> >>> Maybe, but of course that still leaves legacy protocols. Maybe we need
> ART area advice on that?
> >>
> >> I don’t think so. NPTv6 is transport layer agnostic, and does no TCP
> state tracking.
> >>
> >> What do you think about this paragraph for ALG considerations:
> >>
> >> "7.  Application Layer Gateways
> >>
> >>   As explainined in [RFC5382] and [RFC4787] Application Layer Gateways
> >>   (ALGs) interfer with UNSAF [RFC3424] methods or protocols that try to
> >>   be NAT-aware.  NPTv6 is designed to be transport layer agnostic and
> >>   an ALG would be incompatible with this design and the checksum-
> >>   neutral mapping.
> >>
> >>   It is RECOMMENDED that an NPTv6 translator does not include ALGs.
> >> “
> >>
> >> Cheers,
> >> Ole
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
>
>
>

v2.23.0 | Report a Bug | By Email