IETF Logo Mail Archive

Re: [IPv6] RFC 6724 shouldn't prefer partial reachability over reachability

Nick Buraglio <buraglio@forwardingplane.net> Mon, 13 November 2023 15:10 UTC

Return-Path: <buraglio@forwardingplane.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C8E4C14CF01 for <ipv6@ietfa.amsl.com>; Mon, 13 Nov 2023 07:10:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forwardingplane.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NBk8UnwzVBDP for <ipv6@ietfa.amsl.com>; Mon, 13 Nov 2023 07:10:29 -0800 (PST)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C5E4C14F747 for <ipv6@ietf.org>; Mon, 13 Nov 2023 07:10:29 -0800 (PST)
Received: by mail-qt1-x829.google.com with SMTP id d75a77b69052e-41cd8bd5727so27015111cf.3 for <ipv6@ietf.org>; Mon, 13 Nov 2023 07:10:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardingplane.net; s=google; t=1699888228; x=1700493028; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+70x41U1Irl5VIKedABuhfW1yHoRX+hTHAtjVyCfR44=; b=ORJA0lmoNJ/lI9TU6DY7PvGvujbw4xcSITRoZLV36PfKSQeEFFfXjSHSqE8590qPyq OkC2wF4YsHyeBjHEjWadJzuV0lGgGmuU9xe05kDW7ka4s7HdMfhb6vF7GGvOF/Ksys/T d4px9/eFv2Y5hLRYh2HLXT6cQQN9Hu2vQX+/w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699888228; x=1700493028; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+70x41U1Irl5VIKedABuhfW1yHoRX+hTHAtjVyCfR44=; b=YQMVEIbsotBQJN29tps0lwPRRLiTmcwJO+q+C/jHBkBMSZL2ijQ/7NGdNIha7gcjeT r17XsF2OzDRWvmkZFtcpZ5aUXOLdG3CCmWMjoQS7F8j31T7npv5IBvQecpLgRZTRF2Tb IHh9lofvqMRYrcQxAMOCgikLxdISZuj6XtatodOOEJGPHJlbzRb1FxWjBJlFgfVpGhFV V2LXuRNWMICE+yTj6yxsKtvf7rkQ4DDddp+N8/EMROLqgXErIGjSqY2Nwdm1/MIu8faJ umEwR9vUcOjHUD5LadMG/eIVKx+F0Zi+M1KrNmdXJBGoUn1eO9TQdedS+orNjywbSpDJ j7Cg==
X-Gm-Message-State: AOJu0YyWZprPSJd/VlJ7XFySUYQ4lI24TBCBxkH4ugewenwRcHaUr59n 4v+4jAmm4UEqVIe2US/KEGZeYNG4wrkeCQCyMGgiGGkbi+hmLGtRqMi3+g==
X-Google-Smtp-Source: AGHT+IE4+Ts3v1BdfFmyIPtU1YRmk2Wl30P4qeeuaQZmBEN4U1fUMcn3r7hl5yZ8MN2GJ3JOp4FCcrl0rZQQDUKwXSo=
X-Received: by 2002:ac8:5f06:0:b0:41c:bad9:6045 with SMTP id x6-20020ac85f06000000b0041cbad96045mr9714096qta.14.1699888228147; Mon, 13 Nov 2023 07:10:28 -0800 (PST)
MIME-Version: 1.0
References: <CAKD1Yr2uD+XE+HA6vs3BfEchpWr5H2NEeoXLrXm7-U9_ckw1sA@mail.gmail.com> <CAN-Dau2Nw21wUm-mjxq3bnYczPJbApVhcZZ6oie+HiB4yvr_PQ@mail.gmail.com> <CAKD1Yr1z2x8iKXYQtPVifj-XkP7MeRq=NWe0gdWBGC1aS_j0Mg@mail.gmail.com> <CACMsEX8f_qmpZ898vKLy_56Jy1WKEju94fYEz5fuV4Pc3iJ=tw@mail.gmail.com> <CAKD1Yr1tZa0W=617hQrgYYqmUbfgFp7EhmvgqKzaBvF=r=5FuA@mail.gmail.com> <CAJU8_nUOjrO5FPPXTCNeA-9YuSPT7SmGkiM82DGiMacyfntV6w@mail.gmail.com> <CAN-Dau0FP31h3s+Fzbam7GJg-rNGsX3m8Hx3k=+895NT0a4iqw@mail.gmail.com>
In-Reply-To: <CAN-Dau0FP31h3s+Fzbam7GJg-rNGsX3m8Hx3k=+895NT0a4iqw@mail.gmail.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Mon, 13 Nov 2023 09:10:17 -0600
Message-ID: <CACMsEX8J8nGJKX9nUvev_H_zsEmznwKUU-xZyJzubybbCeK-_Q@mail.gmail.com>
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>
Cc: Kyle Rose <krose@krose.org>, IETF IPv6 Mailing List <ipv6@ietf.org>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ff37bb060a0a1126"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/36ryyUpXUibENaXiFpOKj4AXzyQ>
Subject: Re: [IPv6] RFC 6724 shouldn't prefer partial reachability over reachability
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2023 15:10:33 -0000

On Mon, Nov 13, 2023 at 8:56 AM David Farmer <farmer=
40umn.edu@dmarc.ietf.org> wrote:

> So if it is ok to mitigate DNS misconfigurations with border ACLs and
> Routing information in the routers delivering ICMP Destination Unreachable
> messages to hosts, using Happy Eyeballs racing different options, and
> advising people not to put ULAs in the public DNS, then why is it NOT OK to
> use some of that same information to make a first cut at which ULA /48s are
> local or not on the host?
>
> To be honest, this is a big enough problem that we should be using all the
> tools in the toolbox to solve it.
>
> Preferring known local /48s in the host's policy table doesn't eliminate
> the need for other mitigations, but as Lorenzo points out, those other
> mitigations have a cost, too. Why incur those costs %99.9999 of the time
> when there is no hope for reachability in the first place? And, Mark, I
> hear you. ULAs must be preferred above GUAs, but why prefer the %99.99999
> of ULAs that will never work anyway?
>
> We need;
>
> I agree with all of these.


> 1. ICMP Destination Unreachable messages from ACLs and routes in the
> routers, RFC 4193 Sections 4.1 and 4.3
>
> 2. Happy Eyeballs, RFC 8305, and maybe it needs some tweaks
>

This could be an opportunity for HE3 draft that is now in v6ops, perhaps?

>
> 3. Advice to not put ULAs in Public DNS, RFC 4193 Section 4.4 But we need
> to include options to instantiate local DNS properly. Just saying "DON'T DO
> THAT" isn't good enough.
>
We could add some verbiage into this update to say the same, but updating
4193 is  another task altogether.

>
> 4. Prefer only known local ULA /48s in host policy tables, beefing up
> Section 10.6 of RFC6724.
>
We could add some more text to reflect that, too.

>
> I think it’s not one or the other; we need to do all four of these.
>

Right, and we have to take a first step to start that trip, which is what
this draft is proposing. We also can't expect to address every possible
corner case, that is a sure-fire recipe for decision paralysis.
A great deal of what we've been discussing is fairly edge case and/or
subjective (e.g. dns implementation specifics). We very much should not
make the perfect the enemy of the good, especially when we have a fairly
large task.

Most of what I am reading both literally and between the lines is that this
is a recognized impediment to moving to a more v6-first world, and that's
good because that's what we're proposing and I think that's the goal of
this group. We will see if we can get some test results out this
week, hopefully that will alleviate some concerns.

>
> Thanks
>
>
> On Mon, Nov 13, 2023 at 05:13 Kyle Rose <krose@krose.org> wrote:
>
>> On Sun, Nov 12, 2023 at 8:02 PM Lorenzo Colitti <lorenzo=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>>> If we don't do this, RFC 6724 will make the wrong decision most of the
>>> time in the IPv4+ULA case. IPv4 addresses have global reachability and
>>> hosts can safely assume that they will work. ULA does not have global
>>> reachability, but this proposed change sort of assumes it does. "Don't put
>>> non-local ULAs in DNS" isn't a great answer, because DNS is not the only
>>> way that hosts get addresses.
>>>
>>
>> Maybe not, but it's overwhelmingly the most common mechanism for service
>> discovery between hosts with no pre-existing relationship, and putting ULA
>> into a DNS horizon (public or otherwise) from which the addresses are
>> unreachable is a misconfiguration. (Notably, getaddrinfo is also the most
>> common place the address selection algorithms described in 6724 and
>> predecessors are implemented, and getaddrinfo is tightly coupled with DNS,
>> so it makes sense that we're mostly focused on DNS in this discussion.)
>>
>> But also: does the mechanism of leakage matter? I frankly don't
>> understand why any exposure of unreachable ULA to a host should be
>> considered anything other than a misconfiguration. Even time-bounded
>> inconsistency like a local caching resolver handing out now-unreachable ULA
>> after a device moves networks seems like a bug: the OS should flush the
>> resolver cache, or at least those entries learned from the changed
>> interface, when this happens.
>>
>> I would like some examples of ULA leakage that you don't consider to be
>> misconfigurations. Until then, my conclusions remain as before:
>>
>>  - You should have a route to any ULA you are attempting to use, and if
>> you don't, that's a misconfiguration.
>>  - Attempting to mitigate every such misconfiguration via mere passive
>> address selection is futile.
>>
>> I'll note that mitigations are the whole purpose of Happy Eyeballs.
>>
>> "Rely on happy eyeballs" isn't a good answer either - HE always has a
>>> latency cost, and also, many applications and OSes don't implement it
>>> (example: java applications; most Android apps).
>>>
>>
>> Seems like something the OS or protocol stack could provide as a service
>> in most cases, rather than relying on applications to implement it.
>> Regardless, IMO it's perfectly reasonable for applications to misbehave
>> when the network is misconfigured: operators should fix their networks.
>>
>> Also: *this failure mode doesn't exist in RFC 6724 today*. Generally, if
>>> you follow the rules in RFC 6724 you'll get something that works
>>>
>>
>> 6724 and the proposed changes work or not under the same  circumstances:
>> whether the selected destination address is routable or not. You could just
>> as easily leak an unroutable 1918 address as you could leak an unroutable
>> ULA. Both are misconfigurations.
>>
>> Kyle
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email