IETF Logo Mail Archive

Re: [IPv6] Suggestion for multi homed clients without NAT/NPT

"Philipp S. Tiesel" <philipp@tiesel.net> Fri, 06 January 2023 14:09 UTC

Return-Path: <philipp@tiesel.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9661C14F748 for <ipv6@ietfa.amsl.com>; Fri, 6 Jan 2023 06:09:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rfZJ1DCIlBwa for <ipv6@ietfa.amsl.com>; Fri, 6 Jan 2023 06:09:05 -0800 (PST)
Received: from einhorn-mail-out.in-berlin.de (einhorn.in-berlin.de [192.109.42.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAC4EC14F725 for <ipv6@ietf.org>; Fri, 6 Jan 2023 06:09:02 -0800 (PST)
X-Envelope-From: philipp@tiesel.net
Received: from x-berg.in-berlin.de (x-change.in-berlin.de [217.197.86.40]) by einhorn.in-berlin.de with ESMTPS id 306E8x302826039 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Fri, 6 Jan 2023 15:09:00 +0100
Received: from p200300ed5f1232005882383991c01daf.dip0.t-ipconnect.de ([2003:ed:5f12:3200:5882:3839:91c0:1daf] helo=smtpclient.apple) by x-berg.in-berlin.de with esmtpsa (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <philipp@tiesel.net>) id 1pDnP1-0003ct-Lg; Fri, 06 Jan 2023 15:08:59 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.3\))
From: "Philipp S. Tiesel" <philipp@tiesel.net>
In-Reply-To: <6fa6cd37-d64f-b05f-89b9-668b048d06d6@gmail.com>
Date: Fri, 06 Jan 2023 15:08:49 +0100
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, 6man <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <04E5CCF4-1817-472D-BC5A-28BABFA2AF56@tiesel.net>
References: <b3742e2b-6472-9eb4-bee2-507fa8cdf4c6@posteo.de> <05ed3426-7731-baef-44a1-6fc50ce69a5b@gmail.com> <9586.1672523456@localhost> <14437462-8E95-4554-A4A4-A83E08382439@tiesel.net> <9192.1672934804@localhost> <6fa6cd37-d64f-b05f-89b9-668b048d06d6@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.3731.300.101.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/8rkHXkZL7xZcLYnIonlTSgkYA9E>
Subject: Re: [IPv6] Suggestion for multi homed clients without NAT/NPT
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2023 14:09:08 -0000


> On 6. Jan 2023, at 05:17, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> On 06-Jan-23 05:06, Michael Richardson wrote:
>> Philipp S. Tiesel <philipp@tiesel.net> wrote:
>>     > I did my Ph.D. on that topic and called it Happy Eyeballs on Steroids.
>>     > Most results went into the TAPS WG… maybe have a look at
>>     > - https://datatracker.ietf.org/doc/draft-ietf-taps-arch/
>>     > - https://datatracker.ietf.org/doc/draft-ietf-taps-interface/
>>     > - https://datatracker.ietf.org/doc/draft-ietf-taps-impl/
>> Very cool.  I will read them. I didn't know TAPS was doing this, and I
>> suspect that few in 6man know either.  Maybe a 5 minute presentation is in order.
> 
> From a very superficial dive into those drafts, it seems that there is no
> explicit discussion of *why* a transport entity might have several addresses
> and how their usage interacts with routing (starting with choice of default
> router). I guess TAPS would say that's out of scope, but I also guess that
> 6MAN and V6OPS would need convincing that the TAPS approach will solve
> our problems.

Okay… I guess we need to carefully sort things here:

- Source-Dest-Routing incl. auto-configuration is a pre-requisite for any
  endpoint based multi-path or multi-homing solution…
- The Happy Eyeballs (on steroids) approach is one good way to make
  use of multi-homing on connection establishment.
- TAPS is an abstract API/architecture that is (among other things) targeted
  at making Happy Eyeballs (on steroids) seamless for the application and 
  the default for connection establishment

So all of the above can sum-up to one possible solution.

> Just saying we'll aggressively use happy eyeballs reminds
> me of the practical issues of using SHIM6, which amounts to a different
> kind of happy eyeballs. Neither will work unless the site supports source
> routing, to put it simply.

That is true, but sadly not really implemented and active on all major platforms.
 - I just verified that MacOS does it by default, 
 - Linux can do it, but last time I checked fails to auto-configure it.
 - I haven’t tried Windows on that recently 

> 
> See https://datatracker.ietf.org/doc/html/draft-naderi-ipv6-probing-01
> 
>> Philipp S. Tiesel <philipp@tiesel.net> wrote:
>>     > I am convinced RFC 8028 would also be a great start for clients with
>>     > multiple default routes, e.g., enabling stuff like multi-path TCP to
>>     > work correctly, but it will not be sufficient for meaningful
>>     > multi-homing / source address selection.
>> Do your IDs explain why?
>>     > In addition, to avoiding problems with CDNs, it is also  required to
>>     > separately keep track of DNS on a per-router/PvD basis and only use the
>>     > matching source addresses for new connections, so RDNSS should also be
>>     > treated analog to the source address in RFC 8028.
>> I'm surprised to hear this.  I'm not convinced that PvD are a good idea, I
>> think that they represent IPv4 thinking, and I think that there are better
>> ways to do this in IPv6.  So I'm curious to understand how they are connected.

PvDs allow you to decide whether two networks a host is hooked up to are
“the same network”, e.g., Wifi and wired access to the same corporate network,
and to get some properties about like “It’s a corporate VPN for the following domains”
or “It’s an expensive cellular fallback”.

While RA preferences allow our to select one/multiple same-weight defaults, 
PvDs can give you semantic information that is useful in a network policy.
In the end, PvDs are useless without an TAPS-like API/architecture that smartly
couples name resolution and source+destination address selection.

So, why do we need to separate DNS replies on a per-PvD basis?
- Some host names might not be resolvable in public DNS
- Some dst-addresses are not reachable from every part of the Internet.
  Especially for CDNs, thats’ fine – I really should not try to use a
  CDN cache within ISP A from a source served by ISP B.

>>     > Having tried to manage traffic from within getaddrinfo() I can only
>>     > recommend to abandon that idea.
>>     > A lengthly write-up why can be found here in Section 6 of this expired
>>     > draft:
>>     > https://datatracker.ietf.org/doc/html/draft-tiesel-taps-socketintents-bsdsockets-02
>> Thank you. I agree that it can't be done properly in getaddrinfo().
> 
> We all agree on that, I think (and also see the discussion on ULA
> usability). But the Internet runs on getaddrinfo() and we can't
> expect that to change for many years, even if TAPS is a brilliant
> success.
> 
> So Eduard's question remains for the time being: how do we achieve
> appropriate source and destination address selection with only the
> socket API to help us?

The answer is depressing: Not at all for the majority off applications.
Stuck with the BSD socket API and it’s resolver library, there is 
no way of linking DNS-replies to default-routes/PvDs. 

There may be one exception: Given the amount of DNS and networking code
in modern Web browsers (incl. their own DNS stack), these might be able
to make some use of source and destination address selection based 
on the insight gained from their own internal DNS resolver.
Once the application has somehow managed to do source and destination
address selection and given we have source-dest-routing working,
s=socket(); bind(s, src); connect(s, dst); is sufficient.  

This is a really hard cross-silo problem ;-)

> 
>   Brian
> 
>>     > The only way forward I see is something like TAPS and Appel’s
>>     > implementation is already pretty close what it would needs to make use
>>     > of multi-homing here. They just need a litte more
>>     > aggressive/opportunistic happy eyeball candidate selection.
>> Is there a FAQ on how to play with this code?
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>            Sandelman Software Works Inc, Ottawa and Worldwide


AVE!
   Philipp S. Tiesel

--  
Philipp S. Tiesel
https://philipp.tiesel.net/

v2.23.0 | Report a Bug | By Email