IETF Logo Mail Archive

Re: Network merge [Re: RFC6724-bis?]

Nick Buraglio <buraglio@es.net> Mon, 26 September 2022 12:40 UTC

Return-Path: <buraglio@es.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B939C1522BA for <ipv6@ietfa.amsl.com>; Mon, 26 Sep 2022 05:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eXE2TiBIpC4i for <ipv6@ietfa.amsl.com>; Mon, 26 Sep 2022 05:40:11 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C30DCC14CF10 for <ipv6@ietf.org>; Mon, 26 Sep 2022 05:40:11 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id rk17so592444ejb.1 for <ipv6@ietf.org>; Mon, 26 Sep 2022 05:40:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=content-transfer-encoding:cc:to:subject:message-id:date:from :reply-to:in-reply-to:references:mime-version:from:to:cc:subject :date; bh=2Jh8ekAFdnLYT8zjaXd7F3sm2Qx0n7IRs8Nu3uqagAE=; b=ULJ+cGt+BSvWvmJTajJJe0SX+e320O6ywEwz0/QjA3OFJF2St9l5Ai6G+Tj45SX5c6 8bD9vugefpYrhSKtfQD6I6qKYp4t1PUSp8uV3MP8vrW70YSuSm1WiylmoOneDp6yGd8G gIuAOMi9Xi51kgixv3mq5iFnlc+jPvEK+gMJt1xDJaf8yma0jU3Us+Owgfa2b0eHxwOl 5znAXbwVPefRtWB3PY+Fhfq3RUOytW5EWJMJai5mivHig4It5ayULJMWV6IByrfXhDT8 LLiJW6OcCtvroFi3KPfstbanSP/cm/Xw1ru8t0+7l2lBb0ydnd8ano7xv0dQyix5UmMT wFAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :reply-to:in-reply-to:references:mime-version:x-gm-message-state :from:to:cc:subject:date; bh=2Jh8ekAFdnLYT8zjaXd7F3sm2Qx0n7IRs8Nu3uqagAE=; b=NDGnrMIQctYE6Jvb4FCspC2uM/1wJfAquMwd+Pq7TLWH9r1NZl07hJhiscY3W7NNbX I1sODMTna4Xzy45LVL7KSFdD/ygcZw3aHJU1UoBFOJM0W55lKE4s7oA7Zj3g6Xk7U2FT SjBVACLutpt7yvjkB7aBoUEFbGV+O0tOIhCPxBlJVmO8pIjw0dmh+8yqIKag3t2CTTG6 UEW5N+qLD/vEFKP9V/H4xeDYKVmCbXTeqo37OszeoaEv+Qwn7GP4muANXAuEEYy2Uuhy pkcT+X4X5ZQPsffNjA1tZ8A7X26u83LNsWP2kRVoKTp35gGC2i48AfrI5C7WnOZ0s3ec 4kQw==
X-Gm-Message-State: ACrzQf02Y0xEOG9A70W0LPuL0Bl6FHCOxi5U4AsKPUHa/43x3ArtcCJX HhSgPrbsExvuSHjrv6w+RGnwsrLCkCfVh0POWzWnRJ1MwaDot6Ale6918jvgNp4sNWIJ8X2y4Gn nbzdlic3HR9/YFdz9O4qD4R6ACLHnkoLmNO8iChT4d5Xo2FOWJQ3mxr79Se/uUvI+Hs6WklY7TR tNSg==
X-Google-Smtp-Source: AMsMyM7Xct7cfQYGBlHTxNKs2KN41Q7pSkjEjis6kYhTAsiOv/yCgkJhn/d9ZDoPNCkJTIawT+Hrfhe0d0ZNyFFmTlM=
X-Received: by 2002:a17:906:847b:b0:773:db0f:d533 with SMTP id hx27-20020a170906847b00b00773db0fd533mr18479981ejc.0.1664196009558; Mon, 26 Sep 2022 05:40:09 -0700 (PDT)
MIME-Version: 1.0
References: <66892DC8-6DA4-4DC8-85B0-E1E1647CD9F7@gmail.com> <CAPt1N1=xR_2Xw+1KL6vbzZ69N+vonhcTNvO=DBceeApfoS2bMQ@mail.gmail.com> <e76267b6101146cf8a1bd6fa567c6b77@huawei.com> <CAN-Dau2QO5sxevJwUbOj+_wyiCdOjnPEZM14Jhevvkq4YZqU7Q@mail.gmail.com> <bc85e623-ef89-d2e2-4e33-b8ce0a4ec343@gmail.com> <CAN-Dau0Wbki6xwcEdy8ZK-pO9jeT6+8TKZgbmXWUgnkR+dRhBg@mail.gmail.com> <CAPt1N1=OmC+HNVGWbgj9JtGbpcuzKOgjZ1KXJm5mXgpji-G4Mw@mail.gmail.com> <6edcc5d8-edf1-51de-103c-a4ac6060fef6@gmail.com> <29689d645d22409b962f6c361d71e098@huawei.com> <CAN-Dau3rwi4X4NqLbHMmPQQ=i7y23Kz70JK09ggsXSxkJfT5xA@mail.gmail.com> <bf7c7d74cc7744ef8ded7d043ceb3e5e@huawei.com> <CAN-Dau0=LD9MTYKJQoSw=b9S25nmrNuqRSyLdsztFZscG8ZbUg@mail.gmail.com> <CAPt1N1kjOWh8R70pNO0eH9EJUH-v6HyxGMqxpy0N2hydHN33LQ@mail.gmail.com> <CAM5+tA9mqjrtq3pTggv1pA4fOYXUODkZHy74vs8cffVOrBefbQ@mail.gmail.com> <0b6886d3-5ea9-0a1d-8b16-4e17daeb6924@gmail.com> <CAM5+tA9dAjh0MTRG3922xTe3_aChHFa9AYCFCGmt395KwuvBYA@mail.gmail.com> <cd26ae80-2569-6134-c8b0-247c3b4e32ef@gmail.com>
In-Reply-To: <cd26ae80-2569-6134-c8b0-247c3b4e32ef@gmail.com>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Mon, 26 Sep 2022 07:39:58 -0500
Message-ID: <CAM5+tA84OJNnvfgbgxYnVj-sxuwbqTLXnTGD2qgcb89ueO8r-A@mail.gmail.com>
Subject: Re: Network merge [Re: RFC6724-bis?]
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man WG <ipv6@ietf.org>, David Farmer <farmer=40umn.edu@dmarc.ietf.org>, Ted Lemon <mellon@fugue.com>, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EwFUNhQeOqL3BkaTGO7Mny7v8eY>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 12:40:16 -0000

----
nb

On Sat, Sep 24, 2022 at 3:38 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> Just focusing on the corner case:
>
> On 25-Sep-22 07:47, Nick Buraglio wrote:
> >
> >
> > On Fri, Sep 23, 2022 at 8:12 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>
> ...
> >     But there is still a corner case: if two networks using ULAs are
> >     merged, and the necessary routes are installed, the individual
> >     hosts would still need manual intervention. A high precedence for
> >     fc00::/7 would avoid that.
> >
> >
> > At least to me at this time it seems that although this use case is real, it should just be noted as an edge case that is out of scope.
>
> I think we need to say a little more, since the network merge case was one of the original motivations for ULAs in the first place (otherwise, statistical uniqueness has no real value).

Fair point.

>
> At least, we need to say that in the case of a network merge, human intervention to configure ULA precedence will be needed. I still find that unsatisfactory, since the idea was always that unplanned merges might happen (in unmanaged networks, not in enterprise networks). If we decide to leave that unsolved, I think we'll be back to this problem later.

Also a good point.

>
> Now as to how to fix this without a global precedence for ULAs, I am wondering about a PIO with L=0 and A=0 (exactly as recommended in RFC 8028, but for other reasons). If a host sees such a PIO for a ULA prefix, it could serve as a signal that the prefix is to be given a suitable precedence, even though it is not on-link and not used for SLAAC.

This feels like a really good, achievable solution. What I was hoping
to avoid was structural changes that would take forever to implement -
especially given the lackluster track record for existing
implementations involving the GAI file -  I think the PIO option
avoids that.

>
> (Credit where credit is due: Ted Lemon suggested this.)

Indeed, it is a smart idea.

>
>     Brian
>
> > Anything more is changing the conversation to a much larger change. Given the intention of ULA was always centered around /48, it seems right to keep that focus. As always, I’m totally willing to be convinced otherwise, but the two changes I mentioned in my last email feels like the right path.
> >
> >
> >
> >           Brian
> >
> >      >
> >      >>
> >      >> On Fri, Sep 23, 2022 at 6:10 PM David Farmer <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>> wrote:
> >      >>>
> >      >>> To be honest, I don't understand the nuances of RFC 6724 well enough to judge what may or may not break by changing the priority for the whole ULA prefix (fc00::/7).
> >      >>>
> >      >>> RFC 6724, section 10.6, states the following;
> >      >>>
> >      >>>     By default, global IPv6 destinations are preferred over
> >      >>>     ULA destinations, since an arbitrary ULA is not necessarily
> >      >>>     reachable:
> >      >>>
> >      >>>    .....
> >      >>>
> >      >>>     Since ULAs are defined to have a /48 site prefix, an implementation
> >      >>>     might choose to add such a row automatically on a machine with a ULA.
> >      >>>
> >      >>> I've been told that implementations that follow the suggestion quoted above don't have the problem we are discussing. Therefore, I think the most conservative change to RFC 6724 is to change the above from a suggestion to a mandatory and automatic feature. This really doesn't change how RFC 6724 operates, and I feel this change is completely consistent with RFC 6724. It's not likely to break anything, it is already part of RFC6724, and there are successful implementations of it.
> >      >>>
> >      >>> Whereas changing the priority for the whole ULA prefix (fc00::/7) seems like a much larger change to me, fraught with much more uncertainty, and I'm much more worried about unintended consequences. It's quite common to fix one bug and create three others. However, if the authors of RFC 6724 are comfortable with changing the priority of the whole ULA prefix (fc00::/7) and essentially eliminating the need for section 10.6. I guess I'd be ok with that.
> >      >>>
> >      >>> Nevertheless, the concern that "arbitrary ULA is not necessarily reachable" stated in RFC 6724 or that I've been calling remote ULAs, still rings true for me, and I need to understand why that isn't a problem if we change the priority of the whole ULA prefix (fc00::/7), as you are suggesting.
> >      >>>
> >      >>> Thanks
> >      >>>
> >      >>> On Fri, Sep 23, 2022 at 7:31 AM Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>> wrote:
> >      >>>>
> >      >>>> Hi David, thanks. But it is not enough for an explanation.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Section 2.2.2 RFC 5200 example is just not relevant to the current situation, it was relevant to RFC 3484.
> >      >>>>
> >      >>>> It is solved by default because the separate label has been attached to ULA in RFC 6724.
> >      >>>>
> >      >>>> Now, IPv4_DA/IPv4_SA would be prioritized above GUA_DA/ULA_SA because of rule 5 (label match).
> >      >>>>
> >      >>>> No problem.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> If you have any other scenario that may affect static ULA prioritization above anything else – please show it.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Why do you believe that address expansion above 2000::/3 would be affected?
> >      >>>>
> >      >>>> If people would continue to use ::/0 as the default and RFC6724 has it in the RC6724 table
> >      >>>>
> >      >>>> Then how the problem could happen?
> >      >>>>
> >      >>>> I do not understand this use case too.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>>> Let’s only fix the problem and not make new problems for the next generation of network engineers and operators.
> >      >>>>
> >      >>>> I claim that the ULA problem is very small. It may be treated as a pure configuration problem. Just add static:
> >      >>>>
> >      >>>>       fc00::/7               45    13
> >      >>>>
> >      >>>> to gai.conf. Hence, the draft in v6ops is enough.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> PS: it does not solve MHMP but it is a problem that possible to separate
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Eduard
> >      >>>>
> >      >>>> From: ipv6 [mailto:ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>] On Behalf Of David Farmer
> >      >>>> Sent: Friday, September 23, 2022 2:17 PM
> >      >>>> To: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>>
> >      >>>> Cc: 6man WG <ipv6@ietf.org <mailto:ipv6@ietf.org>>
> >      >>>> Subject: Re: RFC6724-bis?
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Please read the first paragraph of RFC6724 section 10.6 and all it’s references very carefully. In particular, read 2.2.2 of RFC 5220.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Your argument contradicts the conclusions of 2.2.2 of RFC 5220. In short, your argument is only true today while we are using 2000::/3 for GUA. When that eventually changes, and it will some day, we would have to yet again rejigger the table.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> RFC 6724 is almost correct, the only thing it got wrong is that the section 10.6 modifications must be mandatory and automatic, and not optional, otherwise ULA is broken and dysfunctional.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Let’s only fix the problem and not make new problems for the next generation of network engineers and operators.
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> Thanks
> >      >>>>
> >      >>>>
> >      >>>>
> >      >>>> On Fri, Sep 23, 2022 at 02:27 Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>> wrote:
> >      >>>>
> >      >>>> I still do not understand why Ted and David care about "remote ULA".
> >      >>>> If this ULA has been delivered to the local host by
> >      >>>> Then it has been done intentionally.
> >      >>>> Such a type of misconfiguration does not make sense to optimize.
> >      >>>> Hence, it is possible to operate FC/7 as a whole, no need to split it for /48s.
> >      >>>>
> >      >>>> Hence, why not install permanent precedence to FC/7 in gai.conf?
> >      >>>> It would not play any role on the host till the local router would deliver ULA PIO.
> >      >>>> And even after this, it would not be used till DNS would show the ULA destination
> >      >>>> Because rule 5 (matching labels) would make GUA_DA/ULA_SA a low priority, GUA/GUA would be chosen.
> >      >>>>
> >      >>>> What is the problem with permanently changed FC/7 precedence even above GUA?
> >      >>>>
> >      >>>> Eduard
> >      >>>> -----Original Message-----
> >      >>>> From: ipv6 [mailto:ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>] On Behalf Of Brian E Carpenter
> >      >>>> Sent: Friday, September 23, 2022 4:47 AM
> >      >>>> To: Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>>; David Farmer <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>>
> >      >>>> Cc: 6man WG <ipv6@ietf.org <mailto:ipv6@ietf.org>>
> >      >>>> Subject: Re: RFC6724-bis?
> >      >>>>
> >      >>>> On 23-Sep-22 12:50, Ted Lemon wrote:
> >      >>>>> Op do 22 sep. 2022 om 20:40 schreef David Farmer <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org> <mailto:40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>>>
> >      >>>>>
> >      >>>>>      I think leaving unknown, most likely remote, ULA at a lower priority and adding the /48 or other known local ULA to the table at a higher priority automatically should help mitigate ULA in the public DNS and the possible response of turning off IPv6.
> >      >>>>>
> >      >>>>>      In someways those that put ULA in the public DNS get what they deserve, I’m just worried about the remote user’s response to the brokenness, causing even more brokenness.
> >      >>>>>
> >      >>>>>
> >      >>>>> Hm, okay. I think we are all actually in agreement then, since I heard Brian admitting earlier that it might be better to dynamically update the table.
> >      >>>>
> >      >>>> Indeed, which was exactly why I wrote gai_wrap.py as a userland proxy for that approach.
> >      >>>>
> >      >>>>      Brian
> >      >>>>
> >      >>>>> I must have misunderstood what you meant by optimizing for the uncommon case—sorry about that!
> >      >>>>>
> >      >>>> --------------------------------------------------------------------
> >      >>>> IETF IPv6 working group mail <https://www.google.com/maps/search/Pv6+working+group+mail?entry=gmail&source=g>ing list
> >      >>>> ipv6@ietf.org <mailto:ipv6@ietf.org>
> >      >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
> >      >>>> --------------------------------------------------------------------
> >      >>>>
> >      >>>> --
> >      >>>>
> >      >>>> ===============================================
> >      >>>> David Farmer Email:farmer@umn.edu <mailto:Email%3Afarmer@umn.edu>
> >      >>>> Networking & Telecommunication Services
> >      >>>> Office of Information Technology
> >      >>>> University of Minnesota
> >      >>>> 2218 University Ave SE        Phone: 612-626-0815
> >      >>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> >      >>>> ===============================================
> >      >>>
> >      >>>
> >      >>>
> >      >>> --
> >      >>> ===============================================
> >      >>> David Farmer Email:farmer@umn.edu <mailto:Email%3Afarmer@umn.edu>
> >      >>> Networking & Telecommunication Services
> >      >>> Office of Information Technology
> >      >>> University of Minnesota
> >      >>> 2218 University Ave SE        Phone: 612-626-0815
> >      >>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> >      >>> ===============================================
> >      >>> --------------------------------------------------------------------
> >      >>> IETF IPv6 working group mailing list
> >      >>> ipv6@ietf.org <mailto:ipv6@ietf.org>
> >      >>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
> >      >>> --------------------------------------------------------------------
> >      >>
> >      >> --------------------------------------------------------------------
> >      >> IETF IPv6 working group mailing list
> >      >> ipv6@ietf.org <mailto:ipv6@ietf.org>
> >      >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
> >      >> --------------------------------------------------------------------
> >      >
> >      > --------------------------------------------------------------------
> >      > IETF IPv6 working group mailing list
> >      > ipv6@ietf.org <mailto:ipv6@ietf.org>
> >      > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
> >      > --------------------------------------------------------------------
> >
> > --
> > ----
> > nb

v2.23.0 | Report a Bug | By Email