Re: Last Call: <draft-ietf-6man-rfc4291bis-07.txt> (IP Version 6 Addressing Architecture) to Internet Standard

Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 23 February 2017 12:25 UTC

Subject: Re: Last Call: <draft-ietf-6man-rfc4291bis-07.txt> (IP Version 6 Addressing Architecture) to Internet Standard
To: ipv6@ietf.org
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <b79fbd80-c38c-fb1a-3b4d-4fada5b30e4e@gmail.com>
Date: Thu, 23 Feb 2017 13:25:24 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FpW3OsPlEJeMltXYziBQebtwXg0>


On 23/02/2017 at 12:43, Wilco Baan Hofman wrote:
>
>
> On 23/02/17 11:20, Philip Homburg wrote:
>>>> Nobody is saying that /64 isn't extremely widely used where
>>>> it's appropriate to have a portable fixed length IID. Set the
>>>> default at 64 and trust operators to change it where they need
>>>> to. That's realistic.
>>> As a host developer I strongly oppose that. It will make life
>>> easier for network operators but make life harder for host OS
>>> developers, host operators, and host users.
>>>
>>> And it is absolutely inappropriate to change this now in given
>>> that the /64 boundary has been the standard for the last 20
>>> years. It will break deployed code that relies on the current
>>> standard. (That includes concrete code I can point to that I
>>> know runs on tens of millions of devices.) That's not acceptable
>>> to do in a standard reclassification.
>>
>> I'm curious about the issues the host developer faces.
>>
>> For DHCP IA_NA, the host should not care about the length of the
>> IID. The host just configures the address as a whole. No need to
>> look at the prefix length.
>
> For stateful DHCPv6 the prefix length should also be /64

In DHCPv6-for-addresses (not for prefixes) the prefix length field is
absent.

Some of the DHCPv6 Client code sets a 64 (hardcoded in C language) in
the source code when assigning that address to the interface.

That is completely wrong.

I suppose programmers having written this thought to themselves that
since SLAAC/Ethernet does that, and since RFC4191 reinforces it, then
why not DHCPv6 too?

They miss that DHCPv6 spec does not include a prefix length in their
messages.

> and should allow multiple addresses, at least in my opinion.

Yes, DHCPv6 should allow for multiple addresses.  It is the case.  But
no plen.

Also DHCPv6 Prefix Delegation is made to be able to request a prefix (a
P1/64, or a P2/63 or even a P3/3 - the plen is a parameter).  With that,
the Client is free to form addresses out of maybe P1 by setting an
Interface ID of a parameterizable length, and delegate further something
out of a P3.

> And I have seen several devices that only allowed configuration of
> /64 prefixes (printers, etc) for even static addresses, which is a
> perfectly valid assumption right now.

It is a wrong assumption even right now to assume a /64 plen for a
manually configured address.  This has strong consequences on routing.

A host on a /120 subnet MUST NOT set /64 for manually configured
addresses, but /120; otherwise it can eat out of a subnet of someone else.

This is simply covered in the 4191 IPv6 Architecture by the statement
saying that the Interface ID length plus the prefix length must equal
128.  120 plus 64 equals 184 which is different than 128.

> So we see SLAAC, ILNP and NPT66 requiring 64-bit prefix length.

Again, 64-bit in SLAAC is a side effect of using Ethernet with that
SLAAC.  SLAAC per se uses a parameterizable prefix length.

As such, it is SLAAC/Ethernet requiring 64-bit prefix length.

For ILNP and NPT66 I don't know, but I thought I saw /48 in some Network
Prefix Translator implementation on linux.

> But these cases all cover edge networks, with hosts, printers and
> similar nodes. Keeping the requirement (or moving to SHOULD) for
> edge networks seems reasonable to me.

I would disagree, because we want these edge networks to further grow.

I would agree with a statement that says Ethernet can only work with
SLAAC if it has an IID of length 64.  One cannot make an Ethernet
subnet with SLAAC and plen 65.  That is a problem of Ethernet - RFC2464
- and try to update it.  Otherwise it won't grow.

> However, this does not make the carrier use case any less relevant.
> The main problem with /64 is TCAM exhaustion through ND attacks.
> Because NDP follows a multicast discovery model, it simply does not
> scale up to 2^64 addresses in a subnet when being scanned/attacked.
> A subscription model (like WiFi proxyNDP does) would scale a lot
> better. This is something that needs to be addressed as well,
> separately.

I agree.

> Another problem carriers face is that /127 can not be configured on a
> lot of routers, because of the subnet router anycast requirement that
> was only lifted for /127 with rfc6164 in 2011. That means that
> operationally people go out-of-spec, because frankly, going
> out-of-spec works more reliably and consistently.
>
> And because /64s don't really work for inter-router-links because of
> the attack surface, and /127s don't really work because of older
> routers, people will start configuring /126 for inter-router-links
> and /125 and (slightly) shorter for VRRP and for BGP sessions with
> multiple routers.
>
> In my opinion, there should at least be some room in the IPv6
> standard for arbitrary prefix lengths for interconnects.

I agree.

Alex

>
> -- Wilco
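Added example, not part of any message in this thread: a small check illustrating the point above about a host on a /120 subnet that hard-codes /64 for a DHCPv6- or manually-assigned address. It computes the Interface ID length implied by a prefix length (prefix + IID must equal 128) and lists the destinations such a host would wrongly treat as on-link, i.e. resolve with Neighbor Discovery instead of sending to a router, which is how it "eats out of" a neighbouring /120. All addresses are constructed documentation-prefix values.

```python
from ipaddress import IPv6Address, IPv6Interface


def iid_length(prefix_length: int) -> int:
    """Interface Identifier length implied by a prefix length.

    RFC 4291 requires prefix length + IID length == 128, so a host on a
    /120 subnet carries an 8-bit IID, not the 64-bit one Ethernet SLAAC
    (RFC 2464) produces.  A /120 subnet plus a /64 assumption gives 184.
    """
    if not 0 <= prefix_length <= 128:
        raise ValueError(f"invalid IPv6 prefix length: {prefix_length}")
    return 128 - prefix_length


def on_link(configured: str, destination: str) -> bool:
    """True if a host configured with 'address/plen' considers the destination
    on-link and will therefore try Neighbor Discovery for it directly."""
    return IPv6Address(destination) in IPv6Interface(configured).network


def wrongly_on_link(address: str, real_plen: int, assumed_plen: int,
                    destinations: list[str]) -> list[str]:
    """Destinations the host treats as on-link only because it assumed the
    wrong prefix length: they are outside the real subnet, so the packets
    should have gone to a router, and the neighbouring subnet is affected."""
    real = f"{address}/{real_plen}"
    assumed = f"{address}/{assumed_plen}"
    return [d for d in destinations if on_link(assumed, d) and not on_link(real, d)]


if __name__ == "__main__":
    # Constructed scenario: the host lives in 2001:db8::1:0/120, but its
    # DHCPv6 client hard-codes /64 when installing the address.
    host = "2001:db8::1:5"
    targets = [
        "2001:db8::1:7",      # same /120: genuinely on-link
        "2001:db8::1:105",    # someone else's /120 inside the same /64
        "2001:db8:0:2::1",    # different /64: off-link either way
    ]
    print("IID bits for /120:", iid_length(120))
    print("wrongly on-link with hard-coded /64:", wrongly_on_link(host, 120, 64, targets))
```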