IETF Logo Mail Archive

RE: [v6ops] Possible issue with source address selection for ULAs...

Vasilenko Eduard <vasilenko.eduard@huawei.com> Mon, 10 January 2022 16:14 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA303A13F9; Mon, 10 Jan 2022 08:14:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8QaDPnMhMRUU; Mon, 10 Jan 2022 08:14:06 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CDB83A1420; Mon, 10 Jan 2022 08:14:04 -0800 (PST)
Received: from fraeml712-chm.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4JXf5g2ZvQz688NM; Tue, 11 Jan 2022 00:13:59 +0800 (CST)
Received: from mscpeml100002.china.huawei.com (7.188.26.75) by fraeml712-chm.china.huawei.com (10.206.15.61) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Mon, 10 Jan 2022 17:14:00 +0100
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml100002.china.huawei.com (7.188.26.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Mon, 10 Jan 2022 19:13:59 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2308.020; Mon, 10 Jan 2022 19:13:59 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: 6man WG <ipv6@ietf.org>
CC: IPv6 Ops WG <v6ops@ietf.org>
Subject: RE: [v6ops] Possible issue with source address selection for ULAs...
Thread-Topic: [v6ops] Possible issue with source address selection for ULAs...
Thread-Index: AQHX9vvvL+2CykGFBkehBNPC1FNlZaw+CgAAgABR1ACAAAaKgIAUpcsAgABEbQCAAC28AIAA/EaAgABEdoCAB8M9MA==
Date: Mon, 10 Jan 2022 16:13:59 +0000
Message-ID: <4e185b93fe494122a05c9ac5b0bd5473@huawei.com>
References: <4DD59CC3-1BDB-4A1C-A33B-8CC3EDE622A8@chinaunicom.cn> <550d1375e15941199e23f3d7a309cb4d@huawei.com> <CAPt1N1mXK1nsJ=1wyKm-ToqLj=+j2hXrywAyNZmE0X67ipT89g@mail.gmail.com> <73353834-0DFD-4542-95B1-06BAD1F32D41@employees.org> <D4C144D3-4227-4102-A00C-10C2CB686AAE@gmail.com> <22084.1641333602@localhost> <16560b6f48ab4eb09a01ce2c64b423bc@boeing.com> <11213.1641397599@localhost> <641ed285-38bc-0789-d5b4-cab942da756a@gmail.com>
In-Reply-To: <641ed285-38bc-0789-d5b4-cab942da756a@gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.171.242]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/IC1AmyR_7iyhqe1YFlYPJki0euY>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jan 2022 16:14:11 -0000

Hi all,
ULA is different from private IPv4 in the Telco environment
Because for any additional functionality in the data plane on the transit (like SRv6)
IPv6 needs to layer another IPv6 data plane: IPv6 should be encapsulated into IPv6 by RFC 2473.
This outer IPv6 data plane effectively shields the address type used inside the Telco environment.
If ICMP would happen then it would be destined to the source of the outer IPv6 data plane (Carrier PE), not to the source of the inner data plane (user host).
Hence, even for the case of IPv4 in the inner data plane, ICMP PTB would be properly processed on ingress IPv6 PE.

Anyway, I vote against ULA for Telco infrastructure.
Because ULA would impose Carrier to have double IPv6 data plane (and only IPv6 for outer data plane) forever for all services
to shield ULA from the external audience.

The tunneling story is broken when the outer data plane is MPLS over v6. MPLS does not have its own ICMP staff to handle it properly.

Reminder, that the majority of IPv4 traffic is carried in GRT (Global Routing Table), not inside VPN.
Because many features are not developed for VPNs. And because of additional scalability requirements to routers in a VPN case.
It would be not good if RFC 2473 tunnels would become mandatory for plain IPv6 Internet traffic.

RFC 2473 tunnels for inter-domain services would request ULA routing between Carriers
That looks like a violation of ULA specification and a low-probable address collision.

Maybe a need to connect infrastructure from the Internet
That would be blocked with ULA numbering.

Hence, I see just a list of limitations. I do not understand the advantage.
The story of better security is not viable. If somebody would like such type of filtering on the perimeter then filter GUA block. It would be possible to reverse if one would change his mind or stumble upon some limitations.
ULA is a one-way ticket, not flexible. Some limitations are already evident.

Eduard
-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Brian E Carpenter
Sent: Wednesday, January 5, 2022 10:52 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>; Manfredi (US), Albert E <albert.e.manfredi@boeing.com>
Cc: IPv6 Ops WG <v6ops@ietf.org>; 6man WG <ipv6@ietf.org>
Subject: Re: [v6ops] Possible issue with source address selection for ULAs...

> If I can avoid using ULA, I would always do that.

All the same, it seems that we really need a document that characterises use cases for ULA usage and suggests guidelines.
We've tried and failed to do that it in the past, so the issue keeps coming up.

Regards
    Brian

On 06-Jan-22 04:46, Michael Richardson wrote:
> 
> Manfredi (US), Albert E <albert.e.manfredi@boeing.com> wrote:
>      > What about air-gapped networks? I'm considering doing just this. 
It
>      > avoids involving any other organization, in the assignment of IPv6
>      > addresses, number of subnets, subnetting architecture, or any 
> of
that.
> 
> It also leaves you with no whois or rDNS for when the airgap fails, 
> your packets get out, and someone ponders who to tell.
> (I see this *REGULARLY*)
> 
> IPv6 is beyond plentiful.
> If I can avoid using ULA, I would always do that.  No technical entity 
> with more than 1000 people should be without their own assignment in my opinion.
> 
>      > Use the ULA prefix rules, to keep the addresses unique in each
>      > platform, document this, and no one else needs to be involved.
> 
> Exactly.  Nobody else is involved, so nobody can ever help you.
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
> 

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

v2.46.0 | Report a Bug | By Email | System Status