IETF Logo Mail Archive

Re: [IPv6] Second Working Group Last Call for <draft-ietf-6man-rfc6724-update>

Jared Mauch <jared@puck.nether.net> Mon, 15 April 2024 17:39 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B837C14F600 for <ipv6@ietfa.amsl.com>; Mon, 15 Apr 2024 10:39:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=puck.nether.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHhibLDhkmzI for <ipv6@ietfa.amsl.com>; Mon, 15 Apr 2024 10:39:28 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [IPv6:2602:fe55:5::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7377DC14F74E for <ipv6@ietf.org>; Mon, 15 Apr 2024 10:39:28 -0700 (PDT)
Received: from smtpclient.apple (nat.nether.net [23.138.112.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: jared) by puck.nether.net (Postfix) with ESMTPSA id 00467540168; Mon, 15 Apr 2024 13:38:36 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 puck.nether.net 00467540168
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=puck.nether.net; s=default; t=1713202716; bh=3xv0SrU2A5gigKYWelsJr046rpDRW6ObwBSnilsgOBo=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=GLFvql4SkR2OyNqlq0/MBZSDV01k8sSvPMCqmcG7I+06cRuV4C9Ey/TbKmP7KEkNd uHvhDFTXYbpgm0FdnoWUBmdmlfEb8vmJ11yoVPbGwO7K8qkqpQga0rhEbR0P56eYjT KkfyIEjhF2mjJ2Y59V+sPdn7nkA+PmsZoPXESV4YXGu4kM8GkOcOmI6kBfhIBVGd0u TEyKx4e9VpW2Zckq1DnBo68o2yHRwi9VryZSFbdDTjPtKC3J+diZksQ8XR/7Q2i9Oj +prKHaVmT78mksdQ4mjKnFcCXxWF0CjxSa2shbdIU466gzMjfEaWiBiuEc1NmRtf/U M9kp9PiFYWouQ==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAPt1N1mESFzHsK3XyE8DD_mhZjWvMuh=pf9RMmT6BgyO6LryWQ@mail.gmail.com>
Date: Mon, 15 Apr 2024 13:39:14 -0400
Cc: Kyle Rose <krose@krose.org>, Tim Chown <Tim.Chown=40jisc.ac.uk@dmarc.ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, 6man WG <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2FC2FAA0-FD92-4DAB-96F7-81BDBA90C879@puck.nether.net>
References: <6A5E5F35-B35F-4358-8EE1-3BD82329141E@jisc.ac.uk> <6FBC1B5A-BF28-4B05-B2B2-A60DA4707755@gmail.com> <CAPt1N1m-Ye8vfOVnsPesFshLMV5QuVoxWqM=HVZiJ37zaBg6AA@mail.gmail.com> <CAKD1Yr1NTvFj0zB0=+nnUKck7TBtwHFz2XoFkD1smx4yCuZohQ@mail.gmail.com> <1EFB11CD-544F-4AD7-B414-6A626075975D@employees.org> <CAPt1N1kJFgu6FhFaVhhkPnEY2dofcLF2ZuKDBHJFF5UU6R+x2g@mail.gmail.com> <F301BC19-2D6D-42F5-9C94-0516A765B97C@jisc.ac.uk> <CAPt1N1k4FGbTVVk1QTw0-or0PxkhSPqGda8fHrJKb2t4shNGkw@mail.gmail.com> <CFFA3926-583D-4DA0-B981-3D58048DE894@jisc.ac.uk> <CAJU8_nXpC4ZmcbpuVoTxykf2KEO1zpdThA=VQKM8iXRjTAgHiQ@mail.gmail.com> <CAPt1N1mGn2E2-d9PkvTWePSPUkVik7UO-75ryTa2EkjfR_4ZmQ@mail.gmail.com> <CAJU8_nXXSsJa6ycMZuSmTeNoma1HrBdQ5bD1feb7DDDK5b_dVA@mail.gmail.com> <CAPt1N1mESFzHsK3XyE8DD_mhZjWvMuh=pf9RMmT6BgyO6LryWQ@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/J3pQc0ABWJCr8_HZ7B9LORG-mKM>
Subject: Re: [IPv6] Second Working Group Last Call for <draft-ietf-6man-rfc6724-update>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2024 17:39:32 -0000


> On Apr 15, 2024, at 1:32 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> First of all, remember that the point of this is to improve the behavior of the stack. What we have works now, but has some issues we want to resolve. We do not need to achieve perfection here—we just need to make things better than they were.
> 
> Regarding your VPN setup, I would expect one of two things to be true: either the VPN is giving the device connecting through it a prefix on the known ULA, or it doesn't expect the device to try to use the ULA, and hence it should not be treated as known. If there are cases where it's expected that some other ULA on the known-ULA list would work as a source address in communicating with the ULA from which no source address configuration is provided, then the VPN configuration could include that ULA prefix as "known." This seems straightforward and not experimental. Of course it would require some work in the stack.
> 
> As for the table size question, your VPN setup seems unusual and extreme. Is this a real use case, or something you pulled out of your hat? I think it's perfectly reasonable to have three /48s in your known-ULA table, but I agree that hosts shouldn't have to support arbitrarily large ULAs. The question I have is, when does this happen in practice? Given how ULAs are allocated, we can't expect an enterprise that needs more than a /48 to be able to aggregate, but how often is it the case that we need ULA<->ULA to work well for multiple /48s? What is the downside to it not working well?
> 
> If your point is that there are still unknowns here, I think you're right; my point in saying that this problem is well-understood is that for most use cases, it really is. There are of course some cases where we will need different behavior that is as-yet undescribed. I will point out though that the worst-case scenario is that a particular enterprise just declares all of fc00::/6 to be "known-local" and then gets the behavior we all previously agreed was "good enough." This can already be accomplished (in our proposed model) by publishing an RIO for fc00::/6 in addition to the default route.


I worry about how we standardize these things then make gripes about uRPF not working when the devices can’t have knowledge of the prefixes that are in-scope.  (Eg: savnet)

The multiple on-link prefixes and link-local do provide the option to keep traffic there, but not all applications bind to * AF_ANY and could source from GUA, ULA or otherwise.

- Jared

v2.23.0 | Report a Bug | By Email