IETF Logo Mail Archive

Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05

David Farmer <farmer@umn.edu> Tue, 07 May 2019 23:50 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D233120235 for <ipv6@ietfa.amsl.com>; Tue, 7 May 2019 16:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLzb1Zsgu-fU for <ipv6@ietfa.amsl.com>; Tue, 7 May 2019 16:50:54 -0700 (PDT)
Received: from mta-p7.oit.umn.edu (mta-p7.oit.umn.edu [134.84.196.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E77A12027C for <ipv6@ietf.org>; Tue, 7 May 2019 16:50:54 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id 3F3CC9BE for <ipv6@ietf.org>; Tue, 7 May 2019 23:50:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XxZjGTYdiToY for <ipv6@ietf.org>; Tue, 7 May 2019 18:50:53 -0500 (CDT)
Received: from mail-vs1-f72.google.com (mail-vs1-f72.google.com [209.85.217.72]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id D69057CA for <ipv6@ietf.org>; Tue, 7 May 2019 18:50:52 -0500 (CDT)
Received: by mail-vs1-f72.google.com with SMTP id f5so3460280vsq.15 for <ipv6@ietf.org>; Tue, 07 May 2019 16:50:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=D/CJu6AY4utNXLENpBP3LgvP0wh18LbKBNPVRvDd/30=; b=DWwMfyVq/GD3h1tP90GwdzP320BUofErbTOjBxZS5wwsgDWodjPOAByJtQzXvC+Pdo seURLB9vULVorfsZ5R8PKwpRA9g6DQ1FqBqSWIFXek/eCQmgk2J6+/D++PfAQPc/AniO XInN3NRtCiIlkgLFDR+djw5rCXu/1TJdQkwm4ZlkEOOjQ5orTS0Dy7kwMOq3AG4ctQd5 sbe0CnnvObjXbIPp0Rq+yUB4SQCbXc00dEb8OcTzZXkqps6fDwHPCh928loOLn2Ot3oj YQArsSafU2ZeTdhASvkvG3EB5dXIAzRLXguhkRx72WF54/XaUg0fviG5on2qWAdr+xRB +94A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=D/CJu6AY4utNXLENpBP3LgvP0wh18LbKBNPVRvDd/30=; b=DevGAvQz5uHdWwG4Z+XbLErCGIlUiOoAT1NjT9bdigCZLa/7Ph6DF9+WHhZEdwnLvV /ariA7s1PnMMbbp1+LtCAGR/7IVuU6tY4iGCydRGJESGIn/SwQZFMflM352GfaDkQEiQ W1elBuqM6gncQU1FZTHwwjrJFTqlxafCqPs0+vLr46pz7HU1SxXALQB9fsDdMqy2k12d ULk+idBO25rsuR4tu4JWQNNxDWuE9f6hA20tqry6e+uKhgb6rXsfExAR0hsZAVK5/hO/ cVIByAwQ7SwJ77ZhH0pxsv3Wfubro80oUOFk7YndgCLNuV2QH5cIBY46RGJ6GyR97kbx 907A==
X-Gm-Message-State: APjAAAXBKfKpqYwJBuZQ+KQTSasBfmYsV7npi0bso4SR+JItN9jvPXSa rfyGo7TRWckV32x4S2cTbSlpF6awg5tI56av+jeM2gFaS+Aqi9YZw7V4KMEa2wNvUnYS3mxF3hQ pO4XxH0RB8IxcOMz5LMUEJo13
X-Received: by 2002:ab0:644c:: with SMTP id j12mr11154785uap.61.1557273051829; Tue, 07 May 2019 16:50:51 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwb3WJ4SWl7LrC1M++VALIEH4WFRKvBUgDad76IMPoWOpydfIbiGPcdgNxDt2n3SLfY4mWbTcE9uQaHVBl/rNo=
X-Received: by 2002:ab0:644c:: with SMTP id j12mr11154777uap.61.1557273051330; Tue, 07 May 2019 16:50:51 -0700 (PDT)
MIME-Version: 1.0
References: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org> <a2465e81-a17f-ab48-efda-20fe12a70077@foobar.org> <30239E0C-C444-4A7E-8342-AEE47BF8A2BB@employees.org> <20190505200449.GB7546@vurt.meerval.net> <80073906-c3c0-1f22-9e7f-c2b349063936@gmail.com> <CAO42Z2xzVW3m0mN7jEn8SYyYCYhrufVnkfp3rBjJcijBkvucNQ@mail.gmail.com> <CACWOCC-35yVYXSRR0sRL-MBMHyOFZtJx9E9h14G8qqVh5T7qGA@mail.gmail.com> <232c1a43-0fd9-4eae-737b-260a3906f72a@gmail.com> <51F2BD2A-A590-4AF1-B8C1-FE62C9416340@steffann.nl> <8C63324F-FEF6-40BD-B918-B413CDEF9186@gmail.com> <478d5dc5-af00-4ab0-d8ef-75e41cd501d4@foobar.org> <9eb009ba-234f-ea62-779b-469255543f91@gmail.com>
In-Reply-To: <9eb009ba-234f-ea62-779b-469255543f91@gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Tue, 07 May 2019 18:50:34 -0500
Message-ID: <CAN-Dau1ALcDwZ-JdcrCTXm5qK835HGMkEcNYSHXZjn9Yggce8g@mail.gmail.com>
Subject: Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000b17cb058854e300"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/JBsMXfjffZNyHo5VmllHbEYZVok>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 23:51:04 -0000

Furthermore, on a mobile device, you can't just turn off IPv4 on the device
unless anywhere it goes will not have IPv4.  In this case want to turn off
IPv4 on certain networks, not all networks, not even all dual-stack
networks, but only some that we designate as IPv6-Only networks. This is an
important distinction, and it means turning off IPv4 on the host isn't
really an option.

The potentially bad side effects of the flag are a valid concern, but If
the meaning of the flag is changed to be similar to RFC2563, then I think
that mitigates the bad side effects completely.  Basically, the flag has no
meaning or effect by itself, it only has meaning if the host also doesn't
receive a DHCPv4 response. This way you set the flag in the IPv6 RA and you
also have to either layer 2 filter ether types 0x0800 and 0x0806 or
otherwise ensure there are no DHCPv4 responses on the network.

Thanks


On Tue, May 7, 2019 at 6:19 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> Nick, excuse top posting but it seems to me that you are
> assuming that in a managed network, the hosts are all
> managed too. That's certainly a false assumption in my
> experienced: managed routers and access points with
> BYOD hosts is a very common scenario.
>
> It remains true that even so, in many cases the managed
> network could be configured to block IPv4 at layer 2.
> I can't argue against that argument.
>
> Regards
>    Brian
>
> On 08-May-19 07:13, Nick Hilliard wrote:
> > Bob Hinden wrote on 07/05/2019 17:31:
> >> Enterprise networks are an important use case for this proposal.
> >>
> >> The draft seems to me to be clear it is focused on managed networks.
> >> It uses the word “administrator” 12 times.   There is, of course, no
> >> administrator on unmanaged networks.
> >>
> >> Would it help if the draft said the focus is for managed networks?
> > Not really, no, because when you look at it more closely, it becomes
> > apparent that the flag is redundant on managed networks.
> >
> > What's important about managed networks is that they're managed.  I.e.
> > that whatever policy is put in place by the administrator can be
> > enforced.  v6only does not and cannot enforce anything, which means that
> > from the point of view of policy or enterprise management, it fails
> > before it leaves the block.  It fails because all it does is provide an
> > advisory hint to the operating system about the intentions of the
> > network administrator.
> >
> > Drilling down further and looking at the issue from the point of view of
> > an enterprise network, management would encompass either device
> > management or fine-grained network access control, or both.  In each
> > case, the management will be enforced because if it's not enforced, it's
> > not management: it's hand-waving.
> >
> > For device management, it might be e.g. Windows group policy, or macos
> > workgroup manager, or some orchestration tool (puppet / saltstack /
> > etc), or some COTS product to do all this - there are plenty out there.
> > The point is that the management of the devices on the network will be
> > centralised and will give the administrators of the network the ability
> > to enable or disable ipv4 by application of enforced policy.
> >
> > No sane operating system manufacturer will leave the v6only option
> > enabled by default on an out-of-the-box installation because the
> > possibility of mischief is far too great. This means that if the
> > administrator wants to change this default, they will need to touch the
> > configuration of each installation.
> >
> > But here's the thing: if they already have to change the default
> > configuration to enable v6only, why wouldn't they go the whole hog and
> > just disable v4 completely?  More to the point, if they need to delve
> > into this level of operating system protocol capabilities, their policy
> > management tools will be sufficiently fine-grained to enable or disable
> > any specific protocol on any specific network that they choose.  In
> > other words, the v6only flag is almost entirely irrelevant for managed
> > networks where the management capabilities are done on the host devices.
> >   The job can be done more simply and more reliably by using existing
> tools.
> >
> > The other type of managed network is where control of the network access
> > is managed.  I've gone into some detail on this scenario on several
> > occasions before, so please forgive me for quoting these URLs:
> >
> > https://mailarchive.ietf.org/arch/msg/ipv6/NIJ194PI8CLkuZT8U_jKEOY01QI
> > https://mailarchive.ietf.org/arch/msg/ipv6/a9KBvO88PlPrO0kLr83VOBlGmpw
> >
> > Summarising:
> >
> > - L2 ACLs provide vastly superior functionality, and work today.
> >
> > - even L2 ACLs on core links can reduce the problems assertions in the
> > v6only-flag problem statement to background noise.
> >
> > - gigantic l2 domains were busted about 30 years ago as being terrible
> > network design and the ietf has no responsibility to create workarounds
> > for people who implement terrible network designs.  And if you really
> > need to implement gigantic l2 domains, you need kit which is fit for
> > purpose.
> >
> > I.e. if you want actual management, then you need to manage, and that
> > mandates enforcement.  The larger your network, the more effort you need
> > to put into designing it properly - and managing it using appropriate
> > equipment.
> >
> > I'm sure it would be possible to contrive scenarios where marginal gain
> > in functionality is achieved with the v6only flag, but in 18 months of
> > discussion (and draft-perreault-sunset4-noipv4 before it), not even a
> > single credible use case has come up where the alternatives weren't
> better.
> >
> > Nick
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> >
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email