IETF Logo Mail Archive

Re: [IPv6] draft-ietf-6man-rfc6724-update might break current ULA+IPv4 hostnames

Mark Smith <markzzzsmith@gmail.com> Sun, 12 November 2023 05:14 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCFCCC15107F for <ipv6@ietfa.amsl.com>; Sat, 11 Nov 2023 21:14:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.603
X-Spam-Level:
X-Spam-Status: No, score=-1.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2-CBrQe1ITGc for <ipv6@ietfa.amsl.com>; Sat, 11 Nov 2023 21:14:28 -0800 (PST)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02660C14CE33 for <ipv6@ietf.org>; Sat, 11 Nov 2023 21:14:27 -0800 (PST)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-9e61e969b1aso297482366b.0 for <ipv6@ietf.org>; Sat, 11 Nov 2023 21:14:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699766066; x=1700370866; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NbH3t0zZ/y+pTpjO4P/GIL41Ttt0lRkSzwtGn/UFEfM=; b=BIFU74KVvUtgsVGrBhTETskdz22aNe+kkM04cCFpGsGdMWJZRxMQDI5FgHarBxgSqP OH/Cn/Cm6AjpDm7awCEx1LYT8tMpIEG6arxW5w5UxJh0s0ep8ymikDkc4JoAAOKxoJSY juM/54k2bH/ttTWH6i/LVr16AJVic1QGFfZRac1xOmaartTOAcrRVQ5sVfvgrTDvAbb+ yUm3A4Eupw6wbwlydiLicn1wrzRYQkqqOOJeAJzdqzYljmf9MV72rYmTo/Qpk1hKe16O 3OwSGS5mmL/msBNBQsBfIag85uzMRTACYYhEXClgSMZBqC+N5LKgVVhTMJTMF1HgGbCX CCcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699766066; x=1700370866; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NbH3t0zZ/y+pTpjO4P/GIL41Ttt0lRkSzwtGn/UFEfM=; b=s8Pa6q0Ix9a2/MgXqzBpzN5X3XgN3+OxeUaoMvjJq7c2OdTTQgcBZPUqXahAGul6xx 3BRVSmtZtCaR/qSdKOpY/5n4sN1QzQ6PqH5HkQ4RQKbJQYfO2EI1e4qE1ZlgbAlrXVOb Z1P7j3cg+bYQ1HoTj8kZQp3Te7u1snufPByaJFzF9Xyzjcc7h7LTOsySEGdtxTjonI2d gjg2/oI+hwZgPhuS59kPZB4qtehSlWASxS4dp789qcU58mw5VVWrZQhM0wSQJkFXcEWl ETNO4GlO9ulqPquHbi1X7AFRuL4+oAXqlR/EJTJqKlag2H6YXFhFBoEkRo0MChnT2Tcy q+kg==
X-Gm-Message-State: AOJu0YyhXyX5H/Dx0hOiPN81+qbHUEe6FZmqlsm1RiYwGbIQT1+EDTR0 vnjCZP9cc/xag1unYQpfjcmgT9sEt68muKwVIPy4zOy7m/Q=
X-Google-Smtp-Source: AGHT+IEm6UFF8h0En5JuMaNFTkh/Q5MwAseccMHoTybJ7BqBvDTG+gxp892D+FN0icOqvSCAuzMyb45SmCmIAXYpuzc=
X-Received: by 2002:a17:906:1342:b0:9c4:54c6:8030 with SMTP id x2-20020a170906134200b009c454c68030mr2353755ejb.6.1699766065739; Sat, 11 Nov 2023 21:14:25 -0800 (PST)
MIME-Version: 1.0
References: <CAKD1Yr2uD+XE+HA6vs3BfEchpWr5H2NEeoXLrXm7-U9_ckw1sA@mail.gmail.com> <CAN-Dau2Nw21wUm-mjxq3bnYczPJbApVhcZZ6oie+HiB4yvr_PQ@mail.gmail.com> <CAKD1Yr1z2x8iKXYQtPVifj-XkP7MeRq=NWe0gdWBGC1aS_j0Mg@mail.gmail.com> <CAN-Dau1mJJRX6Y78Lo-vN7YFxafWBpkeNRw6Ak1ZBbXXEr0hHA@mail.gmail.com>
In-Reply-To: <CAN-Dau1mJJRX6Y78Lo-vN7YFxafWBpkeNRw6Ak1ZBbXXEr0hHA@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sun, 12 Nov 2023 16:13:59 +1100
Message-ID: <CAO42Z2wxK8uF1854UYt+Qf+TPcQJZoejEKV0qXs29ZruSsHOog@mail.gmail.com>
To: David Farmer <farmer@umn.edu>
Cc: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, IETF IPv6 Mailing List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008cbe670609eda04c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MjMUF4KmLTs-fMhlKLUIYzu0xYU>
Subject: Re: [IPv6] draft-ietf-6man-rfc6724-update might break current ULA+IPv4 hostnames
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2023 05:14:31 -0000

Hi David,

On Sun, 12 Nov 2023, 13:59 David Farmer, <farmer@umn.edu> wrote:

> Lorenzo and Mark,
>
> The reality is that most systems today would use IPv4 instead of ULA if
> they didn't have GUA unless they implemented the advice in Section 10.6 of
> RFC 6724, which is rare and why we need this draft.
>

I understand completely why we need a draft to fix the problem with ULAs
being below IPv4. Since I think of ULAs as site-locals+a random number, I
assumed RFC 6724 just effectively replaced site-locals with ULAs,
preferring them over GUAs, as site-locals had been.


>
> We could make the advice in Section 10.6 mandatory, but RFC 4193 also
> anticipates merging ULA networks. Therefore, the advice in Section 10.6
> needs to be mandatory and expanded to allow for an arbitrary number of
> /48s, not just the /48 covering the PIO used for ULA. I suggested using
> PIOs to add additional ULA prefixes to the policy table dynamically.
> However, others felt such a dynamic table would be too complicated and
> preferred the simplicity of raising the preference of the ULA label above
> IPv4 yet remaining below GUA in a static table.
>

For an internal destination, that could be reached by either a ULA or GUA
address, ULA should be preferred over GUA. Otherwise, one of the key
benefits and uses of ULAs disappears:

RFC 4193:

"4.2.  Renumbering and Site Merging

   The use of Local IPv6 addresses in a site results in making
   communication that uses these addresses independent of renumbering a
   site's provider-based global addresses."




> This is relatively safe as long as Happy Eyeballs is implemented, as HE
> will try ULA against IPv4 if there is no GUA. Otherwise, if there is GUA,
> HE will try it against IPv4 instead.
>
> As Mark points out, this still leaves GUA preferred over ULA. However,
> raising all ULA above GUA in a static table is unsafe, as any remote ULA
> would be preferred over GUA.
>

Yes.



> Then, Happy Eyeballs would try the remote ULA against IPv4 instead of GUA,
>

Which is why HE should prefer ULA over GUA (and all IPv6 is preferred over
all IPv4).

Note that it needs to be Happy Eyeballs version 2, which works differently
and better to HEv2 regarding IPv6 verses IPv4.




> with the likelihood of using IPv4 instead of GUA as expected.  A dynamic
> table that prefers known local ULAs above GUA is the only safe way to
> prefer ULA over GUA.
>

I disagree.

Hosts have to be able to cope with DNS providing unreachable destinations
regardless of ULA/GUA/IPv4 etc. preference, because DNS isn't normally
tightly coupled to the state of reachability of the network. (DNS caching
would be hard if not impossible to do if DNS records were coupled to the
state of OSPF, BGP and ultimately ND/ARP reachability for DAs.)

So imagine your "safe" scenario where a host has a dynamic table such that
the host knows of the local ULA /48.

DNS returns the ULA and GUA DAs for an internal host.

I think you're saying with your dynamic table that is a safe scenario,
which I think means you're assuming then ULA will always be 100% available
because now you're comfortable preferring ULA over GUA. (For completeness,
does "unsafe" mean encountering long TCP connection timeout delays?)

That may not be the case. Perhaps the ULA address of a host is on one
network card, and the GUA address of the host is on a different network
card (i.e. it's a multihomed host), and the link to the ULA network card is
down. The ULA address is now unreachable, whereas the GUA is reachable. I
think that would be an "unsafe" result in your "safe" scenario.

DNS does not provide an assurance of current reachability. Hosts have to
test reachability by actively trying to reach the DNS supplied DAs, and
move on quickly to the next DA in the set somehow (e.g., via HEv2) when the
current DA is determined to be unreachable.

Once you accept that DNS may return unreachable DAs, and hosts will and
have to deal with it in a user friendly manner (HEv2 or similar), you then
optimise for the common and likely cases (via preferences such as ULA over
GUA), not error and uncommon cases like remote and unreachable ULAs in
global DNS.


Regards,
Mark.


> Therefore, the advice in Section 10.6 is still valid and should be
> expanded to allow for an arbitrary number of /48s. With a static table, ULA
> should have a lower preference than GUA to remain safe.
>
> Mark's agreement, based on site-local, is valid as far as it goes, but
> since there is only one site-local prefix, there is no such thing as a
> remote site-local, where there can be unreachable remote ULAs.
>
> Thanks.
>
> On Sat, Nov 11, 2023 at 3:57 AM Lorenzo Colitti <lorenzo=
> 40google.com@dmarc.ietf.org> wrote:
>
>> Why is is a misconfiguration to put a ULA AAAA record in the DNS? Because
>> it is never preferred over anything, adding it won't break anything, and it
>> will work on IPv6-only networks when global IPv6 connectivity is down. I
>> could totally see someone doing the following:
>>
>> server.smallcompany.com AAAA fd73:4899:2a7f:a93a::53
>> server.smallcompany.com AAAA 2001:db8:4923::1
>> server.smallcompany.com A 192.0.2.1
>>
>> This would work well today. The server would be reached:
>>
>> - over global IPv6, if the client has it
>> - over ULA, if the client is v6-only and is within small company's
>> network but there is no global connectivity (e.g. ISP link down and
>> addresses deprecated)
>> - over IPv4, otherwise
>>
>> People might well have done this today because it works for them. If we
>> change the rules as proposed in this draft, it will stop working for any
>> home network that has a ULA and IPv4, but no IPv6 (and there are lots of
>> these).
>>
>> This is a fundamental property of ULA: it doesn't provide reachability.
>> If we give all of ULA the same label, and prefer it over other addresses,
>> we'll always end up with problems.
>>
>> What happened to the idea of treating "same /48" ULA differently from
>> "rest of ULA space"?
>>
>> On Fri, 10 Nov 2023, 15:57 David Farmer, <farmer=40umn.edu@dmarc.ietf.org>
>> wrote:
>>
>>> In this scenario, a ULA source with a non-local ULA destination can only
>>> occur from a misconfiguration that includes both a ULA and Global IPv4
>>> addresses in the Global DNS, contradicting Section 4.4 of RFC4193.
>>>
>>> Nevertheless, even if this misconfiguration happens, Happy Eyeballs, if
>>> implemented, will try the non-local ULA destination with the ULA source and
>>> the IPv4 destination and source pairings. The likely result is IPv4 being
>>> used in practice since the ULA source will typically fail to communicate
>>> with the non-local ULA destination, and IPv4 will succeed if IPv4 Internet
>>> connectivity is available.
>>>
>>> If Happy Eyeballs is not implemented, the non-local ULA destination with
>>> the ULA source is preferred, and the ULA source will typically fail to
>>> communicate with the non-local ULA destination; however, if the operational
>>> guidelines in Section 4.3 of [RFC4193] are followed. In that case,
>>> recognizing this failure can be accelerated, and transport layer timeouts
>>> (e.g., TCP) can be avoided. These guidelines will cause a Destination
>>> Unreachable ICMPv6 Error to be received by the source device, signaling the
>>> next address in the list to be tried, as discussed in Section 2 of RFC 6724;
>>>
>>> Well-behaved applications SHOULD NOT simply use the first address
>>> returned from an API such as getaddrinfo() and then give up if it fails.
>>> For many applications, it is appropriate to iterate through the list of
>>> addresses returned from getaddrinfo() until a working address is found. For
>>> other applications, it might be appropriate to try multiple addresses in
>>> parallel (e.g., with some small delay in between) and use the first one to
>>> succeed.
>>>
>>>
>>> Should this also be discussed in the draft?
>>>
>>> Thanks
>>>
>>> On Fri, Nov 10, 2023 at 3:35 AM Lorenzo Colitti <lorenzo=
>>> 40google.com@dmarc.ietf.org> wrote:
>>>
>>>> I don't know how common this is, but it's probably worth thinking about.
>>>>
>>>> Many home routers assign ULAs, even if they don't have native IPv6. On
>>>> such networks, a hostname that has ULA and IPv4 (or ULA and global and
>>>> IPv4) will currently work using IPv4.
>>>>
>>>> If hosts update to follow the new rules in
>>>> draft-ietf-6man-rfc6724-update, that will break because new hosts will
>>>> prefer ULA over IPv4. This won't work, because the ULA is actually a
>>>> different ULA and the home router will drop the packets.
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>>
>>>
>>>
>>> --
>>> ===============================================
>>> David Farmer               Email:farmer@umn.edu
>>> Networking & Telecommunication Services
>>> Office of Information Technology
>>> University of Minnesota
>>> 2218 University Ave SE        Phone: 612-626-0815
>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>> ===============================================
>>>
>>
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>

v2.23.0 | Report a Bug | By Email