Re: [v6ops] Scope of Unique Local IPv6 Unicast Addresses (Fwd: New Version Notification for draft-gont-6man-ipv6-ula-scope-00.txt)

Fernando Gont <fgont@si6networks.com> Sat, 13 February 2021 07:10 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A890C3A0FEC; Fri, 12 Feb 2021 23:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MivWfEM2y0Ie; Fri, 12 Feb 2021 23:10:38 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99A4B3A0FEB; Fri, 12 Feb 2021 23:10:36 -0800 (PST)
Received: from [IPv6:2800:810:464:2b9:1c77:acfc:e6a8:1311] (unknown [IPv6:2800:810:464:2b9:1c77:acfc:e6a8:1311]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 2D74F283BA7; Sat, 13 Feb 2021 07:10:21 +0000 (UTC)
Subject: Re: [v6ops] Scope of Unique Local IPv6 Unicast Addresses (Fwd: New Version Notification for draft-gont-6man-ipv6-ula-scope-00.txt)
To: Ted Lemon <mellon@fugue.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, IPv6 Operations <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>
References: <160989494094.6024.7402128068704112703@ietfa.amsl.com> <6fe3a45e-de65-9f88-808d-ea7e2abdcd16@si6networks.com> <F4E00812-E366-4520-AE17-7BB46E28D575@gmail.com> <b2e51a89-e8a7-9ddb-643d-63a98569b03c@si6networks.com> <CB9EA5F4-A241-46A4-A371-B2A1BFB8C72F@fugue.com> <dff93a2e-f4f8-01c9-ce88-c2dbb20a04f1@si6networks.com> <759637FF-77C7-41EA-8671-73988AD48873@fugue.com> <9877D352-E9BB-453B-A676-D2B5C546C1C2@gmail.com> <11035C3E-BA75-4B9D-A047-B2AA1DE23BEA@fugue.com> <b3f1c53f-c22d-c9fb-6094-9a15d79fcd43@si6networks.com> <b9972eb4-b4db-e82d-12ec-1cfcc75a9e45@gmail.com> <6488.1613188541@localhost> <e0fec02c-a284-fbe1-2067-ca7f59f54853@gmail.com> <e2f45fba-dd1e-3cb6-b929-ab03e321020a@si6networks.com> <46888959-FE01-49E8-9E54-9A3B1E07B97E@fugue.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <5d757dc5-7db5-d5e9-f8c2-f5c15499a789@si6networks.com>
Date: Sat, 13 Feb 2021 03:54:49 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <46888959-FE01-49E8-9E54-9A3B1E07B97E@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/NuA8SHPlxEkbTK2ZdBNRJIxIpxU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Feb 2021 07:10:42 -0000

Hi, Ted,

On 13/2/21 02:46, Ted Lemon wrote:
> Okay. Consider the clarifications I suggested a while back:

Ok. I will comment on each of them.



> ---
> ULA addresses are, in principle, VALID in any scope.

This begs the question: what's a scope?



> They are not, in principle, UNIQUE to a particular link: it’s entirely 
> possible to have two instances of the same ULA referring to different 
> interfaces connected to different links.

This breaks the definition of scope and global scope from RFC4007.



> In principle, the set of all networks which can route a packet to a 
> particular instance of a ULA /48 MUST be DISJOINT from the set of all 
> networks which can route a packet to some other instance of that ULA /48.

Agreed. But this is at odds with the definition of global scope from 
RFC4007.



> In practice, the randomness of ULAs gives us some reasonable assurance 
> that the principle will hold.

Agreed.



> However, users of ULAs that are routed beyond an individual site had 
> better have some policies and procedures in place to make sure that this 
> is true.
> 
> Internet backbone routers should never accept BGP advertisements for ULA 
> prefixes.

Agreed on both.



> Sites connecting to the Internet should never, by default, route ULAs 
> northbound of their connection to their ISP.

I'd generally agree. But this is somewhat relative and, as Brian noted, 
it boils down to what you define as an administrative domain.

e.g. filtering all ULAs at my CPE router would break part of the 
tracereoute output I normally get, since my ISP employs ULAs in their 
infrastructure.

In any case, even if I wanted to block them, I'd need to treat them 
differently from GUAs.

In cases where you actually DHCPv6-PD ULAs (as I'm told some community 
networks do), it becomes even tricker.

(But yeah, there's probably no debate that, at the very least they 
shouldn't appear in the DMZ. And they also wouldn't survive your ISP if 
you sourced packets from your locally-generated ULAs, since your ISP 
won't have routes for them)

(Probably, all these considerations are exactly the same than for 
RFC1918 space --- which probably tells something).


I guess yet another question would be: If your ISP, for some reason, 
offered you a ULA prefix (along with a GUA prefix), should you also 
propagate it on the LAN-side? (i.e., advertise via SLAAC on the 
LAN-side). I guess you might argue (and I'd agree) that in general, you 
shouldn't. But then again ULAs would be a special case, and trated 
differently from GUAs.



> The last four lines are points of practice, not points of definition of 
> terms.

Agreed.



> But the bottom line is that if the term “global” is confusing as it 
> applies to ULAs, it shouldn’t be that hard to clarify what we mean by 
> global.

This is indeed the point I was trying to make.

I personally think that the definition of "scope" and "global scope" 
from RFC4007 is a good one. And, as per the above, I'm inclined to say 
that the problem is in flagging ULAs as "global scope" (rather than on 
the definition of "global scope" itself).

But, preferences aside, the bottom-line is that as long as it's clear 
what the terminology means, I don't mind a lot what we use.




> Do you think anything I’ve said here is wrong, not in the sense of 
> contradicting RFC 4007, but in the sense that it is incorrect?

The above seems indeed correct.



> I’m not trying to win an argument here—the reason I wrote the above is 
> that I think it’s correct, and I was trying to figure out whether it was 
> in any way consistent with the problem you have.

Indeed, we're on the same page regarding our idea of ULAs -- and 
probably most of us are.

The problems comes from the terminology and definitions that we employ, 
from current RFCs.



> I think Brian has said that the “scoped architecture” is just not how 
> things actually work in real life, with which I agree, so the fact that 
> you can’t explain it to anyone is not a big shock. I think RFC 4007 says 
> some interesting and useful things. It might be worthwhile to write a 
> new document that’s a sort of Talmudic commentary on RFC 4007.

I don't mind that. But that would still leave us with a Proposed 
Standard "IPv6 Scoped Addressing Architecture" (RFC4007) that is at odds 
with other specs (e.g., RFC4291/RFC4193).


> What I do not want to see is some kind of effort to rationalize ULAs 
> into something other than what they are at present, which is quite useful.

I do agree that ULAs are useful, indeed. And the intent is certainly 
*not* to change what ULAs are, but rather to have consistent terminology 
and documents.

Clarifying the terminology would probably also help e.g. direct 
libraries or language macros in how they should consider ULA's attributes.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492