Return-Path: X-Original-To: ipv6@mail2.ietf.org Delivered-To: ipv6@mail2.ietf.org Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 119673E63CB1; Fri, 4 Jul 2025 09:27:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at ietf.org X-Spam-Flag: NO X-Spam-Score: -2.567 X-Spam-Level: X-Spam-Status: No, score=-2.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.232, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="YD7qW+hO"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="VxtH4237" Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJDHfv3zXlap; Fri, 4 Jul 2025 09:27:03 -0700 (PDT) Received: from fhigh-a2-smtp.messagingengine.com (fhigh-a2-smtp.messagingengine.com [103.168.172.153]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4E22D3E63CAA; Fri, 4 Jul 2025 09:27:03 -0700 (PDT) Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailfhigh.phl.internal (Postfix) with ESMTP id 349F71400234; Fri, 4 Jul 2025 12:27:03 -0400 (EDT) Received: from phl-imap-07 ([10.202.2.97]) by phl-compute-12.internal (MEProxy); Fri, 04 Jul 2025 12:27:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1751646423; x=1751732823; bh=dRGIeclM+/ +Y8/i4TMxAhpwEXGKO5nxW2Hk1ifpgp0w=; b=YD7qW+hOxjIeJDPH0Lr5tOkUwT WrwrGB2UYJ/KbDnSTgfqp7jiiB6Y5O1JOFdW9Q+Kh0yzSWIKk3wS6DNjxeydIntQ Rat3MZaifza+/UuFs0BP2tV2DqRHcX1Vec+3Ck+Yz0Bps1oEpifDGbUyggKh7p8d 4U0SpyC0SNltv6qowqeDGw6kMpj1CnhjEG758JYIIwhNMK3nVQWCxa3QNihkAx2d zHDgcnG37NzDXgby/UZiKty4+7LeZiP+3pa2+1yOzzYPU4LE3jSBVLb0scIQZzfB ojp3+ryOfyQtRGe/fC1Ie6CTEVS2ZRKPYdjpsCEOyiNMZ7NUn1pNcNC3TUjQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1751646423; x=1751732823; bh=dRGIeclM+/+Y8/i4TMxAhpwEXGKO5nxW2Hk 1ifpgp0w=; b=VxtH4237T4kl5rSGLZ9WYDCMJrAxHdyLTxYhAdOY0PZbF02Zlqv vIxyykimlb8omf5hO2nS2OP3RPaGSDN7canw+5Z5pQPuEtajVx+4tgjJTsFfOFmv iHVRIOafRjVdEvcsw1WmhSrY3fZPyctrRDDVfffuvvyEb0XIseGAQMVUk8Bpsrqk gn3FZmpnDxwBI/wGezZ4rxJqILn4YGr3Ki3nmveJd6L+HdifVLFH027v086svBa9 ga9HZcSBJTO9nZnPP6cBU+TWN2NX4+l/0w/7BSmXvM7TGsD/Dx1mFkWBjTGV6gac iAFxw7WtqzgZZu5mOL9rn+BWy5TpOCgbakg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgddvfeeifecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjug hrpefoggffhffvvefkjghfufgtsegrtderreertdejnecuhfhrohhmpedfvfgvugcunfgv mhhonhdfuceomhgvlhhlohhnsehfuhhguhgvrdgtohhmqeenucggtffrrghtthgvrhhnpe elleehfeeffffgleffveeigefffeekhfdvleethfejffdvheejieehgffgfefhteenucff ohhmrghinhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrg hrrghmpehmrghilhhfrhhomhepmhgvlhhlohhnsehfuhhguhgvrdgtohhmpdhnsggprhgt phhtthhopeekpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopegsuhhrrghglhhioh esfhhorhifrghrughinhhgphhlrghnvgdrnhgvthdprhgtphhtthhopegsohgsrdhhihhn uggvnhesghhmrghilhdrtghomhdprhgtphhtthhopeeimhgrnhdqrggushesihgvthhfrd horhhgpdhrtghpthhtohepiehmrghnqdgthhgrihhrshesihgvthhfrdhorhhgpdhrtghp thhtohepughrrghfthdqihgvthhfqdeimhgrnhdqrhhftgeijedvgedquhhpuggrthgvrd gruhhthhhorhhssehivghtfhdrohhrghdprhgtphhtthhopehiphhvieesihgvthhfrdho rhhgpdhrtghpthhtohepshhnrggtsehivghtfhdrohhrghdprhgtphhtthhopehmtghrod hivghtfhesshgrnhguvghlmhgrnhdrtggr X-ME-Proxy: Feedback-ID: i1136489e:Fastmail Received: by mailuser.phl.internal (Postfix, from userid 501) id DCD7D1EA0066; Fri, 4 Jul 2025 12:27:02 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface MIME-Version: 1.0 X-ThreadId: Tc12f094cd6a71053 Date: Fri, 04 Jul 2025 18:26:42 +0200 From: "Ted Lemon" To: "Nick Buraglio" Message-Id: In-Reply-To: References: <175071730132.502784.5026151083314117768@dt-datatracker-6754d69b7c-p2xd7> <4AE1AC9E-5603-4EB2-AE40-F946AB60B1E9@gmail.com> <16856.1751464682@obiwan.sandelman.ca> <1D359801-41B8-410F-9AFE-9FFA92A69941@fugue.com> <32467.1751482387@obiwan.sandelman.ca> <62c4ec95-c647-474f-b2a6-1fcc6ab67193@app.fastmail.com> Content-Type: multipart/alternative; boundary=b356eb03ef5348dc932364c4849f86a2 Message-ID-Hash: QW3WPIMKVVXF7HLJFGRYROT3ETEWTEFE X-Message-ID-Hash: QW3WPIMKVVXF7HLJFGRYROT3ETEWTEFE X-MailFrom: mellon@fugue.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Richardson , snac@ietf.org, Bob Hinden , draft-ietf-6man-rfc6724-update.authors@ietf.org, 6man Chairs <6man-chairs@ietf.org>, "6man-ads@tools.ietf.org" <6man-ads@ietf.org>, IETF IPv6 Mailing List X-Mailman-Version: 3.3.9rc6 Precedence: list Subject: =?utf-8?q?=5BIPv6=5DRe=3A_=5BSnac=5D_Re=3A_I-D_Action=3A_draft-ietf-6man-rfc?= =?utf-8?q?6724-update-21=2Etxt?= List-Id: "IPv6 Maintenance Working Group (6man)" Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --b356eb03ef5348dc932364c4849f86a2 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable LGTM. Thanks, Nick! On Fri, Jul 4, 2025, at 6:06 PM, Nick Buraglio wrote: > Before I submit a new draft, can folks take a look at the diff to conf= irm that these are what we want? The changes are in section 3.3 and addr= ess: >=20 > Erroneous re-import of rule 6 (now removed)=20 > SNAC generated GUA changed to ULA in rule 5 per Ted.=20 >=20 > https://github.com/buraglio/draft-buraglio-6man-rfc6724-update/pull/52= /files >=20 > On Wed, Jul 2, 2025 at 2:41=E2=80=AFPM Ted Lemon wr= ote: >> __ >> A network can have more than one non-SNAC subnet. On such a network, = if a device on an infrastructure link adjacent to the SNAC link treats t= he SNAC-advertised ULA prefix as known-local, it might attempt to use it= as a source address when communicating with a device on a non-SNAC-adja= cent link. This would fail because the SNAC ULA prefix can=E2=80=99t be = routed. Hence the prohibition on using SNAC router RAs when identifying = ULAs as known local.=20 >>=20 >> Regarding ULAs and PD on the local link, it is expected that CE route= rs will generate a ULA prefix, and that they will delegate /64s from it.= These /can/ and /should/ be treated as known-local. But since /64s fro= m this prefix will be advertised on non-SNAC links in the home network, = the ULA /64 prefix allocated to the SNAC router should also be treated a= s known-local, even if the SNAC router=E2=80=99s RA is ignored for the p= urposes of deciding which ULA prefixes are known-local. >>=20 >> On Wed, Jul 2, 2025, at 8:53 PM, Michael Richardson wrote: >>>=20 >>> Ted Lemon wrote: >>> > The fix is to just change SNAC-generated GUAs to SNAC-generate= d ULAs. >>>=20 >>> Glad to know I didn't get something wrong here. >>> I was like... wait... did I mis-understand SNAC in some fundamental = way? >>> Yes, change it to "SNAC-generated ULAs" >>>=20 >>> But, I'm still surprised any text needs to mention SNAC and the S-bi= t. >>>=20 >>> > That said, it's also true that if a SNAC router gets a ULA fro= m a DHCP >>> > prefix delegation, that _is_ provided by infrastructure, and _= could_ be >>> > treated as known-local. Hopefully infrastructure is advertisin= g a >>> > prefix in infrastructure-provided RAs that covers the delegate= d /64. I >>> > don't think we can really solve this problem in some other way= , but in >>> > practice I think it's unlikely to be a problem. >>>=20 >>> A home router could generate a RIO for the entire (GUA) prefix deleg= ated by >>> the ISP. I've never seen that done. More and more pubs in Ottawa = seem to >>> have v6 with PD. They likely don't have a stub network (yet). >>>=20 >>> I think that source address selection works fine when going to a GUA= prefix >>> not on the infrastructure link. The rules pick the GUA, and assumi= ng the >>> home router is doing the right hair-pin routing to get packets there= , there >>> should be no issue. >>>=20 >>> Now, you actually wrote, above, that the SNAC router gets a **ULA** = from DHCPv6. >>> This would be in the ULA that the home router has randomly allocated= to be >>> local. (as per 7804, etc.) >>>=20 >>> But, then you wrote "delegated /64", and I was confused, because the= ISP >>> didn't delegate a ULA, but you mean the /64 that the home router del= egated to >>> the SNAC Stub Router. >>>=20 >>> My understanding is that the overall effect of all this work is that= we'll >>> mark the entire /48 as local and higher priority than NAT44, so ever= ything >>> should just work even if there were v4-addresses for the STUB networ= k, which >>> there ought not to be. Again, I'm not sure why we had to exclude S-= bit RAs. >>> If a host (ignorant of these changes) picks its GUA to talk to the S= NAC >>> delegated ULA, then that also ought to work. >>>=20 >>> -- >>> Michael Richardson > . o O ( IPv6 I=C3=B8T consulting ) >>> Sandelman Software Works Inc, Ottawa and Worldwide >>>=20 >>>=20 >>> *Attachments:* >>> =E2=80=A2 signature.asc >>=20 --b356eb03ef5348dc932364c4849f86a2 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
LGTM. Thanks= , Nick!

On Fri, Jul 4, 2025, at 6:06 PM, Nick B= uraglio wrote:
Before I submit a new draft, can folks take a look= at the diff to confirm that these are what we want? The changes are in = section 3.3 and address:

Erroneous re-impo= rt of rule 6 (now removed) 
SNAC generated GUA chang= ed to ULA in rule 5 per Ted. 


On= Wed, Jul 2, 2025 at 2:41=E2=80=AFPM Ted Lemon <mellon@fugue.com> wrote:

A network can have more than one non-SNAC subnet. On such a = network, if a device on an infrastructure link adjacent to the SNAC link= treats the SNAC-advertised ULA prefix as known-local, it might attempt = to use it as a source address when communicating with a device on a non-= SNAC-adjacent link. This would fail because the SNAC ULA prefix can=E2=80= =99t be routed. Hence the prohibition on using SNAC router RAs when iden= tifying ULAs as known local. 

Regarding UL= As and PD on the local link, it is expected that CE routers will generat= e a ULA prefix, and that they will delegate /64s from it. These /can/ an= d /should/ be treated as known-local. But since  /64s from this pre= fix will be advertised on non-SNAC links in the home network, the ULA /6= 4 prefix allocated to the SNAC router should also be treated as known-lo= cal, even if the SNAC router=E2=80=99s RA is ignored for the purposes of= deciding which ULA prefixes are known-local.

O= n Wed, Jul 2, 2025, at 8:53 PM, Michael Richardson wrote:

= Ted Lemon <mell= on@fugue.com> wrote:
    > The fix is= to just change SNAC-generated GUAs to SNAC-generated ULAs.
Glad to know I didn't get something wrong here.
I= was like... wait... did I mis-understand SNAC in some fundamental way?<= /div>
Yes, change it to "SNAC-generated ULAs"

But, I'm still surprised any text needs to mention SNAC and the S-bit= .

    > That said, it's also = true that if a SNAC router gets a ULA from a DHCP
  =   > prefix delegation, that _is_ provided by infrastructure, and= _could_ be
    > treated as known-local. Ho= pefully infrastructure is advertising a
    >= ; prefix in infrastructure-provided RAs that covers the delegated /64. I=
    > don't think we can really solve this = problem in some other way, but in
    > prac= tice I think it's unlikely to be a problem.

A h= ome router could generate a RIO for the entire (GUA) prefix delegated by=
the ISP.   I've never seen that done.  More an= d more pubs in Ottawa seem to
have v6 with PD.  They like= ly don't have a stub network (yet).

I think tha= t source address selection works fine when going to a GUA prefix
not on the infrastructure link.   The rules pick the GUA, a= nd assuming the
home router is doing the right hair-pin routin= g to get packets there, there
should be no issue.
Now, you actually wrote, above, that the SNAC router gets a= **ULA** from DHCPv6.
This would be in the ULA that the home r= outer has randomly allocated to be
local. (as per 7804, etc.)<= /div>

But, then you wrote "delegated /64", and I was = confused, because the ISP
didn't delegate a ULA, but you mean = the /64 that the home router delegated to
the SNAC Stub Router= .

My understanding is that the overall effect o= f all this work is that we'll
mark the entire /48 as local and= higher priority than NAT44, so everything
should just work ev= en if there were v4-addresses for the STUB network, which
ther= e ought not to be.  Again, I'm not sure why we had to exclude S-bit= RAs.
If a host (ignorant of these changes) picks its GUA to t= alk to the SNAC


= --b356eb03ef5348dc932364c4849f86a2--