IETF Logo Mail Archive

Re: Re: “DHCPv6, SLAAC, Static Day X - 17 year interoperability issue” 2nd issue

Gyan Mishra <hayabusagsm@gmail.com> Tue, 10 November 2020 19:46 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2943A0D96; Tue, 10 Nov 2020 11:46:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iIgxocBTnOKb; Tue, 10 Nov 2020 11:46:21 -0800 (PST)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C37463A0D22; Tue, 10 Nov 2020 11:46:21 -0800 (PST)
Received: by mail-ua1-x930.google.com with SMTP id g3so2669786uae.7; Tue, 10 Nov 2020 11:46:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QXEYGjyH9ON7o6cMdLHbWQQY96P/8R5NPP/9h+8zLPg=; b=WyAkPoQgMdo3aZkSFb9ArOHCq47CyJKMrDs6Nnkfhx7TgK0tHHnl4NaN2PwHLhM9C3 USrv3Mi+nvPPPFDEtYhvOgtoQRwGs3OxX3C3r1aBsTf80yeK88jkmJGE6H6D8g5E+cra GLc6u08lOdFdQr513UvSQ3/LYURojBQ3jiQ0FJohU3RgRkQRo5qD8Z4alWL9Xbh1OT4w tqhunBxWdOdAhSDoXRkJZ1ydp5xuGsQezBBtRkg7a7gOKHIpTHAVsUhAi+2xqLaPCIQM qdaV+l4R3GDXM5FADM5lmnt2me4kwC5JtzQreGAylmGSTjid1Z7xvA+fClJbQTnBTBfd W3nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QXEYGjyH9ON7o6cMdLHbWQQY96P/8R5NPP/9h+8zLPg=; b=WapNx8xdjOPMLSILMkBPx/PvYZT6hATkzDbDI03ofpckFbkfOlVQG85QQfyXFhCL5p TLLT1QzudO2qr43fm7TA0Jp6s8KqT/NHs9vIztS/Of/vO3CctjssmjrjNjfw1K30RP4f i6FEcxgA2whipCiWiMKfuSGsloQ21X0oj8IDWVAgeB2yrCrBtu9GNRDJj0zvKr8oDzjl O2RhBPdwSmT59XVDjgFwY7Qm8IpQj5+efW2JI6H2TLeOntRcyONFlUYKWzI+EE+FxjsQ eYicYOKHhlQDr5jYmNPN8/IplgbY8Mq09/3CVybiUoSKfsU9teDX/jN4ABDregc0yHeR n1xw==
X-Gm-Message-State: AOAM532pvsKtUmkDLOzeJGKBfiJcuEubg6O/3NdNaNQml52SjrtAj28F 27awXVY3CVYC+XAQNOy51eWGTL9WwU31l1EWR5iSkdHdjvv+kg==
X-Google-Smtp-Source: ABdhPJz8Bq4yj0ISJaHM3E/Jzr62IIJwp4MIhQ3roq9Eg58Zjzabt74UvhjQb/s0LK8CgXXN2dHLWmSkJQDiAf3ROLk=
X-Received: by 2002:ab0:2986:: with SMTP id u6mr11333846uap.118.1605037580610; Tue, 10 Nov 2020 11:46:20 -0800 (PST)
MIME-Version: 1.0
References: <3A94E3B6-EA5A-453A-8CB1-C11BBDF88B53@gmail.com> <0b83b083-7179-0277-d32e-ac48d9d6fe24@joelhalpern.com> <CABNhwV3HxouhWtWWihLBo7JOjKhOos-AZotGNtkUA5e5jgihiQ@mail.gmail.com> <6285.1604976903@localhost>
In-Reply-To: <6285.1604976903@localhost>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Tue, 10 Nov 2020 14:46:09 -0500
Message-ID: <CABNhwV12gcxU1jPYzNbDpf5rqs-vwR9YcOgpk9yMhOU+69X8Xw@mail.gmail.com>
Subject: Re: Re: “DHCPv6, SLAAC, Static Day X - 17 year interoperability issue” 2nd issue
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: 6man WG <ipv6@ietf.org>, "Joel M. Halpern" <jmh@joelhalpern.com>, draft-mishra-6man-variable-slaac@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d7efdf05b3c5ee97"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/OZ9ofMMrEhzUOepPJSq5WZd3lsc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2020 19:46:24 -0000

In-line

On Mon, Nov 9, 2020 at 9:55 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Gyan Mishra <hayabusagsm@gmail.com> wrote:
>     > This issue exists with any deployments where the operator would like
> to
>     > deploy >64 prefix length host subnets at data center or access layer
> and
>     > this could be an enterprise or service provider use case where the
> router
>     > infrastructure is statically configured so no PD here.
>
> I would claim that the next useful prefix length after 64, is 128.
>
> In DC situations, there are really no LANs (i.e. no big yellow cables with
> vampire taps), just p2p TX or FX ethernet all over the place.
>
> It would be great to understand your DC use case better.


   Gyan> For operators worldwide from my experience the last 20+ years
working with IPv6 of what has been deployed and proliferated around the
globe as far as prefix lengths is as follows:

Defacto standard for operators both enterprises and service providers.

/128 for loopbacks
/127 per RFC 6164 for P2P
/126 for P2P prior to 6164

Infrastructure subnet sizing based on number of hosts on the subnet.

/64 - /125

-Firewall VLAN - This could be a shared firewall trusted or untrusted VLAN.
- Router to Router shared backbone
- Load Balancer VIP vlan
- Content engines
-VPNs clusters
- Proxies

The main best practice guidelines used by operators is to make the subnet
sizing manageable with hard limit on the number of allowed hosts on the
subnet, thereby creating a hard ND cache size limit, and not rely on
software soft knobs to manage the ND cache.  Also operators requirement as
part of ND cache management is to be able to easily scan critical
infrastructure subnets.

So this concept of hard limiting can be applied to Data Center subnets
creating ND cache hard limits on the subnet sizing using >64 prefix lengths.
>From a security and management perspective for operators having the
critical infrastructure secure and easily scannable as well as the hard ND
cache limit for operators provides the much needed and necessary data
center stability.  So this is all accomplished today by static
configuration on the servers as static allows any prefix length.

For access infrastructure same concept applies for hard limit on ND cache
management, and subnet scanning capabilities for stability by deployment of
>64 prefix length DHCPv6 scopes RFC 8415 which supports any prefix length.

So now the proliferation of >64 prefix lengths is out there deployed by
Verizon as well as other operators I have worked with worldwide.

My guess is when the original IPV6 addressing specification was written if
the founders did not want anyone to use >64 prefix lengths they should have
extended the 64 bit IID boundary restriction to static and DHCPv6 stateful.

The net-net end result of this predicament for operators worldwide that
would like to use >64 prefix, as long as the subnet is deployed to network
infrastructure and they can guarantee in their deployments that there will
never be slaac hosts that has the 64 bit IID boundary then the impact is
reduced to only those scenario where slaac devices are in the mix.

So network infrastructure can and does use without impact to routing as any
prefix length 1 to 128 is routable, so from an impact perspective,
infrastructure is fine and can continue to go crazy with vlsm as it has
been doing for 20+ years and design the IPv6 addressing schema with >64
prefix length however they desire.   No issues.

For Data Centers as long as static is the guaranteed only means of
addressing on data center subnets no impact to operators here as well using
>64 prefix lengths.

Data Centers may also have dedicated mix subnets that have servers with
slaac, as well as dhcpv6 stateful and static, but in these cases now have
to keep the subnet mask at 64.   So in this particular case for operators
hard ND cache rule and security scanning requirement is where if slaac
supported >64 prefix lengths comes into play, and  that would allow mix of
the 3 addressing types on the same subnet if RFC 4291 was updated
eliminating the 64 bit IID boundary.

Same goes for access layer where you have a mix of the three addressing
types static DHCPv6 and slaac and have to use /64 due to slaac fixed 64 bit
IID restriction.  So here also is the gap of not being able to support >64
prefix lengths.

I know there are surveys of the IPv6 deployments related to vlsm usage,
however as surveys go,  they are a random sampling and an extrapolation so
you have to take it with a grain of salt is my take.

I think talking to operators like myself and others on list is really the
best way to get a true feeling  and idea of what had been deployed and a
more realistic picture.


Gyan



>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
> --

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *



*M 301 502-134713101 Columbia Pike *Silver Spring, MD

v2.23.0 | Report a Bug | By Email