IETF Logo Mail Archive

Re: Adoption call for <draft-pref64folks-6man-ra-pref64-02>

Jen Linkova <furry13@gmail.com> Fri, 07 December 2018 08:56 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AECD124BF6; Fri, 7 Dec 2018 00:56:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbMa5-rAl53X; Fri, 7 Dec 2018 00:56:36 -0800 (PST)
Received: from mail-qt1-x843.google.com (mail-qt1-x843.google.com [IPv6:2607:f8b0:4864:20::843]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F2DF12896A; Fri, 7 Dec 2018 00:56:34 -0800 (PST)
Received: by mail-qt1-x843.google.com with SMTP id r14so3692233qtp.1; Fri, 07 Dec 2018 00:56:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=+ytl/xTs7mB7GrgAuy6REq6Rg4myF/q/8NtpYw6Ei7A=; b=kA+Q1u32d1VyQmSjx1lK7BBFFxALPxcLqr+wvEWJBiYaVnpX5ByNjn8t/DkOo6am9V lQFf8EDm7DRQDz3TYdPs0XamA0ZrBZ8COQaoDwSed1vvJkbllxBuCEKAAPQCm+UVnadd 3Vh/5u3bZ10xXhcRyzUkKX3UqF2O4wON2MLbu+zRF8PvWmlov25YxU6fgDVGbzdgD6Ar 7GmN4uZxF8z9c0+C8C8GzFPQILv58MIouZOxmcaMKAj6xYgjGaCEHkGDgzQNM5NbYHgr 5a3/yH91FIN2B4WaO9RCwBaUyhqbLWyZNz/UDRv93ocFkGHuZJLo6xOIC9ipllSDLIX7 jd4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=+ytl/xTs7mB7GrgAuy6REq6Rg4myF/q/8NtpYw6Ei7A=; b=qB7Pj1pAE7MOO5u4p9gk2H3KUg1HGvcuZviMPwg/sOwVsYoyTq8CtfeOtHBFsdV0ob yu4MyRBB/P0vTBAmfTRPiLvLcK3NXw7hL0sbrApQviTcVnHIn6J1yDibIiHzU/wRA0ip 9xEHRJp8Q/qIV8GXQr2ueO2+JNAs+nNq0/TvqKYio/PK4cgyl6pHFcj/Sm+I5umctONF KZqxSWcO4XlMdah8jdgWQ5ECrh2hl3mkOVl2GXHQniHXPmC+RYbfjZSRgqwP2KqndiMY Mvp/O3dw1jMcVKPMXQzB5mN7WYKblYo/YDaZIu/t2pqC1UZlzrTCCGSusSmLMZwk3Da5 iTfA==
X-Gm-Message-State: AA+aEWaNMnKnmQdak5H/B9Upj9g3VVtx1WQ8NGHqLi1dEbmp6FbQnuQ9 EoRMOFAOi9Kq37YZXIGm815GuqRFrG2gGvnMdSg=
X-Google-Smtp-Source: AFSGD/XEH5UirgRJfEYM+tZ10LH1oI41evxdBRSDJUJMhldkM6UK7MmVwww8sDdiqtyNlaJ4od70M/vxZkS8KmPVW/E=
X-Received: by 2002:a0c:e5c1:: with SMTP id u1mr1154236qvm.113.1544172993022; Fri, 07 Dec 2018 00:56:33 -0800 (PST)
MIME-Version: 1.0
References: <BD1717B3-C013-4718-9140-283F312C1634@employees.org> <CAJE_bqd3eXQa4xK5t8fbNE+frHrUrAebrKK2=4-jeV1EiJGkWA@mail.gmail.com> <EEFE399E-A197-47FC-82DC-551819EBCE82@gmail.com> <787AE7BB302AE849A7480A190F8B93302E054BB2@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAFU7BARuKv-hAmpCeiusxqYsVYB1dr3POq8bB5D=g9_ksZ0WhA@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93302E054CE8@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302E054CE8@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
From: Jen Linkova <furry13@gmail.com>
Date: Fri, 07 Dec 2018 19:56:20 +1100
Message-ID: <CAFU7BAQr-oxrvZ+RKx3SGs1gCRZsrjePx1mpucbBS++UJjNcCg@mail.gmail.com>
Subject: Re: Adoption call for <draft-pref64folks-6man-ra-pref64-02>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Cc: Fred Baker <fredbaker.ietf@gmail.com>, 神明達哉 <jinmei@wide.ad.jp>, 6man <ipv6@ietf.org>, 6man-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/QwTVV3P-v3YBL4Pq3HcOBQzUQus>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 08:56:38 -0000

On Fri, Dec 7, 2018 at 6:41 PM <mohamed.boucadair@orange.com> wrote:
> > > The two other mechanisms in draft-ietf-v6ops-transition-ipv4aas-11#section-
> > 3.2.1 solve that issue anyway.
> >
> > Two other mechanisms have the following disadvantages:
> > - require deploying additional services just for providing devices
> > with information about NAT64 prefix (== operational costs);
>
> [Med] Not sure to understand this one. No one said that you need to deploy dhcp just because you need to learn pref64!!

Then it's my turn to be confused.
Let's make sure we are on the same page:
- I'm using SLAAC to configure devices;
- I want to use the same mechanism to provide devices with NAT64 prefixs;
- you are saying "there are two other mechanisms: DHCP option and PCP,
which solves your problem"

doesn't it mean that I need to deploy either DHCPv6 or PCP to solve my problem?

> > - signalling any changes are problematic;
>
> [Med] No sure to understand this one, too. The problem is more on the RA side rather than a centralized approach. RFC7051 says explicitly the following:
>
>    Compared to the DHCPv6 equivalent solution in Section 5.6, the
>    management overhead is greater with the RA-based solution.  With the
>    DHCPv6-based solution, the management can be centralized to a few
>    DHCPv6 servers compared to the RA-based solution where each access
>    router is supposed to be configured with the same information.

1) not necessary the *same*
2) if SLAAC is used, each access router is supposed to be configured
with the same information anyway (preferred lifetime, DNS, MTU etc).
Obviously if the choice towards SLAAC was made, this is not a problem
for the specific network (hint: automation)

> RA is more concerned with stale Pref64s vs. others.

How?

> > - some devices basically do not support those mechanisms;
>
> [Med] This would apply to any piece of configuration, not only the one discussed in this draft.

Any IPv6-enabled device supports SLAAC. This is a mechanism I'm using
to configure devices. I just need one more config option to be
propagated.

>If I want to provision a SIP proxy, a DOTS server, or DS-Lite AFTR using RA, would 6man let me do that?

This would be a question to the group. I probably would not object if
you have a use case to solve...

>> Also, the network is the authoritative source of information re: the
> > presence of NAT64 translators and the prefixes used. As NAT64 prefix
> > is the essential part of the network configuration information (it's
> > required to provide access to IPv4-only resources), RA seems to be
> > perfectly suitable to contain that information.
>
> [Med] RFC7051 already covered this:
>
>    -  The RA-based solution involves changes and management on network-
>       side nodes that are not really part of the NAT64/DNS64 deployment

My network-side nodes which need to be changed for enabling pref64 RA
option are *really* part of the NAT64 deployment. They are either
doing NAT64 themselves
or they have to have a route in their routing table pointing to the NAT64 boxes.

>       or aware of issues caused by NAT64/DNS64.

I read this as  "DHCPv6 servers and PCP boxes are fully aware of
issues caused by NAT64/DNS64"?

> > RFC7050 is a hack which has a fundamental problem: "to be able to use
> > DNSSEC, let's trust unverifiable DNS response". It's the best thing we
> > have currently but we can do better.
>
> [Med] Existing mechanisms already solve this.

I've explained above why it might not be desirable to deploy PCP just
for making devices aware of NAT64 prefix..

>
> s/xxx/RA in the text below would also be fine, but this is just yet another way of doing it.
>
> ==
>
>    The stub resolver on the host will try to obtain (native) AAAA
>    records, and if they are not found, the DNS64 function on the host
>    will query for A records and then synthesize AAAA records.  Using the
>    PREFIX64 xxx, the host's stub-resolver can learn the prefix
>    used for IPv6/IPv4 translation and synthesize AAAA records
>    accordingly.
>
>    Because synthetic AAAA records cannot be successfully validated in a
>    host, learning the Pref64::/n used to construct IPv4-converted IPv6
>    addresses allows the use of DNSSEC.  As discussed in Section 5.5 of
>    [RFC6147], a security-aware and validating host has to perform the
>    DNS64 function locally.
> ==
>
> >
> > > > -----Message d'origine-----
> > > > De : ipv6 [mailto:ipv6-bounces@ietf.org] De la part de Fred Baker
> > > > Envoyé : jeudi 6 décembre 2018 21:45
> > > > À : 神明達哉
> > > > Cc : IPv6 IPv6 List; 6man Chairs
> > > > Objet : Re: Adoption call for <draft-pref64folks-6man-ra-pref64-02>
> > > >
> > > >
> > > >
> > > > > On Dec 6, 2018, at 2:46 PM, 神明達哉 <jinmei@wide.ad.jp> wrote:
> > > > >
> > > > > As for the adoption call, I don't have a strong opinion but do share
> > > > > the concern of some others about introducing duplicate functionality.
> > > > > Since each mechanism is different, it's easy to come up with a reason
> > > > > of "why this" by pointing to a gap.  But IMO it should also justify
> > > > > the duplication (despite Section 3.2 of RFC1958) by explaining the
> > > > > benefits of filling the gap outweigh the disadvantages of having
> > > > > duplicates.  According to the current text of the draft and
> > > > > discussions on this list, I don't think we complete this homework.
> > > >
> > > > From my perspective, the value in the "why this" domain is that it sorts
> > out
> > > > some security issues. For example, with RFC 7050's approach, imagine that
> > > > you're using resolver X and your ISP is advertising ipv4only.arpa using
> > > > resolver Y under the assumption that you are or should be using resolver
> > Y.
> > > > Imagine that the advertised prefixes differ. The feature just broke for
> > you.
> > > >
> > > > Putting the prefix in the RA on a given LAN reliably identifies the
> > prefix
> > > > that folks on that LAN should use.
> > > >
> > > > I'd be very happy if the other mechanisms were deprecated, and software
> > and
> > > > configurations using them put on notice that they need to change
> > accordingly.
> > > --------------------------------------------------------------------
> > > IETF IPv6 working group mailing list
> > > ipv6@ietf.org
> > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > --------------------------------------------------------------------
> >
> >
> >
> > --
> > SY, Jen Linkova aka Furry



-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email