IETF Logo Mail Archive

Re: [IPv6] Variable IIDs

Martin Huněk <martin.hunek@tul.cz> Mon, 06 November 2023 03:07 UTC

Return-Path: <martin.hunek@tul.cz>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B600C1D2D77 for <ipv6@ietfa.amsl.com>; Sun, 5 Nov 2023 19:07:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tul.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uPA-EL6IKJ5F for <ipv6@ietfa.amsl.com>; Sun, 5 Nov 2023 19:07:49 -0800 (PST)
Received: from bubo.tul.cz (bubo.tul.cz [IPv6:2001:718:1c01:16::aa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0629C17DC04 for <ipv6@ietf.org>; Sun, 5 Nov 2023 19:07:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at tul.cz
Received: from asclepius.adm.tul.cz (unknown [147.230.238.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bubo.tul.cz (Postfix) with ESMTPSA id 450BC18050A34 for <ipv6@ietf.org>; Mon, 6 Nov 2023 04:07:42 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 bubo.tul.cz 450BC18050A34
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tul.cz; s=tul2021; t=1699240062; bh=wBtDl7AIXxMie/fX18qaPQSa+nOzHOJnIdJ38v9ryNA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=Wsidsqk1olY/tHvgNgrTUZqOLGT38ExJhVvvRhJXHTfWscnlxygN+YglK2cYRYJ2O 0NkPPecGaBIMKKNUsAu4UApfpew3ZNSo32nhe2FWdUkL3ydEtR3CTc3GRsds5Z7XHd ODEK664LSqQPyUYSc4uDXGRaQRVhBwtTW+WXokRcbLzJjdmJFSvg/b0MzGzNpljKAY +38KmTYHNJbqHlXRlpjHMwUc0zJehCsZgvEhnarVb91PnzqVFsDXN8SmIKlNS95OkB dE2RPbWfG86+dheYSm9GCrW+HA93RycRDWKvZ8aznRWGiqGX+a96QeQYwb7G0t6HpY /UXedF6+6xnzg==
From: Martin Huněk <martin.hunek@tul.cz>
To: ipv6@ietf.org
Date: Mon, 06 Nov 2023 04:07:36 +0100
Message-ID: <2943056.oIIdYi5bCB@asclepius.adm.tul.cz>
Organization: Technická univerzita v Liberci
In-Reply-To: <CAKD1Yr0ZBqdNnysBm3SmKRBjOZPM5totfzww_6mDdC94fDLx4A@mail.gmail.com>
References: <d935987f-7550-855a-c57f-7f8c2fc6e5cf@gmail.com> <CAKD1Yr0ZBqdNnysBm3SmKRBjOZPM5totfzww_6mDdC94fDLx4A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2794749.6007b0iTLj"; micalg="sha384"; protocol="application/pkcs7-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ay2ryRsDFxFah1fX0O0QzeWeCQE>
Subject: Re: [IPv6] Variable IIDs
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 03:07:53 -0000

Hi Lorenzo,

Dne sobota 4. listopadu 2023 13:00:10 CET, Lorenzo Colitti napsal(a):
> Brian,
> 
> If we think /64 is too large, then I think it's OK to change 64 to
> something else. But making the IID length variable is the wrong solution.
> If we do that, we will create a race to the bottom that ends up at /128.
> 
> Here's why. Today SLAAC only works on a /64, and a /64 guarantees that
> there will always be enough address space to number unlimited devices.
> Pretty much every network operator uses that because it's the only thing
> that works on all devices. Some operators insist on assigning only a /128
> to each device using DHCPv6. This is for various reasons, most notably
> consistency with IPv4, the fact that DHCP clients and servers by default
> only assign one address, scalability of network entities such as ND caches,
> desire to charge for more addresses (yes; as the lead of a major OS network
> stack, we get this depressingly often). It's pretty clear from any reading
> of RFC 7934 that that is harmful, but those operators don't know or want to
> do it anyway. Fortunately (well, unfortunately for those operators), this
> doesn't work on a substantial percentage of devices due to lack of support
> for DHCPv6, so it's not really a practical solution on most networks. Those
> operators occasionally complain about OSes that don't support DHCPv6, but
> on the whole we're generally in a situation where devices can get as many
> IP addresses as they need, within reason.

So, do I understand it correctly that you are actually saying It is OK to force your ideas and design choices by a "substantial percentage of devices" onto other people's networks? I would call it taking network administrators hostages. Not OK at all. It negatively impacted our network at the university, and I'm not happy about it.

> 
> However: if we define SLAAC to variable length, as you are proposing here
> then those operators will pick the minimum length accepted by
> implementations. Today that's /64. If implementations change to accept
> fewer addresses (say, /80), then those networks will move to providing the
> new minimum. And so on. This starts a race to the bottom that ends at /128.
> If you don't believe this, consider: many residential ISPs provide a
> reasonably-sized subnet to users, such as a /56. But some provide only a
> /60. Some - like mine! - only provide a /64. In my case I could only get a
> /56 by signing up for the business offering, which costs 3 times as much.
> Now, obviously this example is about prefix sizes, but if we make SLAAC
> variable, you can bet that operators will do this within subnets as well.

Yeah, there might be some operators that would decrease assignment size, sure. But those reasonable would still maintain /56s, at least for legacy hosts' reasons. At the ISP I'm working for, we give /56 for residential and /48 for business clients (or residential after request when there is a technical reason for it). I'm not planning to change that.

> Consider even during the v6ops discussion of
> draft-ietf-v6ops-dhcp-pd-per-device, some participants (Martin, I remember)
> asserted that the subnet must be made small enough to prohibit devices from
> extending the network.

Not really. In my case, it is not desirable to extend our university network by any host without approval. This is due to the network policy based on local law. So, I would gladly provide any device with a prefix that would not allow network extension, but I cannot allow /64 PDs, so the host could become routers easily.

This is a special case of the network whose policy does not allow network extension, and all users had to agree with a policy before joining. Not even an IETF document should force any network to allow such an extension if it is forbidden by network policy, much less any OS vendor engineer.

> 
> Note, I am not saying that most or even many networks will do this. But
> some will. The consequence of that is that OS vendors like ours will act in
> their users' interests, and allow those users to evade those restrictions
> by implementing NAT66. At that point everybody loses. The networks don't
> get paid more. App developers have to implement NAT traversal and
> keepalives. OS vendors have to implement hardware offload APIs for
> keepalives. Users have to deal with lower battery life and brittle apps due
> to NAT timeouts.

We do it because we must. We are required to do so by law. We are required to be able to identify any user connected to our network by IP + port and keep those records for 6 months. So it is either IEEE 802.1x or WPAx-EAP on the border of a network with user identity (and not allowing to extend the network). Or to do DPI to extract the user identity from its traffic. I would not want to do the latter as it is more intrusive.

Stop playing God, the ultimate arbiter of good/bad, and pretend that all you do is in the best interest of your user. We all know that this is hardly the case. Network policy is made by the organization running the network, by the law of the country it is running in, and enforced by the network administrator. There is no place for OS vendors to decide if it is good or bad practice and if it should or should not be done. In the same way, I, as a network administrator, have no place in what law should be obeyed.
> 
> Why do this? If we really think /64 is too wasteful, then we can change it,
> once. But we can't make it variable without creating a race to the bottom.
> The only way to do that is to pick one size.

Personally, I have no preference considering this idea. It was your idea of "draft-ietf-v6ops-dhcp-pd-per-device" that is causing the pressure on addressing architecture to accommodate it. Variable IID length doesn't necessarily mean only SLAAC, as it could also mean local address generation in the host itself (from the PD prefix - for example). Then it would make sense. For an SLAAC, it would take several years until all the legacy hosts and routers would disappear, and we could see the results. It would be far more practical to mandate DHCPv6 IA_NA support for all OS vendors that claim IPv6 support.

Regards,
Martin
> 
> Cheers,
> Lorenzo
> 
> On Sat, Nov 4, 2023 at 2:06 AM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> 
> > If anyone wants to turn this into an I-D, please feel free.
> >
> > title: Variable Length Interface Identifiers
> > abbrev: Variable IIDs
> > docname: draft-tbd-6man-variable-iids-00
> >
> > # Introduction
> >
> > The lowest common denominator method of configuration for IPv6 nodes is
> > SLAAC {{!RFC4862}}, which is carefully designed to allow any prefix length
> > and any interface identifier (IID) length, provided that they do not total
> > more than 128 bits. Until now, specifications of "IPv6 over foo" mappings,
> > starting with {{!RFC2464}}, have specified an IID length of 64 bits,
> > consistent with the value specified by {{!RFC4291}}.
> >
> > This document allows a router to announce an IID length other than 64 on a
> > given link, and updates RFC 4291, RFC 2464 (and numerous other "IPv6 over
> > foo" documents TBD), and RFC 4862 accordingly. It extends {{!RFC4861}} by
> > defining a new "IID length" mechanism in RA messages.
> >
> > Terminology: a "modified" host or router supports this spec. An
> > "unmodified" host or router supports RFC 4861 and 4862 precisely.
> >
> > # Modified procedures
> >
> > The predefined IID length specified by RFC 4291, RFC 2464, etc. is used to
> > configure the link-local IPv6 address of a node exactly as described in RFC
> > 4862.
> >
> > On a link where variable IID length is not supported, the predefined IID
> > length will continue to be used to configure all other addresses using
> > SLAAC.
> >
> > On a link where variable IID length is supported, each modified router
> > will include an "IID length" indication in every RA/PIO message with the A
> > bit set. This will override the value defined in RFC 2464 (etc.) and in RFC
> > 4291, for the prefix concerned.
> >
> > Suggestion: put the IID length in 6 bits of the Reserved2 field of the
> > PIO. 0b000000 would mean 64, i.e. no change and backwards compatible. Any
> > other value would define an IID length in bits. Values less than 48
> > (0b110000) are NOT RECOMMENDED. Values greater than 64 are impossible.
> >
> > (Note: Reserved1 is not available - see {{?RFC8425}}.)
> >
> > When a modified node receives an "IID length" less than 64, it will use
> > that value instead of the default for all unicast address autoconfiguration
> > under that prefix, except link-local.
> >
> > # Deployment issues
> >
> >   - Unmodified hosts and unmodified routers: no change, all use 64-bit
> > IIDs.
> >
> >   - Modified hosts and unmodified routers: no change, all use 64-bit IIDs.
> >
> >   - Modified hosts and modified routers: configure to use longer prefixes
> > and shorter IIDs if desired.
> >
> >   - Modified routers and mixture of modified and unmodified hosts on a
> > link:
> >
> >     - The modified hosts will use a shorter IID and longer prefix if that
> > is announced.
> >
> >     - The unmodified hosts, according to RFC 4861, MUST ignore the
> > Reserved1 field. So, according to section 5.5.3 clause d) of RFC 4862, they
> > will ignore any PIO advertising a shorter IID. Therefore, the operator has
> > two choices:
> >
> >       1. Decide that unmodified hosts will not be supported (i.e. will not
> > be able to configure an address using SLAAC).
> >
> >       2. Announce (at least) two prefixes on the link - a /64 and a longer
> > one, with a shorter IID. For that to make sense, we need an extra rule for
> > modified hosts: if a host receives several PIOs from the same router, it
> > prefers all those with the shortest IID and ignores the others.
> >
> >   - Mixture of modified and unmodified routers on a link: don't do that!
> >
> > # IANA Considerations
> >
> > Maybe a registry for the Reserved2 field, like RFC 8425?
> >
> > # Security Considerations
> >
> > Nothing new?
> >
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> >
>

v2.23.0 | Report a Bug | By Email