IETF Logo Mail Archive

Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 07 May 2019 23:18 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F221A1200C4 for <ipv6@ietfa.amsl.com>; Tue, 7 May 2019 16:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6JuxqNx2jmto for <ipv6@ietfa.amsl.com>; Tue, 7 May 2019 16:18:55 -0700 (PDT)
Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48AC2120098 for <ipv6@ietf.org>; Tue, 7 May 2019 16:18:55 -0700 (PDT)
Received: by mail-pg1-x533.google.com with SMTP id w22so7753446pgi.6 for <ipv6@ietf.org>; Tue, 07 May 2019 16:18:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=U+REQTx5MMagqfaKOCl5x0ZXlOXGojX4AuZcHwtf4wY=; b=Y+1pqK10fr4g0F5XT0k1B1UQspcqOrcnUP+lxmzXFkqkQeO1GcoxFRVOG0UTCRBBd7 9RDzxUH/PG/pXr34zkmHAFRnm6y/fnnbZ3PZ4C527e6bqc4pOBWJjrV/9jlwJFaM6anW uBqcMvRKi81JnSNvPBH0NxrOpN9BJzChfTZhCPHvnoPNt2RZOJnKcYcl8uddL+vh1kfu 7X2NNp60sjUJ9mFWcZ2t97UQYAfh8ColJtecHkdSO9I/Hbs6UsNMXwqL8Gohm1W6JUF5 MK4YRpCBEGP8uUExKP5UWuKwugeDBuWgU25himI0izWjw+4rIEwN/VVW2LzD/mtBV/Ae keYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=U+REQTx5MMagqfaKOCl5x0ZXlOXGojX4AuZcHwtf4wY=; b=Z0OhXSOcfZKy+L4QfFhUjKG4x44PXrImwZIX9x8tXtIt8d//vfbPlufQ3wPqglUQ0Y 0/IBPaZSwKTjRJ1t5lTPqnpUqPpV41jQj4yUPKwICYDZY7z2HrZSQFC/HIC1QoAGvZhj eKAixMpPjP8dn1fsOoFlmopaiCtCJlcLd5arnJmFLOChnX6bEKHfxaZ26ZpjxohzW8Ma aLD3babgJ5c9j3EZPoD5UL1rKN5Cg94cK4mmovxN2voj+MWRiJU0b8Bluqb8PTIbArUl izdF4efpxb5MFVhtfB29UaZUFzFcf+xkHAmt+s3fb2/tyYu38s6XUX+mORKEr+3apl6u beBQ==
X-Gm-Message-State: APjAAAUSIM5hQsm8wOzNGPtgLWVNFHVcvyXVxQIaIT3bk0fRPKpqSmpP bwdStrRdd3IBpp6jBxMAlQHazkqS
X-Google-Smtp-Source: APXvYqyg3zxx+sB4DVKPnlu60uYe40NGek2UO7aswx4fVRE6PqAzjQYhOxWA/tY7SKqf0eiRYMAlvg==
X-Received: by 2002:a62:6842:: with SMTP id d63mr45506576pfc.9.1557271134383; Tue, 07 May 2019 16:18:54 -0700 (PDT)
Received: from [130.216.36.6] (sc-cs-567-laptop.uoa.auckland.ac.nz. [130.216.36.6]) by smtp.gmail.com with ESMTPSA id r8sm18740811pfn.11.2019.05.07.16.18.52 for <ipv6@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 May 2019 16:18:53 -0700 (PDT)
Subject: Re: Confirmation to advance: draft-ietf-6man-ipv6only-flag-05
To: ipv6@ietf.org
References: <F8BFFCAD-E58E-4736-8A1C-56579B6F6032@employees.org> <a2465e81-a17f-ab48-efda-20fe12a70077@foobar.org> <30239E0C-C444-4A7E-8342-AEE47BF8A2BB@employees.org> <20190505200449.GB7546@vurt.meerval.net> <80073906-c3c0-1f22-9e7f-c2b349063936@gmail.com> <CAO42Z2xzVW3m0mN7jEn8SYyYCYhrufVnkfp3rBjJcijBkvucNQ@mail.gmail.com> <CACWOCC-35yVYXSRR0sRL-MBMHyOFZtJx9E9h14G8qqVh5T7qGA@mail.gmail.com> <232c1a43-0fd9-4eae-737b-260a3906f72a@gmail.com> <51F2BD2A-A590-4AF1-B8C1-FE62C9416340@steffann.nl> <8C63324F-FEF6-40BD-B918-B413CDEF9186@gmail.com> <478d5dc5-af00-4ab0-d8ef-75e41cd501d4@foobar.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <9eb009ba-234f-ea62-779b-469255543f91@gmail.com>
Date: Wed, 08 May 2019 11:18:50 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <478d5dc5-af00-4ab0-d8ef-75e41cd501d4@foobar.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ci_chvoG3yvLkHiaUhICmtsg2DA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 23:18:58 -0000

Nick, excuse top posting but it seems to me that you are
assuming that in a managed network, the hosts are all
managed too. That's certainly a false assumption in my
experienced: managed routers and access points with
BYOD hosts is a very common scenario.

It remains true that even so, in many cases the managed
network could be configured to block IPv4 at layer 2.
I can't argue against that argument.

Regards
   Brian

On 08-May-19 07:13, Nick Hilliard wrote:
> Bob Hinden wrote on 07/05/2019 17:31:
>> Enterprise networks are an important use case for this proposal.
>>
>> The draft seems to me to be clear it is focused on managed networks.
>> It uses the word “administrator” 12 times.   There is, of course, no
>> administrator on unmanaged networks.
>>
>> Would it help if the draft said the focus is for managed networks?
> Not really, no, because when you look at it more closely, it becomes 
> apparent that the flag is redundant on managed networks.
> 
> What's important about managed networks is that they're managed.  I.e. 
> that whatever policy is put in place by the administrator can be 
> enforced.  v6only does not and cannot enforce anything, which means that 
> from the point of view of policy or enterprise management, it fails 
> before it leaves the block.  It fails because all it does is provide an 
> advisory hint to the operating system about the intentions of the 
> network administrator.
> 
> Drilling down further and looking at the issue from the point of view of 
> an enterprise network, management would encompass either device 
> management or fine-grained network access control, or both.  In each 
> case, the management will be enforced because if it's not enforced, it's 
> not management: it's hand-waving.
> 
> For device management, it might be e.g. Windows group policy, or macos 
> workgroup manager, or some orchestration tool (puppet / saltstack / 
> etc), or some COTS product to do all this - there are plenty out there. 
> The point is that the management of the devices on the network will be 
> centralised and will give the administrators of the network the ability 
> to enable or disable ipv4 by application of enforced policy.
> 
> No sane operating system manufacturer will leave the v6only option 
> enabled by default on an out-of-the-box installation because the 
> possibility of mischief is far too great. This means that if the 
> administrator wants to change this default, they will need to touch the 
> configuration of each installation.
> 
> But here's the thing: if they already have to change the default 
> configuration to enable v6only, why wouldn't they go the whole hog and 
> just disable v4 completely?  More to the point, if they need to delve 
> into this level of operating system protocol capabilities, their policy 
> management tools will be sufficiently fine-grained to enable or disable 
> any specific protocol on any specific network that they choose.  In 
> other words, the v6only flag is almost entirely irrelevant for managed 
> networks where the management capabilities are done on the host devices. 
>   The job can be done more simply and more reliably by using existing tools.
> 
> The other type of managed network is where control of the network access 
> is managed.  I've gone into some detail on this scenario on several 
> occasions before, so please forgive me for quoting these URLs:
> 
> https://mailarchive.ietf.org/arch/msg/ipv6/NIJ194PI8CLkuZT8U_jKEOY01QI
> https://mailarchive.ietf.org/arch/msg/ipv6/a9KBvO88PlPrO0kLr83VOBlGmpw
> 
> Summarising:
> 
> - L2 ACLs provide vastly superior functionality, and work today.
> 
> - even L2 ACLs on core links can reduce the problems assertions in the 
> v6only-flag problem statement to background noise.
> 
> - gigantic l2 domains were busted about 30 years ago as being terrible 
> network design and the ietf has no responsibility to create workarounds 
> for people who implement terrible network designs.  And if you really 
> need to implement gigantic l2 domains, you need kit which is fit for 
> purpose.
> 
> I.e. if you want actual management, then you need to manage, and that 
> mandates enforcement.  The larger your network, the more effort you need 
> to put into designing it properly - and managing it using appropriate 
> equipment.
> 
> I'm sure it would be possible to contrive scenarios where marginal gain 
> in functionality is achieved with the v6only flag, but in 18 months of 
> discussion (and draft-perreault-sunset4-noipv4 before it), not even a 
> single credible use case has come up where the alternatives weren't better.
> 
> Nick
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email