IETF Logo Mail Archive

Re: [IPv6] I-D Action: draft-ietf-6man-rfc6724-update-04.txt

Mark Smith <markzzzsmith@gmail.com> Mon, 27 November 2023 23:57 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FFBDC14CF13; Mon, 27 Nov 2023 15:57:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.604
X-Spam-Level:
X-Spam-Status: No, score=-1.604 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJSR7x4jlqNI; Mon, 27 Nov 2023 15:57:51 -0800 (PST)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EA0EC15108C; Mon, 27 Nov 2023 15:57:51 -0800 (PST)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-a00a9c6f1e9so693649666b.3; Mon, 27 Nov 2023 15:57:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701129470; x=1701734270; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=6nNV5/goyx60lKfU3FbBQze22nbqFW+PG/HPn5XSZIw=; b=hFQKe9TJbVHOSkh+OCwlM5/qxOQWcMoIpG1cA3fmoDrmpl+sG2VTxXwO+CAB/5Wu6L 8r2ab4NfHUQYpBUwRUESN7kZgOeRJVsAoyBVxcN35nmsazdDxiYPi/lJu86ZDtzjaZ0d zyaGENrR/unfzmllKEnYTokH9AFxealUg/G7xhU/8QI1DZ4I/hLYLFOwyW4GWbDoyg0s K0RAsVlPbZTH3G3o+GHkTs8o1XHkfrq6/lNy4iMkoZH0qDHi4jF3mJJEox6rlXR8bw1y MuGnpm4nCcHy4Jbach/Fm64nycGNuxRsvqXbWIZLgHiBjIFtiovM/q+VEn6Qu1aqxvld FBTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701129470; x=1701734270; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6nNV5/goyx60lKfU3FbBQze22nbqFW+PG/HPn5XSZIw=; b=GiKnStd05siSLKxcWzhNoHTh7ixIhcnCXlanyI1EXJH8YDM3OkkUJBrdpLRdYlJnhn NjqkGeBzoVm/4kZ6SoCdMyDhYcVcCeA291647EyAoYhiMIkHfNI3KRlHCpxb3KJTckEJ PlkrLvoYp3puhvAsczkfIa7hGGSBubqvqSDlmLVtuwPjBU/G/jgD1IpsjU39htWH5Jlc uJDiNzDgyP8FvXlBpDdCHDct8WEFlnS8OfI5PSwOT+Af7Us1Ahb8Yjk9EU/U+8NtdSbz G+peeTpMg3jXlMdbsLCblMx7dlsU6GB+ag/0LuSibiQ1H4LeQX+sh6gHYn0BthM1Ogal OOAw==
X-Gm-Message-State: AOJu0Yx0puUFlyU1hldInCbE71sq4JbmXOGaqQk/ncELA8S8qc9GyFss 7FhsfBW6mUEjVxpTfqr0cl9x47d7M0DY6s8pJ2k=
X-Google-Smtp-Source: AGHT+IF2A8D+OVrVbqsyZF4sGvQg8PcHWL4mi/GrfJ0QxdQJ8wmizCpg8+/2poJ4wb84ISZamh6OIYv8hW1Nq154Swg=
X-Received: by 2002:a17:906:27d9:b0:9e3:f97b:239e with SMTP id k25-20020a17090627d900b009e3f97b239emr10274177ejc.29.1701129469506; Mon, 27 Nov 2023 15:57:49 -0800 (PST)
MIME-Version: 1.0
References: <170059183545.4282.16453796503536671445@ietfa.amsl.com> <CACMsEX_RhsLq1eX5d6m0w93zjLdTNOmuK1-FqVvN3DRCoQkpVQ@mail.gmail.com> <3C840B68-1C34-44C9-9803-7C9468AC98C8@jisc.ac.uk> <CAO42Z2zQORo08vFV34BAKKu+vK6t8GnHLLTSiBUsERNK0zHV8Q@mail.gmail.com> <CAJgLMKuk+_GhymY3cEJvTW+UC=Eo+xtC3dhPVhNkviT1Qg2v4A@mail.gmail.com> <CAJU8_nV4fdXHxGY2zEjW5PLeLjJ6YfU58tJ+PKt8PHQbCfKr-Q@mail.gmail.com> <CAO42Z2xYJsZ+VS0bm6C-idXDOBTdavb6NTAnNbx9SCRfbmgvpw@mail.gmail.com> <CAJU8_nXFisr+hYBPvADkuWPZtKbpcAz7Pd_F4ZJ40=+eBPQR9Q@mail.gmail.com> <CAO42Z2yst7zJKeznwywews9it=yCEQs6RNPPCLM8a4LwKdogJQ@mail.gmail.com> <CACMsEX_mViOUfkGhY=1JgipnnumJbDKUBxFoMy35sEsrtZHfzA@mail.gmail.com>
In-Reply-To: <CACMsEX_mViOUfkGhY=1JgipnnumJbDKUBxFoMy35sEsrtZHfzA@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 28 Nov 2023 10:57:22 +1100
Message-ID: <CAO42Z2xFAnUtiOKGDaNGGdXrnt0yw4i+rY68hEG8PROttWwU_Q@mail.gmail.com>
To: Nick Buraglio <buraglio@forwardingplane.net>
Cc: Kyle Rose <krose@krose.org>, 6man WG <ipv6@ietf.org>, Tim Chown <Tim.Chown=40jisc.ac.uk@dmarc.ietf.org>, 6man Chairs <6man-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/jH1XkOw6QwrSA6xH-WqDSgn_qoA>
Subject: Re: [IPv6] I-D Action: draft-ietf-6man-rfc6724-update-04.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2023 23:57:55 -0000

On Tue, 28 Nov 2023 at 05:04, Nick Buraglio
<buraglio@forwardingplane.net> wrote:
>
>
>
> On Mon, Nov 27, 2023 at 11:24 AM Mark Smith <markzzzsmith@gmail.com> wrote:
>>
>>
>>
>> On Tue, 28 Nov 2023, 03:56 Kyle Rose, <krose@krose.org> wrote:
>>>
>>> On Mon, Nov 27, 2023 at 11:46 AM Mark Smith <markzzzsmith@gmail.com> wrote:
>>>>
>>>> I think more in an enterprise/service provider context and scale by default, so for robustness and end-user friendliness (technical and non-technical), I would put both ULA and GUA addresses for hosts in internal DNS for the same DNS name.
>>>>
>>>> Robustness means if the ULA or GUA address is unreachable, the alternative address becomes a fall back.
>>>>
>>>> End-user friendliness means end-users use the same domain name to reach a host regardless of if they're internal or external to the network. The less end-users have to remember special or different cases the better.
>>>
>>>
>>> All valid justifications for offering both address classes under the same names, but it occurs to me that what you proposed doesn't actually solve any problems. The actual issue is the GUA PD changing: no matter what DNS says, if the GUA prefixes change, connections using those addresses break and need to be reestablished. If you offer only GUA, that means 100% of such connections. If you offer ULA in addition to GUA, that means either 0% are broken (if ULA->ULA is preferred)
>>
>>
>> Which is why I say ULAs need to be preferred over GUAs
>>
>> Which is why RFC 4193 implies ULAs are preferred over GUAs.
>>
>> Which was why site-locals were preferred over GUAs.
>>
>>
>>> or 100% are broken (if GUA->GUA is preferred).
>>
>>
>> Yes, which is why I have such a big problem with preferring GUAs over ULAs.
>>
>> If GUAs end up being preferred over ULAs, then I'm going to write up a draft that ultimately will remove a huge amount of complexity from SA and DA selection.
>>
>> - LLAs can only be used for ICMPv6 and DHCPv6, not any applications (sorry Dentists).
>>
>> - ULAs are only for private, isolated, non-Internet connected networks such as IoT networks e.g. electricity smart meter networks.
>>
>> GUAs are used for networks that are connected to the Internet.
>>
>>
>> A much simpler model of IPv6 addressing would have saved months of discussion about this ULA preference update and 100s of emails.
>>
>> Given some recent IPv6 deployment experiences, it'll also be easier for people coming from IPv4 to understand.
>>
>> It would have also likely avoided the issue that RFC 6724 created because it would have been even more obvious that ULA addresses should not be put in global DNS, and nor would people now be trying to optimise for an error case of ULA in global DNS - the only reason to prefer GUA over ULA.
>>
>> It will also simplify RFCs that have had to deal with multiple candidate SAs or DAs e.g. ND if I recall correctly.
>
>
> This I agree with, there should be a smarter SA/DA selection process and we should work on that, for sure.

I'm saying the opposite above. SA/DA selection should be much
*simpler* as a better alternative to breaking a main use case of ULAs
with this ID.

> This change is far more tactical

Tactical would be to update RFC 6724 to how it should have updated RFC
3484 and nothing more - effectively replace site-locals with ULAs and
leave it as that, because the use case of ULA is the same as
site-locals (so global GUA renumbering doesn't disrupt internal
communications).

I don't entirely understand why ULAs ended up with a global scope,
however they really have a "local-network" scope, and that local
network scope is smaller than global scope. The DA scope comparison
step, Rule 8: Prefer smaller scope, would prefer the local-network
scope (ULA) over global scope (GUA).

> and opportunistic. Anything more is a very large lift outside of the scope for this draft (by design). In whatever this next selection process becomes, it should appropriately and elegantly address the addressing differences in a less rigid way allowing for "best value" rather than class based selections.
>
> Circling back to the draft, much of this discussion seems to come down to how DNS is implemented in a given network, which I strongly believe is a parallel problem space, and even more subjective than the address selection process.
>
> Under the proposed model in the update:
>
> * Operator deploys ULA and GUA
> ** Operator chooses to use split DNS - no problems. All works as designed internal hosts use ULA, external connections use GUA as those are the only options presented to them

That needs to be specifically articulated in the ID if that is the
case. In other words, there need to be *specific* instructions on how
to operate DNS in the context of default IPv6 address selection if
default address selection is going to rely on the deployment model
you've documented.

As I said before I'd both ULA and GUA addresses in the internal split
DNS domain for connectivity robustness, and rely on this text in RFC
6724 (an expansion on what is in RFC 3484) to provide this robustness:

   Well-behaved applications SHOULD NOT simply use the first address
   returned from an API such as getaddrinfo() and then give up if it
   fails.  For many applications, it is appropriate to iterate through
   the list of addresses returned from getaddrinfo() until a working
   address is found.  For other applications, it might be appropriate to
   try multiple addresses in parallel (e.g., with some small delay in
   between) and use the first one to succeed.


> ** Operator uses the same names *internally* for GUA and ULA. Source tries w/ IPv6 ULA -> ULA first. All works.

Well it wouldn't be trying ULA first, there is no GUA DA to try second
in your deployment model. It would be *only* trying ULA.

> ** Operator uses different domain names for ULA and GUA on the same server / resource. Either user chooses manually or a search domain fills in per policy. Clients connect as designed.

So again we now have the possibility of an unreachable DA. Isn't that
what almost everybody is trying hardest to avoid?

> ** Operator puts ULA and GUA in global DNS. - External connectivity will fail to either GUA or IPv4. I assert this is a broken model and a misconfiguration and we should not try to policy around edge case misconfigurations.

I certainly agree it is a broken model and a misconfiguration, however
unreachable DAs do not only occur because a private/local network
address is put in global DNS.

They can also occur because of network faults, such as link or device
failures, or network misconfigurations.

That's actually the origin of Happy Eyeballs. It was created because
one IPv6 CPE implementation (Fritzbox) at the time didn't return
ICMPv6 Destination Unreachables to hosts at all when IPv6 wasn't
available or enabled on the CPE WAN link, yet was available on the LAN
(via LLAs by default, or ULA prefix being advertised as well). End
users encountered long transport layer connection delays in that case.

I was doing quite a lot of testing of IPv6 CPE back at that time,
other IPv6 CPE that did return IPv6 Dest Unreachables in this
situation did cause hosts to fall back to using IPv4 within less than
a few 100 milliseconds - I could detect the delay in a web browser,
however it wasn't a bad user experience with long, 10s of seconds
switchover delay. (AusNOG Presentation on it -
https://www.ausnog.net/sites/default/files/ausnog-05/presentations/ausnog-05-d02p02-mark-smith.pdf)

Hosts have to deal with transient failures of the network, meaning
packet loss, via timeouts and retransmissions. An unreachable DA in
global DNS is really just a form of transient packet loss until the
unreachable DA is removed from global DNS.

> ** Operator forces all users to use IPv4/IPv6 literals - all works as designed.
> ** Operator has only GUA on hosts and only ULA on servers / resources - works as designed host resolves AAAA and connects from GUA to ULA
>
> Obviously all of these problems are solved by using GUA everywhere, which for whatever reason may simply not be an option. Perhaps I am mis-understanding, but I don't believe we should be trying to solve DNS policy here.
>

"** Operator chooses to use split DNS - no problems. All works as
designed internal hosts use ULA, external connections use GUA as those
are the only options presented to them"

That's DNS policy to make DA/SA selection work. It is tightly coupling
how DNS is operated and configured to work with default IPv6 address
selection.

That hasn't been a requirement since RFC 3484 and then RFC 6724,
because of the "Well-behaved applications SHOULD NOT simply use the
first address returned from an API such as getaddrinfo() and then give
up if it fails ..." dealt with broken and unreachable DAs being
provided by DNS. Happy Eyeballs is a more advanced parallel
implementation of that RFC 3484/6724 advice.

Multicast DNS can return LLA, ULA and GUA addresses of another host on
the network (link). mDNS will need to be updated too to avoid
returning both a ULA and GUA DA if you want to follow that internal
DNS, ULA only; global DNS, GUA only model.

Regards,
Mark.

>>
>>
>> Regards,
>> Mark.
>>
>>
>>
>>> Telling operators to deprecate all ULA prefixes when a valid GUA is available and GUA->GUA is preferred over ULA->ULA does nothing to improve the situation.
>>>
>>> If I misunderstood, then please help me to understand what problem you're trying to solve with that proposed recommended practice.
>>> Kyle
>>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email