Re: [IPv6] Adoption call for draft-bctb-6man-rfc6296-bis

Ted Lemon <mellon@fugue.com> Thu, 28 March 2024 19:44 UTC

References: <CADmxuPF1AReQCSY13HjqXE+8Jofy_uoo1wmnzs8+whG7Tdc+UQ@mail.gmail.com> <836E3A12-FAAF-4C19-91A1-322203645AAA@employees.org> <CADmxuPEBXYeTPrJqfPEGaxmUM75iKQx6kfCcpHHjxyekZy0xuQ@mail.gmail.com> <2DB6E450-9EE4-438A-9D3B-78DDFF0CA78F@employees.org> <CAKD1Yr0+ArFfn7uZddMAGpxYroSxw-u=cpti4mwp_7-yRBSRSA@mail.gmail.com> <CACMsEX_Can2Uc4dEvC+9B_zG3OuP0YwQnGr=4uQyrFcjjgLHjA@mail.gmail.com> <CAO42Z2yghAZdk_ZO8nzufkJXsgsJMhUNi_Fm+SpUUQ1b7GLCuQ@mail.gmail.com> <CACMsEX8S26NMaseCfepBzoHHyN68k5aApSwG4nSKwJWk4mMKOA@mail.gmail.com> <CACMsEX-hmi+PqvdykmTGA_+Jq7cK+TwZiWWFhEkeOHgFgSr=Rg@mail.gmail.com> <6283d492-41c1-4ebe-9974-a891f797b02f@gmail.com>
In-Reply-To: <6283d492-41c1-4ebe-9974-a891f797b02f@gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 28 Mar 2024 15:42:55 -0400
Message-ID: <CAPt1N1=Dv6e98gLAKToEpWHdFPwB2O4BxpeF1uqKTJP0TUdTfw@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Nick Buraglio <buraglio@forwardingplane.net>, 6man WG <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/kk2MZJMxukKl9xC7PdnsYJkLDKY>
Subject: Re: [IPv6] Adoption call for draft-bctb-6man-rfc6296-bis

Part of the problem here is that the camel's nose is sticking under the
tent and we have to ask ourselves if we really want the camel in the tent.
Clearly if NPTv6 is operational on a network, and we want devices on the
network to be able to set up listeners, then we may need extensions to PCP
to make that work. Or possibly PCP already does what we need—I'm not sure.
But if we need to extend PCP, now NPTv6 is being further legitimized by yet
another bit of standards work done to support it.

This isn't a problem if this is a niche solution that doesn't impact most
general use cases, but if we standardize it and it starts seeing wider
deployment, now we're stuck having to do more protocol work to support it.
IMO this is a bad outcome.

One of the things that worries me about this is that there is always an
economic tension between peer-to-peer and client-server. Toll collection is
a lot easier for the client-server case than for the peer-to-peer case. And
so there is a clear economic incentive to create solutions that make
peer-to-peer impossible. You may have heard the term "over the top" used by
ISPs. I always found this scandalous—this is the ISP saying "I want to
collect a toll from the provider of a service on top of the money I'm
charging for the service I'm actually providing, simply because I'm on-path
and so I can." To me this is a security issue, which the IETF should be
working to prevent, not to facilitate.

Of course this is completely orthogonal to the stated use case, and I am
not suggesting that the proponents of the stated use case here at the IETF
are secretly plotting to block over-the-top services. Really I am not. But
that's one of the things that this standard will do, and if you are getting
pressure to do this from people who can't state a clear use case, you might
want to ask yourself what /their/ motivation is.

On Thu, Mar 28, 2024 at 2:36 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 29-Mar-24 06:02, Nick Buraglio wrote:
> >
> >
> > On Thu, Mar 28, 2024 at 9:45 AM Nick Buraglio <
> buraglio@forwardingplane.net <mailto:buraglio@forwardingplane.net>> wrote:
>
> <snip>
>
> >      >>>>
> >      >>>> The benefit of NAT class mechanisms, is that cost and benefit
> are aligned. Only one side needs to deploy it.
> >      >>>
> >      >>>
> >      >>> Actually, the benefit of NAT class mechanisms is that one party
> deploys them and another party incurs the costs. NAT is great for the
> network operator, because it moves a number of problems out of the network
> operator's domain. But it doesn't do that by solving the problem, it does
> so by making the application's job more difficult.
> >      >>
> >      >>
> >      >> I don't think that is typically true.
> >      >
> >      >
> >      > For client/server applications, where the client is on the inside
> of the NAT with a private address, and the server is on the outside with a
> public address, that wouldn't be typically true.
> >      >
> >      > However, for applications where the communications model is
> peer-to-peer, or a mix of client/server and peer-to-peer, the application
> developer has to implement RFC 8445 ICE using STUN and TURN for NAT
> traversal, incurring additional development, debugging and testing costs.
> >
> >     Is that still accurate for a device behind NPTv6? RFC3235 section
> 3.1.5 points out that statically configured NAT bindings are largely exempt
> from the problems of port mapping, and NPTv6 is only a non-stateful
> translation that does not require the transport header to be re-written,
> simply translating the first 64 bits, so unless the communication embeds an
> address, which is problematic for all of the obvious reasons we see with
> things like legacy FTP, the peer-to-peer applications should work -
> assuming no security policy is in place to prevent it.  In fact, vendor
> documentation specifically calls out one of the advantages of NPTv6 as
> keeping peer-to-peer networking accessible:
> >
> >     /The NPTv6 support allows you to redirect or forward packets from
> one network to another in an IPV6 environment. The NPTv6 support on is an
> algorithmic translation function which provides a 1:1 relationship between
> the addresses within the inside and outside network. When NPTv6 is used,
> you can interconnect different networks and support multihoming, load
> balancing, peer-to-peer networking. The NPTv6 does not create any state in
> the data plane and hence can operate using minimal memory and also supports
> high availability by default./
> >
> >     Of course, it's vendor documentation so take it with a grain of
> salt, but I would not expect that to remain in published documentation
> unless it actually had some validity.
> >
> >      >
> >      > Alternatively the application developer adopts a client/server
> communications model for the application, even though a peer-to-peer model
> would be more scalable and more robust against a centralised server failure
> and server performance problems.
> >      >
> >      > This is why I say that NAT (of any type) imposes a default client
> (inside NAT) /server (outside NAT) communications model at the IPv4 or IPv6
> network layers, rather than the default peer-to-peer model that can then
> accommodate both client/server and peer-to-peer applications communications
> models.
> >      >
> >      > NPTv6 may be stateless, however since hosts behind the NPTv6 will
> have to discover their public addresses via ICE if they want to be peers,
> NPTv6 still imposes those ICE costs on application developers and the
> applications' end-users.
> >
> >     Do they need to discover that? If the mapping is 1:1 it is
> functionally the same address unless there is an embedded address in the
> protocol communications, right? Or am I missing something obvious?
> >
> >
> > I talked to some developer friends that helped me understand this a bit
> better, thanks for giving me the terms to build from to dig deeper.
> Specifically, the need for determining the actual address for a peer to
> peer application is required because there may be peers both inside and
> outside of the translation boundary and a given application needs to know
> what those are in order to avoid things like tromboning traffic or
> blackholing connectivity. This makes much more sense now that I have had
> someone walk me through it.
> > My question back which I think is still a valid question and is couched
> in a dichotomy of ideal vs pragmatic debate is "does this extra work
> implementing the overhead of the ICE/STUN/TURN impose significant overhead
> compared to existing application development requirements to support how
> networks work on average today?"
> > I am not knowledgeable enough to answer that question. At face value it
> *seems* that there will be a need to support these tools (ICE/STUN/TURN)
> already in order to support port address translation that is likely
> required for the foreseeable future for environments that are devoid of
> public addressing and are behind some kind of a port address translation
> device for v4. And, how does that map into a NPTv6 deployment using one of
> the specific use cases? Does the lack of state make that easier or harder
> or make no difference?
> > Myself and others have pointed out very clear and very specific use
> cases where NPTv6 solves a real operational problem, and has been in
> operation for quite some time.
> >
> > As an aside, I don't think we should "what if" about ISPs deploying
> NPTv6 at their edges or all home users insisting on using it as they are
> functionally forced to do with NAPT, those use cases for NAPT are a forced
> function caused by a problem we don't currently have (address exhaustion)
> and any guessing about exploding use is all speculation. Operators are
> going to do what they are going to do, but what we could do is be very
> clear about the problems that this solves, and the places where it does not
> add value and is discouraged.
>
> Which is exactly why changing NPTv6 from experimental to informational
> status, with information added about which scenarios this assists and which
> scenarios it damages, based on experience, is the right thing to do.
>
>      Brian
>
> >
> >
> >      >
> >      > Network engineers who deploy NATs aren't directly exposed to or
> pay any of these additional application development costs (other than when
> they're the application users), which is why it appears that NAT is a
> simple and low impact technology to deploy.
> >
> >     Given that nearly every application must be written to support
> dual-stack, and therefore must implement these techniques for port address
> translation, is that cost not already incurred by default? I understand
> that it may take some work to add IPv6 support to applications that require
> ICE/STUN/TURN, however, assuming (and that's a big assumption on my part),
> that the 1:1 stateless nature of NPTv6 and a lack of an embedded address,
> what is the surface area of applications that need to incur that cost
> specifically for IPv6 where it does not currently exist?
> >     Is it 90% of applications? Is it 10%? I don't actually know but
> would like to. Likelihood of occurrence is a key in making design
> decisions, at least in my world.
> >
> >     I fully admit that I am not an application developer, and there are
> undoubtedly aspects here that I do not understand, so pardon my potentially
> basic questions - I simply don't have the background but would like to
> fully understand. Knowing the likelihood and actual need at an application
> level where it does not already exist as part of a normal development
> workflow to support existing environments, and specifically where it is
> required where NPTv6 is a valid design model would be very, very useful,
> especially with the use cases for NPTv6 being fairly specific.
> >
> >      >
> >      > Regards,
> >      > Mark.
> >      >
> >      >>
> >      >> I will definitely say from experience that there is a
> significant operational cost to deploying any translation tool, and more so
> when there is active state tracking and overload involved. There are often
> (but not always) logging requirements to do these things at scale, and
> there are definitely operational costs in dealing with state table tracking
> and scaling. These don't exist at the same level for mechanisms that do not
> track state and that do not masquerade using port address translation. They
> may still incur application cost, or they may not, that is always going to
> be based on the application stack and is more likely in real time
> applications that don't use a third party intermediary, as you have stated.
> >      >>
> >      >> There are similarities in the translation toolkits, yes, they
> all perform translation at some level. However, what is generally referred
> to as "NAT" in the general term is typically PAT or NAPT or Masquerading,
> depending on the nomenclature. That said, *because* it is significantly
> easier to deploy NAPT, I do not believe that it is an apples to apples
> comparison. They're all tools in the "translation" category, but they're
> definitely not all created equally. NPTv6 does a 1:1 translation, the NAT
> that folks seem to be referencing in the IPv4 world does not, and I do not
> believe it is a reasonable comparison.  It's a far better comparison to say
> that NPTv6 is like a traditional one-to-one NAT (which does still have
> notable, albeit significantly fewer considerations, which I believe are
> noted in the draft).
> >      >>
> >      >>
> >      >> nb
> >      >>
> >      >>
> --------------------------------------------------------------------
> >      >>>
> >      >>> IETF IPv6 working group mailing list
> >      >>> ipv6@ietf.org <mailto:ipv6@ietf.org>
> >      >>> Administrative Requests:
> https://www.ietf.org/mailman/listinfo/ipv6 <
> https://www.ietf.org/mailman/listinfo/ipv6>
> >      >>>
> --------------------------------------------------------------------
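The NPTv6 mechanics that the quoted discussion leans on (a stateless, 1:1 prefix translation that leaves the transport header alone) and Mark's point that hosts behind it still have to discover their outside address, worked through as an added Python example. This is not code from the thread or from RFC 6296 itself; it follows the RFC 6296 algorithm as read by the editor, handles equal-length prefixes only (the spec also allows zero-padding a shorter prefix), and every prefix and address value is constructed for illustration.

```python
"""NPTv6 (RFC 6296) prefix translation as a worked example.

Shows three things the thread argues about:
  * the mapping is a pure function of the address and two configured
    prefixes, so it inverts with no binding table (stateless, 1:1);
  * it is checksum-neutral, so TCP/UDP headers need not be rewritten;
  * the address a host sees on its own interface is not the address its
    peer sees, which is why an application that embeds its own address
    in the payload breaks unless it learns its outside address first.
All prefixes and addresses below are constructed for this example.
"""
import ipaddress
import struct


def ones_complement_sum(words):
    """RFC 1071 style 16-bit one's complement sum with end-around carry."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_neg(word):
    """Additive inverse under one's complement arithmetic."""
    return (~word) & 0xFFFF


def addr_words(addr):
    """Split an IPv6 address into its eight big-endian 16-bit words."""
    return list(struct.unpack("!8H", addr.packed))


def words_addr(words):
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


def address_checksum_word(addr):
    """Contribution of one address to a TCP/UDP pseudo-header checksum.
    0xFFFF and 0x0000 both denote zero in one's complement, so normalise."""
    s = ones_complement_sum(addr_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


class Nptv6Translator:
    """Stateless translator between an internal and an external prefix."""

    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("this example handles equal-length prefixes only")
        self.plen = self.internal.prefixlen
        # Configuration-time constant: one's complement difference between
        # the checksum contributions of the two prefixes (internal - external).
        n = (self.plen + 15) // 16  # 16-bit words the prefix touches
        int_sum = ones_complement_sum(addr_words(self.internal.network_address)[:n])
        ext_sum = ones_complement_sum(addr_words(self.external.network_address)[:n])
        self.adjustment = ones_complement_sum([int_sum, ones_complement_neg(ext_sum)])

    def _adjust_index(self, words):
        if self.plen <= 48:  # fold the adjustment into the subnet word (bits 48..63)
            if words[3] == 0xFFFF:  # would not round-trip 1:1; excluded here
                raise ValueError("subnet 0xFFFF is not translatable")
            return 3
        for i in range(4, 8):  # longer prefixes: first IID word that is not 0xFFFF
            if words[i] != 0xFFFF:
                return i
        raise ValueError("IID of all 0xFFFF words is not translatable")

    def _translate(self, addr, src_net, dst_net, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        # Swap the prefix bits and keep the host bits verbatim: no state needed.
        swapped = int(dst_net.network_address) | (int(addr) & int(src_net.hostmask))
        words = addr_words(ipaddress.IPv6Address(swapped))
        i = self._adjust_index(words)
        words[i] = ones_complement_sum([words[i], adjustment])
        if words[i] == 0xFFFF:  # both spell zero; the spec picks 0x0000
            words[i] = 0x0000
        return words_addr(words)

    def to_external(self, addr):
        """Inside to outside: add the adjustment."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def to_internal(self, addr):
        """Outside to inside: add the negative of the adjustment."""
        return self._translate(addr, self.external, self.internal,
                               ones_complement_neg(self.adjustment))


def reachable_from_outside(advertised, translator):
    """Can an outside peer use the address an inside host put in its payload?
    Models the embedded-address problem the thread mentions (legacy FTP style)."""
    return ipaddress.IPv6Address(advertised) in translator.external


def demo():
    nptv6 = Nptv6Translator("fd01:203:405::/48", "2001:db8:1::/48")  # constructed
    inside = ipaddress.IPv6Address("fd01:203:405:1::10")
    outside = nptv6.to_external(inside)
    assert nptv6.to_internal(outside) == inside  # 1:1, no state
    assert address_checksum_word(inside) == address_checksum_word(outside)
    return {"inside": str(inside), "outside": str(outside),
            "naive_advertisement_works": reachable_from_outside(inside, nptv6),
            "reflexive_advertisement_works": reachable_from_outside(outside, nptv6)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the inside address fd01:203:405:1::10 mapped to 2001:db8:1:d550::10: the subnet word absorbs the checksum difference, so the address the host would naively advertise (the `naive_advertisement_works` entry) is unusable from outside, while the reflexive address a STUN-style check would report is usable. That is the cost the thread attributes to ICE even when the translator keeps no state.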