IETF Logo Mail Archive

Re: Extending a /64

Mark Smith <markzzzsmith@gmail.com> Mon, 16 November 2020 19:17 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 691DA3A0779 for <ipv6@ietfa.amsl.com>; Mon, 16 Nov 2020 11:17:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.597
X-Spam-Level:
X-Spam-Status: No, score=-0.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ak3tagq4mLaT for <ipv6@ietfa.amsl.com>; Mon, 16 Nov 2020 11:17:13 -0800 (PST)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C9CB3A067A for <ipv6@ietf.org>; Mon, 16 Nov 2020 11:17:13 -0800 (PST)
Received: by mail-ot1-x32f.google.com with SMTP id f16so17061475otl.11 for <ipv6@ietf.org>; Mon, 16 Nov 2020 11:17:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SehbWTbWdle6Y3Ef80qfg0Nrsty069gC+vzn5e+ypH0=; b=ogpFkHcMSHQT3XXo2CbhcW6X9h1uhBYOc1AS6EQBd/dqf2TpkHirRe18Fdnhvse3wZ Lc9IJYlW+HF3lNLCxG26ni5gTh3bAfwrFcOnKpVt3J4ZX1l46iuD4/swmzh1Zrb2W4qu kjhCxmPr+tHDAi18cac8fKr3+buqx2HYoa669pnZpXi70kdY70Gqi1IAfSKPIGJIDbkr IWIPyeqqYs+ZS9tll459c6pfUt4195vWJrAe3+NOYzkh5ZFXmbMM1UDI290BhZ/AuLY5 zDa9mxzSSQx51t6lFSyAqRTPZsBPc6JS1NGw69nOfkgeJL3tYP4tEFkcjG+P5TDiGEZX jYrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SehbWTbWdle6Y3Ef80qfg0Nrsty069gC+vzn5e+ypH0=; b=lZBXJNsCDeqgM+JYnwSJ61NbtczeFRM6QyClYaAGD7RDP+bsVyHSs6sbGiSuiCXHPQ W6gYXktmXc1/kGN+fxaXvxAbSLccvzvYmm8RGI+Vznz9RSlHQnW8NWF48JOHNbTipIvy 8OGoVZJ5Q3Wvn8NnB3MhwqDhADUaaapP6YNAXf5WKU6YbOqiXXq4shsriJETU7mHYJzr 07LyzRTuCIOQpGD6w0BvcLphYXnoq+Ui1eJmxbMvoQ9WtScwozRaXPxn6GmJNwv+paup 0EqHVokWhZp1L35nM13mNG2wlpLcB5s3/fl7tdOCU1XcaJnPfcMO1TxBJwlwr7IMaDVd FQvw==
X-Gm-Message-State: AOAM530BQuhqk7k5jrbJzUityJRFue2s34e+4hMGaQMH+I+wFVP8diqM SUCVdXIT63U/n2GuqjamzJqlxpDWdqwJLPeqR+A=
X-Google-Smtp-Source: ABdhPJz33jLBCWlfh7FD97oOUC7vcGVVIo9akSI2HSOKlk2s5Tas/CZmYhfdKFkSVndwetgkAaA2vqGyGzsBRvPY3w4=
X-Received: by 2002:a9d:a0d:: with SMTP id 13mr539664otg.348.1605554232626; Mon, 16 Nov 2020 11:17:12 -0800 (PST)
MIME-Version: 1.0
References: <202011151920.0AFJKN9U003337@mail2.mwassocs.co.uk> <3d26bffe-b6c9-4ed7-6135-a515f9902fd7@gmail.com> <m1keOTi-0000EGC@stereo.hq.phicoh.net> <CAO42Z2wZkXryhw1u5WAFdtCvXHyyz1zeM22FP_gRxjurjsG-Jw@mail.gmail.com> <29299.1605477799@localhost>
In-Reply-To: <29299.1605477799@localhost>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 17 Nov 2020 06:17:00 +1100
Message-ID: <CAO42Z2yS9gL9wQcfPb7Bes+ao=an2Lp2r5eJo97kcb4y2si=gg@mail.gmail.com>
Subject: Re: Extending a /64
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b4111505b43e3927"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/o8orDH9_a_QmxkO_3CK1hXvIIPM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 19:17:15 -0000

On Mon, 16 Nov 2020, 09:03 Michael Richardson, <mcr+ietf@sandelman.ca>
wrote:

>
> Mark Smith <markzzzsmith@gmail.com> wrote:
>     > On Mon, 16 Nov 2020, 07:19 Philip Homburg, <
> pch-ipv6-ietf-6@u-1.phicoh.com>
>     > wrote:
>
>     >> > Again, there are 35 trillion /48s in 2000::/3. How many would you
>     >> > need?
>     >>
>     >> It gets tight when you want the prefix to contain 39 bits to number
> around
>     >> half a million planes.
>     >>
>
>     > Why are half a million planes going to be on the Internet?
>
> No, not "Internet"
> "internet" --- as in, uses IPv6.
>

Asking for GUA space implies attached to the big-I Internet when the ULA
space exists for non-Internet connected devices.

If a single /48 ULA isn't big enough, generate more.


How and if it connects to the DFZ is not really any of our business.
>


It is when GUAs are being requested, and the RFC4291 address format is
being ignored. It's not IPv6 and can't be called "IPv6" if it doesn't
comply with the IPv6 specifications.

GUAs have two properties:

- globally unique address
- provide potential global reachability to any and all global Internet
destinations

ULAs only have the first property.

If a device doesn't need the second property, the device doesn't need a GUA.

The security principle of least privilege demands that devices aren't given
the second property when they don't need it.


> Because thinking that you can put ALG gateways and NATs and other crap in
> the
> way to keep stuff off the internet is IPv4 think.


A management platform or system that controls and aggregates data from ULA
addressed devices is perfectly compliant with the IPv6 architecture,
because the management system is built with hosts. No NAT, no ALGs, the
transport connections are end host to end host within the distinct network.

Outside access to that would be via multi-homing one or more of the hosts
in the management system. Specifically, forwarding between the hosts'
interfaces is not enabled. The multihomed host(s) are relaying data between
these two networks at the application layer and as part of the application
architecture.

This is how the IPv6 smart meter network I've seen works - and actually,
were IPv6 only on the meter side, and only IPv4 on the outside.

The reason NATs and ALGs cause problems is they're not proper and distinct
RFC8200 hosts or routers. They're a mutant half way between - do more than
dumb packet forwarding (routing), but don't properly do all of what the
host and application processing does. They "half" participate in the end to
end protocols.

If you can't or don't want to for security reasons provide direct host to
host connectivity within a single network, you partition the network into
two with a multihomed host or hosts and have an application architecture
that suits that. Anything less than that i.e. NATs or ALGs, doesn't comply
with the device roles in RFC8200, and suffers from the well known problems
caused by "more than routers, but not full hosts".

Regards,
Mark.


> If our answer to requests for IPv6 address space involves IPv4-style
> justification, then we might as well give up and go for triple-NATed CGN.
>
> Now, I don't understand how 39bits are needed to number log_2(10^6) =
> 20bits
> of airplane.  It seems to leave more than 16-bits for subnets on each
> airplane, which is still a lot.
>
> Remember that it might be 2^19 concurrent airplanes, but the address plan
> would be expected to last a hundred years or so.
>
>
>     > Supposedly only some drones needed (really?) to be on the Internet.
> How did
>     > that turn into every plane?
>
> Because every plane has electronics that speak IPv6.
>
>     > Can somebody post a link to the draft that tries to justify this
> idea?
>     > Has a security threat model been done?
>
> Who cares?  Firewalls work regardless of what address space is used.
>

I



> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email