IETF Logo Mail Archive

Re: [IPv6] Second Working Group Last Call for <draft-ietf-6man-rfc6724-update>

David Farmer <farmer@umn.edu> Fri, 12 April 2024 02:42 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91AD3C14F694 for <ipv6@ietfa.amsl.com>; Thu, 11 Apr 2024 19:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aU9iyAVbknp for <ipv6@ietfa.amsl.com>; Thu, 11 Apr 2024 19:42:41 -0700 (PDT)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7708FC14F689 for <ipv6@ietf.org>; Thu, 11 Apr 2024 19:42:41 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 4VG17j0NfGz9vCFr for <ipv6@ietf.org>; Fri, 12 Apr 2024 02:42:41 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hTRGYpJI_FK for <ipv6@ietf.org>; Thu, 11 Apr 2024 21:42:40 -0500 (CDT)
Received: from mail-ed1-f72.google.com (mail-ed1-f72.google.com [209.85.208.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 4VG17h3FqQz9v90G for <ipv6@ietf.org>; Thu, 11 Apr 2024 21:42:40 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p5.oit.umn.edu 4VG17h3FqQz9v90G
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p5.oit.umn.edu 4VG17h3FqQz9v90G
Received: by mail-ed1-f72.google.com with SMTP id 4fb4d7f45d1cf-56e678f6d81so1622216a12.0 for <ipv6@ietf.org>; Thu, 11 Apr 2024 19:42:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; t=1712889758; x=1713494558; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=++yQLMwDc60do2H2cUHvWbah4ZM4tZZmsVsUR1sq8as=; b=Ezrym4zkCHXTirKMOL01zlwB3nhm2PxNkafn/7h/M2ZfgvrjP6xiPsSh9cWOxlpSgf yXpUQKElR1rsOfZ+Es//v1RdgEO1hcb17xWD9kuQgZBHFj6sbGHaHAtUjW6lffG7GYcU BN2v70xH3PY7UJgyhqiIPrd/WX7gF5HCdFXc/6e+6FuQLQWTKMPTsa4WaeawqxxsAAtn +WAUpkIhuZ8uGt5RgMaUUbPDW1/oKNMzdC9+lS8HLS1WhutTHAMJV5kSXPmcZxqMj6e+ /MjM8L1APPsEzatzYjCNkqVum3aZaCPlOTMFtjPcXr0IVJJ8uVpoEqWVQnsQGlgNToA2 TpIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712889758; x=1713494558; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=++yQLMwDc60do2H2cUHvWbah4ZM4tZZmsVsUR1sq8as=; b=nKIVHz1Gb8PXwp2lF2B+zygTTUoerj4wj8a3ITRUI5PMi3dgWWj/J0kMkTlq0PFcBs gI8QjRB6Jojlntdy+aJYICo5oLeiZ7hsDQApGDym/MBVo/CXHhOzkOmzZrz1VFbq7FoG Ci/r80SdFJYuqsQ+6ohZ9jackqpjL2U6gBxjNmw0176Vmvj+fKyhXQa5LFs55+2PHeDP oAluKBw7dS/TV8IfUxtsE5L7pDhDx1Ts+ZHAow6PUqE/oBjgKrY5afmDpQHIG53GJ9h6 KpI3FirEvH1UMvOKS6eMNJ6JhmtKPPBPLIGx6tzrDC5Br+VHwKeLOM90ByVf2je2QGkI v0Pg==
X-Forwarded-Encrypted: i=1; AJvYcCUXLu50oIXG2IA99SS3SPnGRzbk5VbDkvxvSsrUSRRcBJ5P76O2HRm4PGkyjPAjzBUgybB+s1g6B21CrosZ
X-Gm-Message-State: AOJu0YziWoGBuwqieNsybKTSAXbYg+lnYtdJIYdPWqizXFVdlfSkcAU1 HVVtA6Jk+agLAP/wYpwGP38W1LseJTf4d1krp2y7v0HhAyZ4kJF0pTBnr2uzUzuUHIyL9ETNpTm VucJLT5EFxkihvi4mjclWK39gcyHOSjga0isgv3Ly1DAbRq7T/2MKjqvetELNQmhpdtbaKUL1V6 wJyzARtzCz9/3LvDJInJOa
X-Received: by 2002:a05:6402:194d:b0:56f:ef0f:9268 with SMTP id f13-20020a056402194d00b0056fef0f9268mr1577228edz.6.1712889758679; Thu, 11 Apr 2024 19:42:38 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEW6n1IXu/SqrOlGe6/MBUQWfpYgLLaNXEzSM+2cMEjAjCC25uzhbM2oPjT7oGQP0v2F2RI4sKM87hOk0uWLQ8=
X-Received: by 2002:a05:6402:194d:b0:56f:ef0f:9268 with SMTP id f13-20020a056402194d00b0056fef0f9268mr1577217edz.6.1712889758289; Thu, 11 Apr 2024 19:42:38 -0700 (PDT)
MIME-Version: 1.0
References: <6A5E5F35-B35F-4358-8EE1-3BD82329141E@jisc.ac.uk> <6FBC1B5A-BF28-4B05-B2B2-A60DA4707755@gmail.com> <CAPt1N1m-Ye8vfOVnsPesFshLMV5QuVoxWqM=HVZiJ37zaBg6AA@mail.gmail.com> <CAKD1Yr1NTvFj0zB0=+nnUKck7TBtwHFz2XoFkD1smx4yCuZohQ@mail.gmail.com> <CAJU8_nWyE5TqBTXB9wfSkn6refaqYNVN967YAtCp-0VMk-5qWQ@mail.gmail.com> <CAPt1N1mqszfafMMY=54ezpoRymoy=bBjeVnWzxj6A27smR1eig@mail.gmail.com> <CAJU8_nWDDfwWEoahU4dqTEh3_HCq2UfpkFjefnXohb+5DAbjew@mail.gmail.com> <CAPt1N1nTJ1sDEQrn1iNUbvreu5bt0BweWgX7iOw6fmPgNBvUqw@mail.gmail.com> <CAJU8_nWsg=eGxu59akfB0+pOTJ-TYud-a_wGhtgnpp1RizVhrw@mail.gmail.com> <CAPt1N1nbTuSH4GGrimFAxe3YqTLbhiTX5KVjYsw+JRjoadzzrw@mail.gmail.com> <CAN-Dau36qjfT5YCPWAhko-RKjj3Cqeo-r9csM0fOadcdehvhBQ@mail.gmail.com> <CAPt1N1kTv189Binap2r6PT-w2VbW31KGibSf_iPGPnnQ90CdYA@mail.gmail.com>
In-Reply-To: <CAPt1N1kTv189Binap2r6PT-w2VbW31KGibSf_iPGPnnQ90CdYA@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Thu, 11 Apr 2024 21:42:26 -0500
Message-ID: <CAN-Dau0CS9=mHTMPQf6BHfkhEUGEbVdcUBeQpE=DhUqVj4=N1w@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>, Kyle Rose <krose@krose.org>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009526370615dd3900"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/quOZ6Gv8A9xuwilp1n5lQHOrx0A>
Subject: Re: [IPv6] Second Working Group Last Call for <draft-ietf-6man-rfc6724-update>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 02:42:45 -0000

I’ll agree local scope naming or addressing doesn’t need to be visible from
the global scope, and most people don’t intend it to be such. Nevertheless,
it is a daily fact that local scope naming and addressing leaks into the
global scope, regardless of and in spite of all intentions to the contrary.
This is again because there is no real concept of local vs. global scope as
part of the DNS protocol or on the wire, therefore the protocol provides no
help preventing this leakage.

We all know which road is paved with good intentions. Therefore, It is my
belief regardless of the intent for local naming and addressing to be local
and not visible globally, we need a design that is robust to this leakage.

I believe that requiring a preference for known-local ULAs, with GUA and
IPv4 preferred over other ULAs, is the robust solution to the leakage of
local naming and addressing into the global scope that we need.

Even this heuristic isn’t perfect, there is no way to know if a particular
known-local ULA is actually reachable until we try communicating with it,
but this is true for all address types. However, the contrary is almost
certain, a non-local or remote ULA is almost certainly unreachable and GUA
or IPv4 addresses are more likely to be reachable than a non-local or
remote ULA.

As for your VPN example, if the VPN uses ULA, then you would expect the
host will have an address from the VPN and would be a known-local ULA, and
this heuristic will work as intended.

On Thu, Apr 11, 2024 at 15:33 Ted Lemon <mellon@fugue.com> wrote:

> Hm. In general I suspect that most of the time the stuff that's going to
> get both a ULA and a GUA in the DNS doesn't need to be visible from outside
> of a firewall. Like, the name isn't needed. I think it's very unlikely that
> any resource that's ever going to go through a CDN would make sense to
> advertise with a ULA. So I am not particularly attached to using ULAs in
> names that are globally reachable.
>
> But as you say, this is not a distinction that exists in the protocol
> specification. So I agree with Kyle that it doesn't make sense to advertise
> internal stuff globally with ULAs, and I agree with you that there are
> plenty of domain names that are going to have AAAA records on them
> containing ULAs as well as GUAs. I don't think this is quite contradictory.
> Like, it's hard for me to imagine a situation where it would make sense for
> the name www.google.com, even if it had AAAA records on it, to have AAAA
> records containing ULAs.
>
> On the other hand, names under internal.example.com might well have ULAs
> on them. If these are discoverable from the Internet, that doesn't really
> matter, because they are only intended for internal users. But generally
> speaking internal resources are only accessible through a VPN anyway, so
> it's a moot point—you're probably never going to see that delegation
> answered on the Internet, and even if you did, there would be no real point
> to putting GUAs in the delegation because anybody who needs to reach one of
> those hosts has the VPN up, and if they don't we don't want those hosts to
> be reachable.
>
> On Thu, Apr 11, 2024 at 2:27 PM David Farmer <farmer@umn.edu> wrote:
>
>>
>> On Thu, Apr 11, 2024 at 8:29 AM Ted Lemon <mellon@fugue.com> wrote:
>>
>>> On Thu, Apr 11, 2024 at 8:51 AM Kyle Rose <krose@krose.org> wrote:
>>>
>>>> On Thu, Apr 11, 2024 at 8:41 AM Ted Lemon <mellon@fugue.com> wrote:
>>>>
>>>>> But this is counterfactual. Rght now if you publish a ULA in the
>>>>> global DNS, it will not cause a delay because no host with IPv6
>>>>> connectivity will try to connect to it. We only run into a problem if we
>>>>> decide to prefer all ULAs over all IPv4 addresses. That /will/ in fact
>>>>> cause delays.
>>>>>
>>>>
>>>> Because something is misconfigured. Right now, that misconfiguration is
>>>> hidden, and becomes visible only when IPv4 connectivity is broken for
>>>> whatever reason. Fix the glitch, which is the ULA in global DNS.
>>>>
>>>
>>> Kyle, I don't know if you can see this from where you're sitting, but
>>> you are making a religious argument here. It is not a misconfiguration to
>>> put a ULA in the DNS right now in the sense that it causes a problem. It's
>>> a misconfiguration because it doesn't match your mental model of How Things
>>> Should Be.
>>>
>>> I don't entirely disagree with you about this—I don't think that we
>>> ought to put ULAs in the global DNS. But I don't actually have a solid
>>> argument against Lorenzo's position—I just don't happen to agree with it.
>>>
>>
>> I disagree with both of you. The distinction between local and global DNS
>> only exists in the human mind. It doesn't exist in the DNS protocol or on
>> the wire, except for the relatively recent availability of the .local
>> zone.  And even with .local, there is no way to distinguish between
>> different instances of .local. You don't know if a .local query is for or
>> if the response is from your instance or my instance of .local. Except for
>> the .local zone, there is no way to know if a query is intended to be
>> global or local or if a response is global or local. The protocol on the
>> wire is identical, and any distinction is a fiction of the human mind.
>>
>> Furthermore, ULAs are global in scope, and if implemented correctly, they
>> are effectively unique globally. The only real question is whether they are
>> reachable or not, and preferring known-local ULAs and not other ULAs speaks
>> directly to the reachability question. Whether or not the ULAs belong in
>> the DNS or not, and how the DNS is configured, is irrelevant. The real
>> question is only if they are reachable or not, and again, known-local ULAs
>> resolve this question.
>>
>> Thanks
>>
>
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email