IETF Logo Mail Archive

Re: Generic anycast addresses...

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 03 June 2019 14:49 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD99A1202A1 for <ipv6@ietfa.amsl.com>; Mon, 3 Jun 2019 07:49:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYa6-rgVTkaR for <ipv6@ietfa.amsl.com>; Mon, 3 Jun 2019 07:49:47 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C3BD1202CE for <6man@ietf.org>; Mon, 3 Jun 2019 07:49:23 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id C20B93808A for <6man@ietf.org>; Mon, 3 Jun 2019 10:48:10 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id C1DD4107E; Mon, 3 Jun 2019 10:49:20 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id C07BE7E4 for <6man@ietf.org>; Mon, 3 Jun 2019 10:49:20 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: 6MAN <6man@ietf.org>
Subject: Re: Generic anycast addresses...
In-Reply-To: <alpine.DEB.2.20.1906030910010.19892@uplift.swm.pp.se>
References: <1DD451A7-D898-4105-974C-53776A3DA9F2@fugue.com> <20190530152902.l2nmyhadr4e4kt7x@faui48f.informatik.uni-erlangen.de> <0FF19D6D-1A45-41EF-BE34-CC35B5E51E1E@steffann.nl> <D91629F6-73AC-4A80-80EF-16644F73DA36@fugue.com> <701687d4-842c-6a16-3c97-349125324e3f@gmail.com> <D648647D-60E1-4DCE-B0BE-11002E0AE5A4@fugue.com> <25631.1559317738@localhost> <CAO42Z2x9iTrbvZuCxqSpDX-CQ9MtY8V1yyb-hg+XYtXXYn7LKg@mail.gmail.com> <9021.1559397908@localhost> <CAO42Z2xDUYOZqQ2_gjApifaPO3uG-kzjHpzND3nBD=hzw1TW2A@mail.gmail.com> <20190602130300.ebqbmvhb47r7pdog@faui48f.informatik.uni-erlangen.de> <CAO42Z2z9JkczxvYb09d4Fp7O17nnd0RHjPGnTaG26RPxPVa+Xw@mail.gmail.com> <alpine.DEB.2.20.1906030910010.19892@uplift.swm.pp.se>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 03 Jun 2019 10:49:20 -0400
Message-ID: <19028.1559573360@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/sB0tRUA94DfudBa5kJvUjYWS-0Q>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2019 14:49:52 -0000

Mikael Abrahamsson <swmike@swm.pp.se> wrote:
    >> https://tools.ietf.org/html/draft-smith-6man-form-func-anycast-addresses-00

    > I have now read RFC1546 and now I understand some of the confusion. Did the
    > concept of "send SYN to anycast address and get SYN-ACK back from actual
    > unicast address" ever get implemented anywhere?

I don't think so.
Maybe some BSD 4.0 could support it, but it would be fly in the face of most
firewalls.  It would rely only on the sequence number to match things up.
That would be pretty weak, particularly at the time RFC1546 was published!

If IPsec was ubiquitous in the way imagined once, I believe that we could
make IKEv2 to anycast, respond from unicast work well securely enough.
If well integrated with the stack, the SYN would go out with the correct
unicast destination learnt from IKEv2.  Alas, IPsec is not ubiquitous like
this :-(

    > Now, if we're going to do the whole "functional anycast addresses", is the
    > expectation that it's going to add the example RFC1546 behaviour for TCP
    > sessions, thus needing changes to all stateful L4 protocols in the host
    > stack? That's a huge change, and I'm pretty sure the security requirements
    > section would be huge? If not, what does the whole scoping actually add? What
    > does all this information actually add over well-known addresses out of
    > regular unicast space that we're already using?

It means that we can effectively drop them when they get to the edge of the
scope.   It means that a scoped anycast can be used in the home network for
something, and then *also* used at the ISP for a similar use without
confusing things.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email