IETF Logo Mail Archive

Re: Generic anycast addresses...

Mark Smith <markzzzsmith@gmail.com> Thu, 30 May 2019 23:21 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1CDC12006E for <ipv6@ietfa.amsl.com>; Thu, 30 May 2019 16:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.497
X-Spam-Level:
X-Spam-Status: No, score=-0.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rOP5xFAjJNmq for <ipv6@ietfa.amsl.com>; Thu, 30 May 2019 16:21:25 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4546120048 for <6man@ietf.org>; Thu, 30 May 2019 16:21:25 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id r10so7374358otd.4 for <6man@ietf.org>; Thu, 30 May 2019 16:21:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=n3aac1qrqS4d0PFSAwv62KMitIJCAUwNN/ZB8ZaXhQ4=; b=Ue5zzw2+UWafRuaQ6zxXUwJzFHifRvxYRNIAqT+jsFQeMHqq6IcklU7Pya+f17mcdh RHdCJMsg7BQIrEF2RiioqjObDUrGW7aW409ERI83uM+T1q5kzGArWdMYkCVI8hYiJkOq +OLn2S4ezVT+OQ7TZtcBnMPofqlNbmP12g/CI3lPNUKhsM2Z+1jssDPln81Uo6bPpGH+ 9uzVqZEMU9iwp/T9JGmczo9wgqMcB36fUoYmG3m2l0eS5bZY+qEIwgdSZzGZF9fiiWvO UK0lZz5rI1OxQ7EBpOTTxtESK3XlmhIRDKfLIdfmHzf635dP6dzoKbo3uaEAyRLIq77o /ECw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=n3aac1qrqS4d0PFSAwv62KMitIJCAUwNN/ZB8ZaXhQ4=; b=H1xuAPErK43TUexpeboByb4qpYlOvN7q+KH4ZwdP4Ubl1uEn+dFCU4j4WAq0853fHe MNjNt3ZR6Kx1+naf+d3wHgz2fWn7Gwlt23/LjKGf67W9EcI6+T5XxlaUHGuRUOZUskB6 qEUQGzvc4dPGIsTu9u+pufzbVnbhBM4G9DAqBFtq3Fi9763A9gmb33KHWPEWtE0CptWu aQHPUB6ZlWgm69xpYLBqsSbAyMnJ0pA5W0tH2DAikt+H0fbO6XcdGyzOGnnWpCoMvP6v qO0I5YAe3AHRk+oipg+dDhl1z7ngeBYVFp4c9nVRY4uxdBYz+ZDhQ5od22vnO0+IbZRd HcDA==
X-Gm-Message-State: APjAAAXwYR6nn/IkKLTK0GfmZfkR4RLAsnOZmSYGCp9XW+nFTrrBqPPP eoz/4ZTqiT0QqemUKnXKA4bvMf6PePZ7VKFwLIQ=
X-Google-Smtp-Source: APXvYqw/Vn9i5JcGicDnNvyEjD1rHFqcVOMXv6GsEPs66EzmsYjRiJxjBhPFUB0wj3kz1+WaCfaiYuX4ibpnDvJK27s=
X-Received: by 2002:a9d:12a9:: with SMTP id g38mr4936067otg.74.1559258485099; Thu, 30 May 2019 16:21:25 -0700 (PDT)
MIME-Version: 1.0
References: <7A9560FC-0393-45DF-8389-B868455AC6DD@fugue.com> <20190530005734.7d2alod2zoaemmhc@faui48f.informatik.uni-erlangen.de> <D6E27B45-437F-45BE-A305-47DD460BCE02@fugue.com> <26144.1559226966@localhost> <1DD451A7-D898-4105-974C-53776A3DA9F2@fugue.com> <20190530152902.l2nmyhadr4e4kt7x@faui48f.informatik.uni-erlangen.de> <0FF19D6D-1A45-41EF-BE34-CC35B5E51E1E@steffann.nl> <D91629F6-73AC-4A80-80EF-16644F73DA36@fugue.com> <701687d4-842c-6a16-3c97-349125324e3f@gmail.com> <D648647D-60E1-4DCE-B0BE-11002E0AE5A4@fugue.com> <20190530220838.g2hshonsjxmfnd55@faui48f.informatik.uni-erlangen.de> <632BE7EC-26A6-44E9-9CCD-F0AE143D4256@fugue.com> <AF1967FC-526D-47FB-98BE-F9B949F26796@steffann.nl>
In-Reply-To: <AF1967FC-526D-47FB-98BE-F9B949F26796@steffann.nl>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 31 May 2019 09:21:13 +1000
Message-ID: <CAO42Z2yY=z-wKCUaCYZqJLHfT+LdyDOWz9bLG8QTh9C8sJCx3g@mail.gmail.com>
Subject: Re: Generic anycast addresses...
To: Sander Steffann <sander@steffann.nl>
Cc: Ted Lemon <mellon@fugue.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "6man@ietf.org" <6man@ietf.org>, Dave Thaler <dthaler@microsoft.com>
Content-Type: multipart/alternative; boundary="0000000000001e127f058a23288e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/wXjInKXfVugNhLTQmRltJXw9QyE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 23:21:28 -0000

On Fri., 31 May 2019, 08:54 Sander Steffann, <sander@steffann.nl> wrote:

> Hi Ted,
>
> >> To me, a non-fuzzy boundary is one where you do something like ACL on
> >> a set of links completely isolating some area of the network. Fuzzy
> >> could vbe absence of default route causing ULA to stop. Not sure if
> >> these are good examples of any actual definition, but both ae possible
> with
> >> ULA.
> >>
> >> I'd mostly be concerned about non-fuzzy boundaries wrt. security,
> >> so not sure if i'd always want to avoid non-fuzzy boundaries.
> >
> > The question is, what’s different about the proposed application versus
> typical ULA usage?
>
> I like the scope aspect of Mark's draft. ULA is always organisation or
> site scoped, and should be filtered as such. Anycast that have a different
> scope should have different boundaries. Anycast addresses that have ISP
> scope can cross from the customer's network to the ISP's network, while
> there should be a boundary between that customer's ULA addresses and that
> ISP's ULA addresses (let's assume they both use ULA for this example).
>

An example use case for a Network Service Provider scope is anycast DNS
resolvers.

You can't use ULA because customers don't send their ULA prefixes to you,
and you don't really want them to, as that makes your ISP network part of
their network.

Ideally you don't want to use GUA DNS resolver anycast addresses because
that makes the DNS resolver vulnerable to DoS attacks from the Internet.

When I first ran up anycast DNS resolvers, I ideally wanted to use IPv4
addresses that had these property of globally unique, not globally
reachable, yet reachable from all customers' networks. Internet DoS attacks
on DNS resolvers were common at the time.

RFC1918 didn't suit, nor did normal RIR public address space, because APNIC
expected it to be globally reachable. IX space suites, but we weren't an
IX. We could have probably lobbied harder for it, however we needed to get
them going.


This is also part of my realisation that the forwarding scopes of our
unicast address spaces are quite coarse - global (GUA), organisation (ULA)
and link (Link-Local), and that's it.

The much more fine grained multicast scopes used with anycast addresses
would be much more flexible for anycast scenarios.

I think reintroducing the Site-Locals as a unicast address space, just to
create Site-Local scope anycast addresses, isn't really properly solving
the problem in a general enough way.

People will also use them for unicast addressing because they're more
similar to RFC1918s that ULAs - and we also have problems with people not
making ULA unique, despite the word Unique in the name.


No mention of generating unique ULAs, so people are being trained to use
ULAs that are not unique:

https://github.com/leblancd/kube-v6/blob/master/README.md#set-up-node-ip-addresses

A CPE vendor got this wrong too in the past:

Residential IPv6 CPE - What Not To Do and Other Observations
https://www.ausnog.net/sites/default/files/ausnog-05/presentations/ausnog-05-d02p02-mark-smith.pdf


Regards,
Mark.


> Cheers,
> Sander
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email