Re: Generic anycast addresses...
Mark Smith <markzzzsmith@gmail.com> Thu, 30 May 2019 23:21 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1CDC12006E for <ipv6@ietfa.amsl.com>; Thu, 30 May 2019 16:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.497
X-Spam-Level:
X-Spam-Status: No, score=-0.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rOP5xFAjJNmq for <ipv6@ietfa.amsl.com>; Thu, 30 May 2019 16:21:25 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4546120048 for <6man@ietf.org>; Thu, 30 May 2019 16:21:25 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id r10so7374358otd.4 for <6man@ietf.org>; Thu, 30 May 2019 16:21:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=n3aac1qrqS4d0PFSAwv62KMitIJCAUwNN/ZB8ZaXhQ4=; b=Ue5zzw2+UWafRuaQ6zxXUwJzFHifRvxYRNIAqT+jsFQeMHqq6IcklU7Pya+f17mcdh RHdCJMsg7BQIrEF2RiioqjObDUrGW7aW409ERI83uM+T1q5kzGArWdMYkCVI8hYiJkOq +OLn2S4ezVT+OQ7TZtcBnMPofqlNbmP12g/CI3lPNUKhsM2Z+1jssDPln81Uo6bPpGH+ 9uzVqZEMU9iwp/T9JGmczo9wgqMcB36fUoYmG3m2l0eS5bZY+qEIwgdSZzGZF9fiiWvO UK0lZz5rI1OxQ7EBpOTTxtESK3XlmhIRDKfLIdfmHzf635dP6dzoKbo3uaEAyRLIq77o /ECw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=n3aac1qrqS4d0PFSAwv62KMitIJCAUwNN/ZB8ZaXhQ4=; b=H1xuAPErK43TUexpeboByb4qpYlOvN7q+KH4ZwdP4Ubl1uEn+dFCU4j4WAq0853fHe MNjNt3ZR6Kx1+naf+d3wHgz2fWn7Gwlt23/LjKGf67W9EcI6+T5XxlaUHGuRUOZUskB6 qEUQGzvc4dPGIsTu9u+pufzbVnbhBM4G9DAqBFtq3Fi9763A9gmb33KHWPEWtE0CptWu aQHPUB6ZlWgm69xpYLBqsSbAyMnJ0pA5W0tH2DAikt+H0fbO6XcdGyzOGnnWpCoMvP6v qO0I5YAe3AHRk+oipg+dDhl1z7ngeBYVFp4c9nVRY4uxdBYz+ZDhQ5od22vnO0+IbZRd HcDA==
X-Gm-Message-State: APjAAAXwYR6nn/IkKLTK0GfmZfkR4RLAsnOZmSYGCp9XW+nFTrrBqPPP eoz/4ZTqiT0QqemUKnXKA4bvMf6PePZ7VKFwLIQ=
X-Google-Smtp-Source: APXvYqw/Vn9i5JcGicDnNvyEjD1rHFqcVOMXv6GsEPs66EzmsYjRiJxjBhPFUB0wj3kz1+WaCfaiYuX4ibpnDvJK27s=
X-Received: by 2002:a9d:12a9:: with SMTP id g38mr4936067otg.74.1559258485099; Thu, 30 May 2019 16:21:25 -0700 (PDT)
MIME-Version: 1.0
References: <7A9560FC-0393-45DF-8389-B868455AC6DD@fugue.com> <20190530005734.7d2alod2zoaemmhc@faui48f.informatik.uni-erlangen.de> <D6E27B45-437F-45BE-A305-47DD460BCE02@fugue.com> <26144.1559226966@localhost> <1DD451A7-D898-4105-974C-53776A3DA9F2@fugue.com> <20190530152902.l2nmyhadr4e4kt7x@faui48f.informatik.uni-erlangen.de> <0FF19D6D-1A45-41EF-BE34-CC35B5E51E1E@steffann.nl> <D91629F6-73AC-4A80-80EF-16644F73DA36@fugue.com> <701687d4-842c-6a16-3c97-349125324e3f@gmail.com> <D648647D-60E1-4DCE-B0BE-11002E0AE5A4@fugue.com> <20190530220838.g2hshonsjxmfnd55@faui48f.informatik.uni-erlangen.de> <632BE7EC-26A6-44E9-9CCD-F0AE143D4256@fugue.com> <AF1967FC-526D-47FB-98BE-F9B949F26796@steffann.nl>
In-Reply-To: <AF1967FC-526D-47FB-98BE-F9B949F26796@steffann.nl>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 31 May 2019 09:21:13 +1000
Message-ID: <CAO42Z2yY=z-wKCUaCYZqJLHfT+LdyDOWz9bLG8QTh9C8sJCx3g@mail.gmail.com>
Subject: Re: Generic anycast addresses...
To: Sander Steffann <sander@steffann.nl>
Cc: Ted Lemon <mellon@fugue.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "6man@ietf.org" <6man@ietf.org>, Dave Thaler <dthaler@microsoft.com>
Content-Type: multipart/alternative; boundary="0000000000001e127f058a23288e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/wXjInKXfVugNhLTQmRltJXw9QyE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 23:21:28 -0000
On Fri., 31 May 2019, 08:54 Sander Steffann, <sander@steffann.nl> wrote: > Hi Ted, > > >> To me, a non-fuzzy boundary is one where you do something like ACL on > >> a set of links completely isolating some area of the network. Fuzzy > >> could vbe absence of default route causing ULA to stop. Not sure if > >> these are good examples of any actual definition, but both ae possible > with > >> ULA. > >> > >> I'd mostly be concerned about non-fuzzy boundaries wrt. security, > >> so not sure if i'd always want to avoid non-fuzzy boundaries. > > > > The question is, what’s different about the proposed application versus > typical ULA usage? > > I like the scope aspect of Mark's draft. ULA is always organisation or > site scoped, and should be filtered as such. Anycast that have a different > scope should have different boundaries. Anycast addresses that have ISP > scope can cross from the customer's network to the ISP's network, while > there should be a boundary between that customer's ULA addresses and that > ISP's ULA addresses (let's assume they both use ULA for this example). > An example use case for a Network Service Provider scope is anycast DNS resolvers. You can't use ULA because customers don't send their ULA prefixes to you, and you don't really want them to, as that makes your ISP network part of their network. Ideally you don't want to use GUA DNS resolver anycast addresses because that makes the DNS resolver vulnerable to DoS attacks from the Internet. When I first ran up anycast DNS resolvers, I ideally wanted to use IPv4 addresses that had these property of globally unique, not globally reachable, yet reachable from all customers' networks. Internet DoS attacks on DNS resolvers were common at the time. RFC1918 didn't suit, nor did normal RIR public address space, because APNIC expected it to be globally reachable. IX space suites, but we weren't an IX. We could have probably lobbied harder for it, however we needed to get them going. This is also part of my realisation that the forwarding scopes of our unicast address spaces are quite coarse - global (GUA), organisation (ULA) and link (Link-Local), and that's it. The much more fine grained multicast scopes used with anycast addresses would be much more flexible for anycast scenarios. I think reintroducing the Site-Locals as a unicast address space, just to create Site-Local scope anycast addresses, isn't really properly solving the problem in a general enough way. People will also use them for unicast addressing because they're more similar to RFC1918s that ULAs - and we also have problems with people not making ULA unique, despite the word Unique in the name. No mention of generating unique ULAs, so people are being trained to use ULAs that are not unique: https://github.com/leblancd/kube-v6/blob/master/README.md#set-up-node-ip-addresses A CPE vendor got this wrong too in the past: Residential IPv6 CPE - What Not To Do and Other Observations https://www.ausnog.net/sites/default/files/ausnog-05/presentations/ausnog-05-d02p02-mark-smith.pdf Regards, Mark. > Cheers, > Sander > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- Generic anycast addresses... Ted Lemon
- RE: Generic anycast addresses... Dave Thaler
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... George Michaelson
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Bob Hinden
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... George Michaelson
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... George Michaelson
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... JORDI PALET MARTINEZ
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Sander Steffann
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Sander Steffann
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Fred Baker
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... STARK, BARBARA H
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Brian E Carpenter
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Sander Steffann
- Re: Generic anycast addresses... George Michaelson
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Brian E Carpenter
- Re: Generic anycast addresses... Brian E Carpenter
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Fred Baker
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Mikael Abrahamsson
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Mikael Abrahamsson
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... joel jaeggli
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Fred Baker
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Nick Hilliard
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Joel Jaeggli
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Ole Troan
- Re: Generic anycast addresses... Brian E Carpenter
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Sander Steffann
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Nick Hilliard
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... joel jaeggli
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Mikael Abrahamsson
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Mikael Abrahamsson
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Christian Huitema
- Re: Generic anycast addresses... Toerless Eckert
- Re: Generic anycast addresses... Michael Richardson
- Re: Generic anycast addresses... Brian E Carpenter
- Re: Generic anycast addresses... Mikael Abrahamsson
- Re: Generic anycast addresses... Sander Steffann
- Re: Generic anycast addresses... Christian Huitema
- Anycast to unicast resolution (was: Re: Generic a… Toerless Eckert
- Re: Anycast to unicast resolution (was: Re: Gener… Christian Huitema
- Re: Anycast to unicast resolution (was: Re: Gener… Brian Haberman
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Alexandre Petrescu
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Bob Hinden
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Bob Hinden
- Re: Generic anycast addresses... Ted Lemon
- Re: Generic anycast addresses... Mark Smith
- Re: Generic anycast addresses... Erik Kline
- Re: Generic anycast addresses... Mark Smith