IETF Logo Mail Archive

Re: [OPSEC] [v6ops] ULAs [was WGLC for draft-ietf-opsec-v6]

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 20 April 2017 00:10 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B271E12EAC7; Wed, 19 Apr 2017 17:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-l0QNLey6Bu; Wed, 19 Apr 2017 17:10:41 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B6F112EAC9; Wed, 19 Apr 2017 17:10:41 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id k87so44229524ioi.0; Wed, 19 Apr 2017 17:10:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=qRBkmVlojpaC+zC9sQ6BJdIGagwKnd2/TW+vRijJ9kg=; b=nD0YNrldyPrnH/7BO20sXQedBRpcCcukGgrN6pdwFvhfjnvSISucqEw9rFPl7Nx+Ri S7ltn7yyM/Rjx/gXNDNXKF1XHomGbKEw3BCVI/SI0agPml4eaUYSDMPT52WoCx5864kw ruCpNwb7cemvkssacRV9bZbepPZDg0ofWJhj5x7vEbMql6FE7LBFvoYwRpoaGuJsKW8x TdiykNNUoOEw9OUfAuOb4kGVbijewsK+ove8giVrjrqJ02aEFsvyUIjaxSMSSjh8oWE7 n9+QkNsEF01lnbC3UXSS4oDgdgiIhq6mGwtYXBVHSFXxj2ibehs6szGHS01ByuGKWJQk HSvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=qRBkmVlojpaC+zC9sQ6BJdIGagwKnd2/TW+vRijJ9kg=; b=EZereMZ+3DtC0j1KgjsMwtYtGpHxg9KlzrNDzflpIMJRnxZZGWduIfEFFHmBThrJqk 7Fu+Jo0c2PM2KumrVydEbD+4pUTQVLKv+MIVfQyn2YGTT7NT1euezTRN8iNee9nppVmq 3xfN9tMz5pjHMiz8SPVjGjbIyWvaQoE532zcK1lESak3MCbaIv1bv7DI1vZn92U6Avb9 mkYuRwBTeKXCtmz/EfqlRGrM4EG1nyflLk039u759HOxmNcncM/YSmD9eF2SzU8phSiA n0ouG5IE0t88cAWdhYcNeMn6FvD3VzKPAFT0OeW2N3qCArZBNVQRy4OvpdMswCI/t3Ro A/Ig==
X-Gm-Message-State: AN3rC/7OGAkJB1NSr1jJjvYoA7y0TGJv0AeklWeJWgTis9sYfBqT3m1T Ey+fb21VIaBBxg==
X-Received: by 10.99.9.66 with SMTP id 63mr5519822pgj.22.1492647040098; Wed, 19 Apr 2017 17:10:40 -0700 (PDT)
Received: from [130.216.38.132] (sc-cs-567-laptop.uoa.auckland.ac.nz. [130.216.38.132]) by smtp.gmail.com with ESMTPSA id j73sm6499308pfe.108.2017.04.19.17.10.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Apr 2017 17:10:39 -0700 (PDT)
To: Ted Lemon <mellon@fugue.com>, james woodyatt <jhw@google.com>
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <CAKD1Yr019Ga4jg6gVUHnTwh89hWArXKdAcAYEcW0m4gskrO7Ow@mail.gmail.com> <098b84a4-80d4-2404-72a1-5d1cd32a9968@gmail.com> <4E19A596-5B69-4535-A29A-D08874DDC365@google.com> <32929141-250E-44FC-BC67-2B97B373872E@fugue.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "6man@ietf.org" <6man@ietf.org>, "v6ops@ietf.org WG" <v6ops@ietf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <f6253740-6316-810c-c062-e268875f8640@gmail.com>
Date: Thu, 20 Apr 2017 12:10:00 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <32929141-250E-44FC-BC67-2B97B373872E@fugue.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/UQzUadLYTx8fIqtZVODBtVGmpS8>
Subject: Re: [OPSEC] [v6ops] ULAs [was WGLC for draft-ietf-opsec-v6]
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 00:10:43 -0000

On 20/04/2017 10:47, Ted Lemon wrote:
> On Apr 19, 2017, at 5:15 PM, james woodyatt <jhw@google.com> wrote:
>>>> Unique Local Addresses (ULA) [RFC4193] are intended for scenarios where IP addresses are not publicly reachable, despite their global address scope. They MUST NOT appear in the default-free routing domain of the public Internet, and gateways at the boundaries of private routing domains SHOULD NOT forward packets from or to ULA addresses where multilateral transit agreements do not explicitly recognize them.
> 
> Changing the first "globally" to "publicly" isn't necessary.  Actually, I think this whole change just makes things less clear.   Publicly and globally mean the same thing.   ULAs are never globally reachable.   If you have more than one site, and route ULAs between them, the ULAs have to be routed over your private links, not over the public internet.   I get that in principle it may be possible to route your ULAs over a link that also carries global traffic and that is not "your link," but it would be better to clarify this in an additional paragraph; by adding the text where you have, you are going to confuse the heck out of any reader who doesn't know what a "multilateral link" is.

Also, "globally reachable" is a term of art in draft-bchv-rfc6890bis and in the new form of the IANA registry that it defines. Once that's final, there is work to do elsewhere (for example, the de facto meaning of "global" in the Python ipaddress module is plain wrong). So this is important terminology. I have no problem mentioning transit agreements, but I think James' SHOULD NOT should also be a MUST NOT.

My routing friends tell me that there's no such thing as a true DFZ any more, too.

    Brian

v2.23.0 | Report a Bug | By Email