Re: [v6ops] [EXTERNAL] Re: Scope of Unique Local IPv6 Unicast Addresses (Fwd: New Version Notification for draft-gont-6man-ipv6-ula-scope-00.txt)

Fernando Gont <fgont@si6networks.com> Wed, 06 January 2021 06:32 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 351403A106F; Tue, 5 Jan 2021 22:32:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level:
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.262, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wpPOcDwNfiZm; Tue, 5 Jan 2021 22:32:50 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A37C3A103F; Tue, 5 Jan 2021 22:32:49 -0800 (PST)
Received: from [10.0.0.129] (unknown [186.19.8.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id EE92E283BB4; Wed, 6 Jan 2021 06:32:44 +0000 (UTC)
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
Cc: IPv6 Operations <v6ops@ietf.org>, 6MAN <6man@ietf.org>
References: <160989494094.6024.7402128068704112703@ietfa.amsl.com> <6fe3a45e-de65-9f88-808d-ea7e2abdcd16@si6networks.com> <CAO42Z2wR-3vbHi-NrBBMmCTNDq5fgqvSmBUbYK7P+63QTNfxkg@mail.gmail.com> <2e80ec51-ec66-16c7-7c9e-a6e8d632c5de@si6networks.com> <91dd34c29aa64a5d80f64bd0a4370dcc@boeing.com> <02c4c5bd-5a49-81f3-4379-c71dbb252112@si6networks.com> <da9fabb091294fc6bf55184f1cce5d61@boeing.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <31ab1e02-ea3c-08db-20be-83576afa5b7a@si6networks.com>
Date: Wed, 6 Jan 2021 03:32:32 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <da9fabb091294fc6bf55184f1cce5d61@boeing.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/0Zh2tcoNrkdoW6_WSIKYpYkyfHk>
Subject: Re: [v6ops] [EXTERNAL] Re: Scope of Unique Local IPv6 Unicast Addresses (Fwd: New Version Notification for draft-gont-6man-ipv6-ula-scope-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 06:32:54 -0000

Hi, Bert,

On 6/1/21 02:53, Manfredi (US), Albert E wrote:
> Hi Fernando, let's follow the KISS principle.

KISS *and* real, please ;-)



> -----Original Message----- From: Fernando Gont
> <fgont@si6networks.com>
> 
>> RFC4193 does not mandate a specific algorithm, but rather specified
>> the
> requirements for the PRNG (good for the RFC4193 authors!). So, 
> documenting the seed will serve no purpose, because other 
> implementations might use a completely different algorithm for 
> generating the ULA prefix.
> 
> Within an enterprise, the admin has a choice of which PRNG to use,
> and what seed to use. Think in terms of one guy, making that
> decision, and then documenting all the Global ID 40-bit sequences in
> use, in the various nets of the enterprise. The guy with this
> responsibility can certainly decide on which algorithm to use!
> 
> It is easy enough to guarantee uniqueness, in this case.

Please do the math.

Being able to connect a few networks together does not mean the addreses
are unique. You can't normally connect  several 10.0.0.0/8 nets, too.

Global-scope, as per RFC4007 would imply that *the ULA prefixes are
globally unique*. *All, at the same time*.




>> An this one is obviously non-enforceable, for multiple reasons,
> including the fact that RFC4193 doesn't mandate any specific
> algorithm.
> 
> I am the enterprise admin, I'm tasked with administering the ULAs for
> the enterprise, and I enforce the rule. The admin of one enterprise
> network has no say in what other admins, of other enterprise
> networks, want to do. Nor is there any requirement for ULAs of
> different enterprise nets to be mutually unique.

Indeed, "global scope" would imply exactly that. Please check my I-D, 
which quotes the relevant text from RFC4193.



>> I don't think anybody has equated ULAs with link-locals. The
>> argument
> has been, instead, that: scope(link-local) < scope(ULA) < scope(GUA)
> 
> Something like "single administrative domain scope," if that existed,
> makes sense to me. I think the problem is that today, it's either
> link local or global scope?

Exactly!  ULAs are not link-local, but not "global", either. They have a 
scope that lies somewhere in between link-local and global.

In my I-D, I called the ULA scope "local", but I don't mind changing 
that to "single administrative domain scope", "private scope", or 
anything else.

The point is, indeed, that ULAs are currently defined as global. BUt 
they are not -- their scope is certainly smaller than global.




>> In a way, the expectation of ULAs to be global-scope is probably
>> what
> drove the recent discussion on the 6man list about a ULA registry --
> 
> To me, that's a different discussion. That registry idea would
> probably be a necessity, but only for the fc00::/8 ULAs, which are
> for future use. When ULAs are not assigned by an individual admin,
> the problem of uniqueness is different, no? 

Indeed. When they are not centrally assigned, or not assigned by the 
same admin, you cannot expect them to be unique across different 
administrative domains. You can expect the probability of collisions 
*when interconnecting a reduced number of ULA-based networks* to be 
small.  But you can certainly not expect the ULA prefixes to be unique 
at a global scale. when you consider ~1M networks (not a big deal if you 
e.g. expect that each home will generate a ULA prefix) you actually have 
almost certainty that there's a collision.



> To me, that registry
> problem is a non-issue, unless and until we start using the fc00::/8
> addresses. As of now, only fd00::/8 are being discussed.

To me, it's also a non issue. But it looks like the proposal for a 
registry has been motivated by the expectation of ULAs being *globally 
unique* (as opposed to "unlikely to collide if you interconnect a 
handful of ULA-based networks").

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492