Re: [v6ops] draft-ietf-v6ops-v6-aaaa-whitelisting-implications-00
"Livingood, Jason" <Jason_Livingood@cable.comcast.com> Fri, 31 December 2010 18:24 UTC
Return-Path: <jason_livingood@cable.comcast.com>
X-Original-To: v6ops@core3.amsl.com
Delivered-To: v6ops@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 053DC3A6810 for <v6ops@core3.amsl.com>; Fri, 31 Dec 2010 10:24:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.826
X-Spam-Level:
X-Spam-Status: No, score=-103.826 tagged_above=-999 required=5 tests=[AWL=-3.291, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_13=0.6, J_CHICKENPOX_23=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SI6fhospb1PZ for <v6ops@core3.amsl.com>; Fri, 31 Dec 2010 10:24:02 -0800 (PST)
Received: from cable.comcast.com (copdcimo01.potomac.co.ndcwest.comcast.net [76.96.32.251]) by core3.amsl.com (Postfix) with ESMTP id ED9673A67C2 for <v6ops@ietf.org>; Fri, 31 Dec 2010 10:24:01 -0800 (PST)
Received: from ([24.40.55.41]) by copdcimo01.cable.comcast.com with ESMTP with TLS id 5503630.20622941; Fri, 31 Dec 2010 11:35:59 -0700
Received: from PACDCEXMB06.cable.comcast.com ([fe80::6134:ea50:286a:c0]) by PACDCEXHUB02.cable.comcast.com ([fe80::11d4:f530:37a0:9f4e%12]) with mapi id 14.01.0270.001; Fri, 31 Dec 2010 13:26:02 -0500
From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: draft-ietf-v6ops-v6-aaaa-whitelisting-implications-00
Thread-Index: AQHLqRgtl8+KvqhDu0m6RalXgS/NDw==
Date: Fri, 31 Dec 2010 18:26:01 +0000
Message-ID: <C9438334.126F9%jason_livingood@cable.comcast.com>
In-Reply-To: <4CBE0869.50205@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.0.101115
x-originating-ip: [147.191.125.11]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <BA6AA38A0DFAC64586C59E5E58D638D6@cable.comcast.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [v6ops] draft-ietf-v6ops-v6-aaaa-whitelisting-implications-00
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Dec 2010 18:24:03 -0000
Brian - Replies inline below and cc'ing the v6ops list since this is now a WG I-D. The changes you have suggested below will be made shortly in a -01 update of this draft. Thanks for your feedback! - Jason On 10/19/10 5:06 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com> wrote: >Hi Jason, > >Thanks for writing this. A couple of comments: > >> 7.3.6. Additional Implications If Deployed On An Ad Hoc Basis > >Well, how about > > 1. Scaling (and manual updates). The cost and error-proneness > seem very high, especially as you get nearer to... > > 2. When at least half of the Internet is white-listed, do you > flip over to black-listing the other half, and then... > > 3. What is the exit strategy? Do you just declare victory and switch > the whole mechanism off one day? [JL] Great suggestions - I have added the following text to that section: Additional implications, should this be deployed on an ad hoc basis, could include scalability problems relating to operational processes, monitoring, and ACL updates. In particular, it seems quite likely that as the number of domains that are whitelisted increases, as well as the number of IPv6-capable networks requesting to be whitelisted, that there is an increased likelihood of configuration and other operational errors, especially with respect to the ACLs themselves. It is also unclear when and if it would be appropriate to change from whitelisting to blacklisting, and whether/how this could feasibly be coordinated across the Internet, which may be proposed when a majority of networks (or allocated IPv6 address blocks) have been whitelisted. Finally, some parties implementing DNS whitelisting consider this to be a temporary measure. As such, it is not clear how these parties will judge the network conditions to have changed sufficiently to justify disabling DNS whitelisting and/or what the process and timing will be in order to turn off and stop this practice. > >> 8.3.1. Solving Current End User IPv6 Impairments > >This would IMNSHO be a much more productive use of effort. [JL] Quite so! I have added this text at the end of that section: Despite any potential challenges, many in the Internet community are already working towards this goal and/or have expressed a preference for this approach. > >... >> >> One challenge with this option is the potential difficulty of >> motivating members of the Internet community to work collectively >> towards this goal, sharing the labor, time, and costs related to such >> an effort. Of course, since just such a community effort is now >> underway for IPv6, it is possible that this would call for only a >> moderate amount of additional work. > >Yes, and when people see that solving this issue is in their own >self-interest, it may turn out to be considered essential work anyway. > >> >> [EDITORIAL: More to add?] > >Yes. We need to be specific about the root causes of the loss of sessions. >For example, for 6to4 clients, it is often the case that the IPv6 server's >ISP is not providing a route to 2002::/16 that leads to a 6to4 relay >willing >to relay traffic. It's in the enlightened self interest of every ISP that >has content providers as customers to provide such a relay. Have they been >told? And so on for each of the root causes. > >This needs work; just throwing your hands up and saying "too hard!" isn't >OK. > >The other thing to add is to encourage the "happy eyeballs" approach. [JL] There are a lot of potential root causes. I'm still a bit conflicted on whether they should be covered in this I-D or a different one. I'll note this as an open issue for later. Thanks again! Jason
- Re: [v6ops] draft-ietf-v6ops-v6-aaaa-whitelisting… Livingood, Jason