IETF Logo Mail Archive

Re: [v6ops] IPREF as a transitioning tool

waldemar <waldemar@wdmsys.com> Fri, 10 November 2023 08:30 UTC

Return-Path: <waldemar@wdmsys.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98028C15C2A3 for <v6ops@ietfa.amsl.com>; Fri, 10 Nov 2023 00:30:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.197
X-Spam-Level:
X-Spam-Status: No, score=-2.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wdmsys.com header.b="n3aYfFw3"; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b="DWW9FV9r"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsNQhXWJqLLE for <v6ops@ietfa.amsl.com>; Fri, 10 Nov 2023 00:30:28 -0800 (PST)
Received: from azure.pine.relay.mailchannels.net (azure.pine.relay.mailchannels.net [23.83.219.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3392AC1519AA for <v6ops@ietf.org>; Fri, 10 Nov 2023 00:30:27 -0800 (PST)
X-Sender-Id: _forwarded-from|217.96.228.89
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 82EA7101D85 for <v6ops@ietf.org>; Fri, 10 Nov 2023 08:30:23 +0000 (UTC)
Received: from outbound1g.ore.mailhop.org (unknown [127.0.0.6]) (Authenticated sender: duocircle) by relay.mailchannels.net (Postfix) with ESMTPA id 0E6D81013AF for <v6ops@ietf.org>; Fri, 10 Nov 2023 08:30:23 +0000 (UTC)
ARC-Seal: i=2; s=arc-2022; d=mailchannels.net; t=1699605023; a=rsa-sha256; cv=fail; b=0MPKgR1pu2MINr7/sd8cLEeI9+D59Ac+4nNjYurqQ4gSJfDuV4M7S6CFtHcvULTcdjAKfI aePEz1BRluz9tNXB1oywOClR4xeazpqglZUHQ7WkV08m1+8+fJPyky2up5F1eD7yXxG8TI ZMGYkS733RDvLgwa5smj24rA0UUMsufhS3ExLAhHwHqYFbRyhoXc/NaPK67w7dk4AqeoUx dIx45rZa9cHDYI6fWWkaIp8xnkOiXHuniWjzs6xOWDMpBkgwEjz72UzqP3lIJAla8z/pYI xLHydCOGreQqdt7TQYKUEsi84PwuTnp9DiP9jKF3jgJxsd8fxkb6XPMlH2+/dQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1699605023; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=ikbZeXkQN1UcnKTC2E5Tt8jjKXr5KdD9uvTimCZKeUs=; b=SBQAMAS9Npks5ZYFM9r0AvxNYLerysz4f8Hm2Uv3feELKwMxjiUotgsKEayTGVFKWx8ak/ YyZFaZ39IDTec2XOgIxYLeEIdNbFu78Vt4onHq3e1/RGPgO7Ply1hiPuJKvi9x9zjnYGzj 4v6deDKzkRpiSN6hiBrq63/2LujSx48KvxbJo8x+yN9/PMi/MfvWiaaxFvao4yua5xaFN8 OecxI9TwRS6ceARvosgjB8RfktRpiqUs9g6mjlR/sdEfMRsH9ra7bR5D24NcYIvMXivTd6 UF/xdbx1d3/WYd6U6H4PifZUTscZv+1r8YhpG6nKt8GMNDusqUxQeGfSOP5grw==
ARC-Authentication-Results: i=2; rspamd-6c48c794c6-v7s65; arc=reject ("signature check failed: fail, {[1] = sig:outbound.mailhop.org:reject}"); auth=pass smtp.auth=duocircle smtp.mailfrom=waldemar@wdmsys.com
X-Sender-Id: _forwarded-from|217.96.228.89
X-MC-Relay: Junk
X-MailChannels-SenderId: _forwarded-from|217.96.228.89
X-MailChannels-Auth-Id: duocircle
X-Abaft-Belong: 6b656a5b1e8d6cab_1699605023184_1803102164
X-MC-Loop-Signature: 1699605023184:3162823098
X-MC-Ingress-Time: 1699605023183
Received: from outbound1g.ore.mailhop.org (outbound1g.ore.mailhop.org [54.68.34.165]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.97.113.86 (trex/6.9.2); Fri, 10 Nov 2023 08:30:23 +0000
ARC-Seal: i=1; a=rsa-sha256; t=1699605022; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=KsCb3HJxwjyl/LSERYs7VeCHBWRMy2x32O0q8zAUwilHkiRloLqe7rnwxoLse6FBr9YZV+txJMrBj xyDyea8w8rScLFAIFYgWKkW/n9klbhhKQvICNloUmP/zL0m3YL16JOCDKGWrVFS3fYvIqeAkxxJcLh qPhmWYSmyK9gPy8KXnN90HOrF3F5ujKqppKrZaxvLkmDz9KITs6c0gLyV7PosDCew7SOHFmUwDxR9V 8ZBQcwzw4fU0Xj5oF7z1F24u6Z7K2MjLA2W1DN9AhvGu/M3fP5ZZpcXF8K1Axsp/wHcbw4zumWg4Ga 5AbenES58Kn7r/NrP8zObwkdbYHp1Zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-transfer-encoding:content-type:in-reply-to:from:references:cc:to: subject:mime-version:date:message-id:dkim-signature:dkim-signature:from; bh=hpxaBdzkuDOuA+d7x+CbZlDslpFPD6xjdMIqz2/9WhI=; b=ihx2Wmew+jcN45PAPxaxoGRbhslVhAcmrFaShee28vqKZF1xP5bpywNirp30GafgTkBHnkU9Gqk7e JfTLMSA26beX71qlHGt/uq1Vger/OT8H5OwrxMgZBAkX0vZ2DRQUiEjDGeYpSZQxJO33imp0IIDsaY AEyWXJ25BlCDh+OZfc47CVgjlwlmys/4xJvpy8DT5+21CPwSl4gsTD0ief3vaADYrxU78gtNmMgxvY Urat6Cwv7aKqtVLI0b0oaevC98LcMKUTZedSOBDf9Y+smC8LtAFLnP4+RM7fD1zS4hTH5GywTJdCbK EhNt76QZEz9I5zTQADAJCxW9moPQRuw==
ARC-Authentication-Results: i=1; outbound3.ore.mailhop.org; spf=softfail smtp.mailfrom=wdmsys.com smtp.remote-ip=168.235.72.19; dmarc=none header.from=wdmsys.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wdmsys.com; s=duo-1675405977089-29a98ead; h=content-transfer-encoding:content-type:in-reply-to:from:references:cc:to: subject:mime-version:date:message-id:from; bh=hpxaBdzkuDOuA+d7x+CbZlDslpFPD6xjdMIqz2/9WhI=; b=n3aYfFw3nY0bGS7lkiNRjfrzqiN1r0T692tVuzM4Vo8m5r3ShuZiccDHjqGVc1XWP9D2EZGlUn1HO /9M4F9y1tZWOFhB1B0bx7Lh2Blro7FEp6fdF36GjWjKedKFwbyeFBsWoL3b5AYJ65UiokuaR61pVpA aNZjegIKCmaEnA8w=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-transfer-encoding:content-type:in-reply-to:from:references:cc:to: subject:mime-version:date:message-id:from; bh=hpxaBdzkuDOuA+d7x+CbZlDslpFPD6xjdMIqz2/9WhI=; b=DWW9FV9rbEBaOSNLeKOm5sdPQ8ad+3dasz9Aed9kfG0a4vmQW5cc6RSoGqHjz+eKHqF3Cy8YlbpSP ApLc0zRngwBYP0YYOfGNEiENMLe5yGgc6lWMMSrK0TBcdz8vhuRYzGwbHKlW+LntCoiYT771srSwhD P+8pUkPjxToz403ZakBwN1K+0fbAL3o6pXJm6J3IO2ouxbgDmiHhb4LRd43UEVqe9cSAVdAtxtQEBX A64/djetL7X7wJndCACVN0GEVyYgAmVtSjsdYjSXOUVFsaauSaY5dzi+vKQrdCeOPOQIq/2syyrRKU InDcoh/C34L/NKb2r2Y3mGQaV3SkvLw==
X-Originating-IP: 168.235.72.19
X-MHO-RoutePath: d2FsZGVtYXI=
X-MHO-User: 600d4294-7fa3-11ee-8626-d1581f149e9f
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from cmail.wdmsys.com (168-235-72-19.cloud.ramnode.com [168.235.72.19]) by outbound3.ore.mailhop.org (Halon) with ESMTPSA id 600d4294-7fa3-11ee-8626-d1581f149e9f; Fri, 10 Nov 2023 08:30:20 +0000 (UTC)
Received: from 217.96.228.89.ipv4.supernova.orange.pl ([217.96.228.89] helo=[192.168.1.13]) by cmail.wdmsys.com with esmtpsa (TLS1.3) tls TLS_AES_128_GCM_SHA256 (Exim 4.95) (envelope-from <waldemar@wdmsys.com>) id 1r1Mu8-000dw8-0r; Fri, 10 Nov 2023 08:30:16 +0000
Message-ID: <442536ba-f736-5106-615c-7fcc0b8dc2a1@wdmsys.com>
Date: Fri, 10 Nov 2023 00:30:12 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-US
To: Mark Andrews <marka@isc.org>
Cc: Martin Huněk <martin.hunek@tul.cz>, v6ops@ietf.org
References: <90f07ffa-1f44-8fa6-a6eb-b35c14fcf655@wdmsys.com> <11220775.0j3nEXixpK@asclepius.adm.tul.cz> <df800110-7ee4-23d8-e11f-c6e1e32e8edc@wdmsys.com> <33892F6F-A2AF-4BAA-BB33-1ED99F9FD674@isc.org>
From: waldemar <waldemar@wdmsys.com>
In-Reply-To: <33892F6F-A2AF-4BAA-BB33-1ED99F9FD674@isc.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/1EF-UCwAhDyk3moJ1iZUjnPjfZo>
Subject: Re: [v6ops] IPREF as a transitioning tool
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Nov 2023 08:30:32 -0000

On 11/9/23 22:12, Mark Andrews wrote:
> There is nothing new in this proposal other than adding an unnecessary new DNS record.
>
> Many moons ago the IETF/IRTF was presented with a DNS server that talked to a NAT64 to
> establish A to AAAA mappings on demand to allow IPv4 machines to connect to IPv6 machines.
> See section 3.2 of your proposal.  It worked but clearly had scaling limitations as it needed
> a large IPv4 block to service a small IPv4 client base.  Putting one in every home CPE router
> would probably work but is it really necessary when 99.99% of clients already support dual
> stack.
...scaling issues.  Yes, exactly. IPREF does not have scaling issues.
>
> We already have the ability for IPv6 to connect to IPv6 to IPv4 using NAT64.  This can be run
> with initiating traffic coming from both directions at the same time.  IPv6 on the public side
> to IPv4 on the private side with static mapping and AAAA records in the DNS as well as the more
> common use of dynamic mappings when running IPv6 only on the private side.  This has been done
> for many years now.

...thereby reinforcing IPv4. You will never do away with IPv4 Internet 
this way.

For as long as IPv4 Internet exists, the transition to IPv6 will never 
be completed.  Are you concerned at all that this may happen? Has there 
ever been a doubt in your mind that IPv4 might survive?  Is the fight 
over transition tools worth risking IPv6? IPREF transitions only to pure 
IPv6, it uses only pure IPv6 Internet. It removes IPv4 addresses.

>
>> On 10 Nov 2023, at 14:13, waldemar <waldemar@wdmsys.com> wrote:
>>
>>
>> On 11/9/23 17:12, Martin Huněk wrote:
>>> Hi,
>>>
>>> I'm missing these parts:
>>> - How this technology would interact with the networks that would not use IPREF.
>> It wouldn't. Gateways are needed on both ends. You should think of GWs as a software upgrade on the edge routers, although stand alone gateways make sense in certain configurations, too.
>>> - How the GWs would know when to switch to the IPv6 on the Internet.
>> They wouldn't. The servers would advertise addresses with IPv6 context addresses. GWs don't choose, the endpoints do.
>>> - What about DNSSEC?
>> This was discussed (offline). No issue here. Unlike NAT64, IPREF actually places the exact returned addresses in the packets. It does encode them for local hosts, which are unmodified, but GWs decode them back to their original values when sending out of the network. Also, there is a proposal for a new RR which would simplify things for DNSSEC.
> But you have the DNS synthesising A records.  This does not work with DNSSEC.
No, I don't.  DNS returns what is configured. It does not do any address 
processing. And, it does work with DNSSEC. The paragraph below indicates 
that because hosts are unmodified, thus don't understand IPREF 
addresses, the resolver must encode them. The gateways then restore them 
when the packets reach them. There is no synthesis, just dealing with 
unmodified hosts.
>
> 3.2. Local Network Resolvers
>
> Local network resolvers must recognize IPREF addresses returned by DNS queries.
> They must also be capable of encoding them into native IP addresses in consultation
> with IPREF gateways. This is shown in Figure 4 as a line connecting local DNS resolver
> with IPREF gateway GWA. Encoding is needed because local hosts do not understand IPREF
> addresses. Instead, local hosts use encoded equivalents which are then replaced with
> the actual IPREF addresses by the gateways. There may be a need to standardize on how
> resolvers communicate with gateways.
>
>
>>> - What benefits does it bring to the network that already did the transition?
>> They would be able to communicate with those that did not, or with some more exotic or experimental networks like SCION. IPREF also allows peer networking. Dealing with references might be viewed as easier than dealing with IP addresses.
>>> A lot of us do not start with just IPv4 running. We run dual-stack or braver ones IPv6-mostly/only. The IPv4-only starting point would be around 15 years ago.
>> A lot is still less than all.  Dual stacks prevent taking down IPv4 Internet. The hope that somehow everyone switches  to IPv6 and we can take down IPv4 is a mirage.  These existing technologies perpetuate IPv4. They will never be able to eliminate IPv4 Internet.
>>> Modifying DNS replies on a local recursive resolver is not a good idea. This would break DNSSEC signatures, so IPREF would not work for DNSSEC-validating clients.
>> As mentioned above, DNS replies are not modified. DNSSEC is fine.
> You are mistaken. Section 3.2 requires NODATA being turned into records.  This does not work with DNSSEC.
>>> Rest see inline.
>>>
>>> Dne středa 8. listopadu 2023 10:08:14 CET, waldemar napsal(a):
>>>> I wanted to address one comment that I did not have time to during the
>>>> session yesterday.
>>>>
>>>> There was a gentleman who questioned the wisdom of introducing another
>>>> transition strategy. He said such a proposal would make sense 15 years
>>>> ago, he also said many could propose new strategies but refrain from
>>>> doing so. He ended by stating that there is no need for another
>>>> transition strategy.
>>> I must agree with the thought of the above-mentioned gentleman. Maybe 15 years ago, this could be a viable solution even though we would probably have thought the IPv6 adoption would have been faster than it actually was. Anyway, now we have the proper tools to do the transition to IPv6-only even without IPREF. We can use, for example, SIIT-DC to shut down IPv4 internally without waiting for latecomers. The IPv4-only operator would not care about the reachability of IPv6-only services (together with any transitional mechanism) until there is something really important there. When so, it is not a good idea to give such an operator tool how to not implement native IPv6.
>> The opposite is true. It is the existing transition technologies that give operators tools to not implement pure IPv6. IPREF transitions only to pure IPv6.
>>>> I generally agree with the line of thought. Excessive proliferation of
>>>> methods is detrimental to the cause. I questioned myself whether to go
>>>> with the proposal or not. In the end I decided that IPREF is so
>>>> different and so distinct from anything currently available that it
>>>> should be presented. I already mentioned that it is based on a different
>>>> principle which will make it succeed where existing methods would fail.
>>>> There are other factors, even more significant:
>>>>
>>>> (a) IPREF is 100% customer premise technology. As such, its use is
>>>> totally dependent on the customers choice. There is nothing IETF can do
>>>> to stop them. It is similar to NAT in this respect. NAT was widely
>>>> despised, still is, by IPv6 enthusiast but it took over the world in
>>>> spite of attempts to  block it.
>>>>
>>>> (b) Related to (a), enterprises love the ability to control the process
>>>> themselves, without anybody dictating what they should or should not do
>>>> with their networks. In addition, the economic profile hugely favors
>>>> IPREF. It is simply cheaper not to do dual stacks, not to do two step
>>>> transition, not to have to upgrade what they don't want to upgrade, not
>>>> to have to coordinate with peers. Less cost, less risk.
>>> With the "Enterprise" admin hat on, I like more tools; there is no dispute about that. However, I don't like the idea of placing some translator in the way of all my traffic and being forced to keep it there until the last latecomer finishes the transition. I run full dual-stack now. If I want to run IPREF, it would cost me additional money to do so - buy the translator. There is more risk that an additional device in the way, the translator, would fail. Higher latency. And because all would have to go through it, for me, it means up to 100 Gbps throughput. I'm not convinced if it is better than dual-stack or 464XLAT + SIIT-DC. Seams more like charity work for latecomers than an economically viable solution.
>> Dual stacks is a huge problem. They re-enforce IPv4. These technologies you mention will never be able to do away with IPv4 Internet.
>>>> (c) Related to (b) the economic profile of IPREF is hugely attractive
>>>> to  ISPs as well. Why doing IPv4-as-a-service if it is not necessary,
>>>> why burden pure IPv6 Internet with IPv4 services if they're not needed?
>>>> How can IPv6 compete with IPv4 if it is required to provide extra
>>>> functionality but which can be avoided? Less cost, less risk.
>>> Now, ISP admin hat on. I'm also doing dual-stack now. I would rather love to get rid of NAT/CGNAT. Putting all the traffic through yet another translator that I do not have now. And keep it for how long? I see the additional cost, not less. Also, there is an additional risk of implementing new transitional technology and to run it.
>> IPREF will eliminate NAT, NAT6, and CGNAT, albeit not the first thing that will happen. ISPs running dual stacks?? Yeah, exactly. We need to do away with it. IPREF is 100% customer premise technology, ISPs don't need to do anything, just provide pure IPv6 Internet.
> And how is this different to ISPs providing IPv6 only connections like they do today with ISP NAT64 (which fills the role of the missing IPPREF gateway at the other end). You can publish AAAA records in the DNS which are mapped to internal IPv4 addresses through a NAT64 on the CPE.
Those gateways are not needed thus freeing ISPs from maintaining 
unnecessary services.
>
>>>> I am just an individual, an inventor, I can do only so much. There are
>>>> different roles played by different entities. IPREF must be picked up by
>>>> others. By vendors to build commercial gateways, by architects and
>>>> operators to complete its specification. This project is in a very
>>>> vulnerable stage. It can be easily dismissed. Because of (a), (b), and
>>>> (c) above, it would be foolish to do so. You must allow that the project
>>>> might be picked up at some point, the gateways will be built, and in the
>>>> end the economy of the method will prevail. IPv6 cause is better served
>>>> embracing it than fighting it.
>>> The whole reasoning is full of claims but very little data and very "heavy" (GWs in every network, modified DNS, etc.) without clear motivation for those who already made the transition.
>> Yes, it is in a vulnerable stage for the moment. There is no way to convince doubters without advancing it by building a GW and demonstrating results. But what else is new?
>>> Regards,
>>> Martin
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.36.0 | Report a Bug | By Email | System Status