IETF Logo Mail Archive

Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host

Lorenzo Colitti <lorenzo@google.com> Mon, 04 January 2016 05:37 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B08E1A0334 for <v6ops@ietfa.amsl.com>; Sun, 3 Jan 2016 21:37:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.511
X-Spam-Level:
X-Spam-Status: No, score=0.511 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAz1c5oAZuIf for <v6ops@ietfa.amsl.com>; Sun, 3 Jan 2016 21:37:20 -0800 (PST)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 347AD1A0318 for <v6ops@ietf.org>; Sun, 3 Jan 2016 21:37:19 -0800 (PST)
Received: by mail-yk0-x22c.google.com with SMTP id v14so144756294ykd.3 for <v6ops@ietf.org>; Sun, 03 Jan 2016 21:37:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=yHLF2f7cyig3y440hSgfLqqZlIqzQG79KjaGvbtTN3Q=; b=PYQFamEJrpzajJaYtw0qjgfSeqKIz3DQ3oPsTRcTAFs8XfrzJ4SyKWvSdPQI71QZ9L p+rc5SoBm587qm/uKouFzwrnO5m0udX8YQThaz3OCRvZshGB2Opq6QHhKpt7KS6c3QFU VNgcktoIY3iUWHdwwTn/4SHeFX0tcYyTtV8xduuVi/O8h8OMQo39eqZUG4a7OWe8c13u 00w1kLVi12xXb52QJVKzAxFS2DKaZi63UsYPyzccTXxuxNGozPrYBNRsiCnnN2VLLgUn vm1pVgsqE09opLniK1adt90ivxLYHPgMaulJh+JxnQs5F1Rd3OP8TSNHthB1z4rk8DvA DdGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=yHLF2f7cyig3y440hSgfLqqZlIqzQG79KjaGvbtTN3Q=; b=PSiTj+WlrXrGZhEWD7/IyjEBuBNrmUnQfrMdt0HjrYLSLLQSHxEjGcgiMa6oDNXYS9 QczdWnnM1ojTjqQ7wxK2kbcF/ClrRycaiUGp8F9I7uWTTQxNhN4+hzK9AzUcBVMmtA6T hzD0+5TCNgSZGC78KlDw9iSytXBRt2D8QePlK/BqUuh89w7POEMUsp/QONP7leo7P/+q I0O5eFsJ8u07JWYvxh+MDPA9xhE855VO3VqhoBeDuN5zLvbTtnzNe5omVInossieG4Ns BtHT3IZCN8xn7YfkRmlYVG4vWZ77Z+vzJ8XMcB34yU7+EtZM18k8axp+BOMRSUQaLDh4 St7Q==
X-Gm-Message-State: ALoCoQmpDxC40zGuokWzr09vAtlnAh8SFzecz5Cz5ignYF8JFZk6IvBBiCfcScR8IcTQT2E0Y7GQLC2V4Fjm8I7oQq7H4qsgBwAhMewaiJReN7dXXDlGfAE=
X-Received: by 10.13.205.199 with SMTP id p190mr70874124ywd.116.1451885839030; Sun, 03 Jan 2016 21:37:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.208.201 with HTTP; Sun, 3 Jan 2016 21:36:59 -0800 (PST)
In-Reply-To: <201601031900.u03J0LMe009763@irp-lnx1.cisco.com>
References: <201601031900.u03J0LMe009763@irp-lnx1.cisco.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Mon, 04 Jan 2016 14:36:59 +0900
Message-ID: <CAKD1Yr3RY1oUtQnN675djc22f7B1Fhx0Ntsmr9rmZVEqmygRDg@mail.gmail.com>
To: draft-ietf-v6ops-unique-ipv6-prefix-per-host@tools.ietf.org
Content-Type: multipart/alternative; boundary="001a114e5eb6b11f0b05287b830f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/1Yl5Ygd9z2gkrG3ddQMnusGa3Ds>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jan 2016 05:37:22 -0000

On Mon, Jan 4, 2016 at 4:00 AM, <fred@cisco.com> wrote:

> And now for something a little different. I'd like to invite focused
> discussion of draft-ietf-v6ops-unique-ipv6-prefix-per-host, which we
> adopted at IETF 94
>
> Slides are at
> https://www.ietf.org/proceedings/94/slides/slides-94-v6ops-4.pdf.
>

As I said before, I think it's a great approach. The alternative/current
approach of IPv6 on wifi relies on sharing a /64 between untrusted devices
belonging to lots of different customers. That is a security nightmare that
ends up in the network having to maintain lots of state and perform lots of
layering violations (DAD proxying, ND snooping, etc.) This is much better -
everything is plain layer 3 with no hacks, and the user gets a full /64.

Comments:

The draft is targeted to BCP but it is also a description of a particular
solution. That doesn't work well in some places, notably where it says that
the solution uses a captive portal. I don't think there will be consensus
to say that a captive portal is BCP compared to, say, 802.1x, hotspot 2.0,
etc. I think its BCP status should be limited to public wifi networks or in
general for networks where subscriber isolation is a strong requirement.
This is not applicable to home networks, for example; many home networks
don't provide address space in most home networks to support it.

I'd like this draft to cite draft-ietf-v6ops-host-addr-availability, since
/64 per host is not only simpler for the operator, it's better for hosts as
well. On a related note, please remove all mention of the singular "IPv6
address" or "/128 address". Many (all?) common implementations configure
both stable and privacy addresses by default, so that text is incorrect.
For example, change "to select its /128 unique address" to "form global
IPv6 addresses". Also change "it will assign itself a 128 bit IPv6 address
using SLAAC" to "it will form one or more IPv6 addresses using SLAAC". This
happens in lots of places.

The draft should be a bit more explicit on whether communication between
devices is allowed (I assume yes?), and if so, how (I assume the packet is
tunneled to WLAN-GW and then tunneled back to the other device?).

The draft recommends an RA interval of 300s and preferred lifetime of
1800s. But draft-ietf-v6ops-reducing-ra-energy-consumption recommends
"approximately 7 RAs per hour", and lifetimes of "roughly 45-90 minutes".
The two should be made consistent, or the difference should be justified.
We shouldn't be putting out two BCPs with different recommendations.

I don't understand the text "To accomodate this the WLAN-GW can
periodically perform a Subscriber Host Connectivity Verification (i.e.
periodically ping each IPv6 UE...)". It seems to me that the the whole
point of this approach is that the WLAN-GW doesn't need to know the
individual IPv6 addresses formed by the hosts. Also, there's no guarantee
that devices will respond to ping. I think better solutions are:

   -
   - The AP could inform the WLAN-GW of when a subscriber disappeared.
   - The WLAN-GW could time out any GRE interface that had not received any
   packets in the last X minutes, or if the customer's /64 prefix had not
   originated any packets in the last X minutes.

Again, the "subscriber host connectivity" solution would be fine in an
informational document describing a particular solution, but not for a BCP.

Cheers,
Lorenzo

v2.23.0 | Report a Bug | By Email