IETF Logo Mail Archive

Re: [v6ops] Operational Consensus on deployment

Tore Anderson <tore@fud.no> Wed, 06 August 2014 10:51 UTC

Return-Path: <tore@fud.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70FF11B293E for <v6ops@ietfa.amsl.com>; Wed, 6 Aug 2014 03:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UGgfZGAxrQdd for <v6ops@ietfa.amsl.com>; Wed, 6 Aug 2014 03:51:56 -0700 (PDT)
Received: from greed.fud.no (greed.fud.no [IPv6:2a02:c0:1001:100::145]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2BD61B290E for <v6ops@ietf.org>; Wed, 6 Aug 2014 03:51:55 -0700 (PDT)
Received: from [2a02:c0:2:1:1194:17:0:1000] (port=45056 helo=echo.ms.redpill-linpro.com) by greed.fud.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <tore@fud.no>) id 1XEyp0-0002xc-Hx; Wed, 06 Aug 2014 12:51:54 +0200
Message-ID: <53E20879.4020509@fud.no>
Date: Wed, 06 Aug 2014 12:50:33 +0200
From: Tore Anderson <tore@fud.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <53E0C548.9050706@fud.no> <5C9FC57A-0DA5-4D36-84AE-CF1D6D17FB44@eircom.net> <53E1C587.4000506@fud.no> <m1XEy8M-0000AXC@stereo.hq.phicoh.net>
In-Reply-To: <m1XEy8M-0000AXC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/4ZvjKDS8amuY_4Abo3DuGFH2EYY
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 10:51:58 -0000

* Philip Homburg

> As far as I can tell, your proposal maps every public IPv4 address to a
> unique IPv6 address.

Correct.

> In that context, why not just use, for example, host routes to route IPv4
> traffic to the right interface of an IPv4 host.

That would work, but there's a few reasons why I don't consider that
optimal either:

- It would not help me with IPv6 deployment at all, it distracts me from
it. Having a fully IPv6-enabled infrastructure is the goal I want to be
moving towards. SIIT-DC, like MAP and DS-Lite, *requires* IPv6.

- I'd still need to maintain IPv4 throughout my infrastructure. If I'm
also doing IPv6 at the same time, this means I incur extra operational
overhead and cost compared to single stack - "dual everything", as Gert
said.

- There would be no way to aggregate all the host routes, it would
severely pollute my IGP as every single /32 route must be distributed
throughout my network. SIIT-DC, on the other hand, requires no host
routes, as IPv4 traffic will be typically be translated to the server's
primary IPv6 address, creating no extra IGP routes beyond the /64 or
whatever that's routed to the LAN segment anyway.

- You get interesting routing challenges if the servers need occasional
Internet access through a stateful NAT (e.g., to download software
updates). You'll want to route the traffic sourced from the public
address directly out to the Internet, while traffic from RFC1918 sources
needs to be routed through the NAT instance. But both the NAT and no-NAT
route must necessarily be represented as an IPv4 default route. I'm sure
this could be solved with the use of PBR and/or VRFs, but that incurs
extra complexity. An SIIT gateway is on the other hand reached with a
normal /96 route, and does not need to interfere with default routing at
all. Same goes for a NAT64 instance that could be used for occasional
Internet access analogous to the above.

- You'll actually need special configuration on the servers, setting up
and monitoring a secondary service address. With SIIT-DC, there is no
need to touch the servers at all, except in the case where a host agent
is needed to facilitate applications that do not support NAT and/or IPv6.

- The host routes would need to be installed on each the upstream
routers serving as default gateways for the servers' LAN segments, which
scatters these assignments all over the place. With SIIT-DC, the SIIT
gateways have a complete overview of all configured mappings and what
service addresse are available.

All in all it feels to me more like a stop-gap solution that only deals
with IPv4 depletion, rather than something that also facilitates real
progress towards an single-stack IPv6 infrastructure.

(BTW: I've made the assumption that you mean that the server's primary
IPv4 addresses is a private/RFC1918 one, which is then used as the
next-hop for a public /32 assigned to the loopback interface. Let me
know if this assumption was incorrect.)

Tore

v2.23.0 | Report a Bug | By Email