IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 02 May 2022 22:54 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55299C14F75F; Mon, 2 May 2022 15:54:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.954
X-Spam-Level:
X-Spam-Status: No, score=-2.954 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7KNYpTzlxACx; Mon, 2 May 2022 15:54:47 -0700 (PDT)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DA1CC14F734; Mon, 2 May 2022 15:54:47 -0700 (PDT)
Received: by mail-pg1-x536.google.com with SMTP id x12so12727721pgj.7; Mon, 02 May 2022 15:54:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=1o4Is4wAp2OGqW+IzGJkQ62nKXSG+pW7Kv/YkLNeL3o=; b=PTjvmff2DDWYSErAYcKfLu25dGsQVffFM5xRg3XMEwSwFnMkAEIa2uxO+Bzr6jTNul 4hRVRdXGqkjX/zK8H0LBoYsMdkEHmkVqYzkeuP5Jbk0YfDmj9mE19wGPtXqbnauTd5kE 6yn7WUsEPilutIba07GSWuT78qZhD/0CFN6EH3xPQy0H/y4OmmhlV0GbHth+K6eDXclr WZh9LLzQPRRamqfI9/dv8q1mPbp4ylH1wm9lif7t7EjtYXlaAHxtrbsQ9yu/XqOBczBA b+g29WEIdiqsHV9At7asGFNkuiQ6tGA9sJRsDyyjBDWXuDSkTHYzTHD/jQUoDhFKiFvI glhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=1o4Is4wAp2OGqW+IzGJkQ62nKXSG+pW7Kv/YkLNeL3o=; b=ETM1EO958/G0kEcwGYs7186OhSefRzO23KzvO1nFmj3qJJrivspS5fWwdnCreB6/nD Iobs9+Y/YeMCD1k7TrU18lyu/2eQ3IAX2oOKmRfxPsh+F7nmB8FHhKV7OLvg3v1E1PJ/ X5puDpnuIxtMEBxT6mnK7+TU8eTyfOIaaYW/9CuTEO5SqWEPCm1ZL59hHicON2XLlVxJ lVUabScb4/J7K3tvltUIjmZMTK/lb5kqWRd+jJ/J3nPUNIR47eFraHOKMXDb6DBZMKS4 B8QaI+bDO5WNUroCsJPa/HfPvV5mmHngtej2TZ/eKPEpL3h2CP0N0H+nFMsc2NHG2AS8 NT2g==
X-Gm-Message-State: AOAM533QBpYacrTPDV1vpX0WisJvmfS6gGTzJ/iMwZCLeAJJUGpiKgtj gWO3g4109jmkR08M0MYp+KWfDhG4VzqXog==
X-Google-Smtp-Source: ABdhPJyPo5Fv7Y6coXZ633EFltWv9LSA5HJjitQULFYP4cJNLKRbdY+nF2ED4nKdyWdAfZJsDbOpsQ==
X-Received: by 2002:a63:914c:0:b0:3ab:894d:60e7 with SMTP id l73-20020a63914c000000b003ab894d60e7mr11590008pge.176.1651532085921; Mon, 02 May 2022 15:54:45 -0700 (PDT)
Received: from ?IPv6:2406:e003:1005:b501:80b2:5c79:2266:e431? ([2406:e003:1005:b501:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id d12-20020a170902728c00b0015e8d4eb271sm5170902pll.187.2022.05.02.15.54.42 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 02 May 2022 15:54:45 -0700 (PDT)
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>, Mark Smith <markzzzsmith@gmail.com>
Cc: v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>, Kevin Myers <kevin.myers@iparchitechs.com>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <CAFU7BAST-oNGpy4JvODDsf=8eS69hV8XCi8OgEHBkkoujRN3Rw@mail.gmail.com> <699f556a3eac41179a80d2cc8749a191@huawei.com> <CAO42Z2wiebCOPmtcEOJ3rOaZEpHE7qFZZTf5KLWybSsL6rOd9Q@mail.gmail.com> <CAN-Dau1FV-uEkX1S7vOEVxggjcNvUVTmokPAEOiapxPTySN-vw@mail.gmail.com> <CAPt1N1mk8Qv1anXohCJaiH0WWn-BkS4mr=ffyF0cCaE7CM314w@mail.gmail.com> <CAE=N4xf_wRPQeChkfXWxj7+Do8jp2U6hDtjH+-RUNis+ynMRbQ@mail.gmail.com> <CAM5+tA__Gegt5fR1UFwshm7DKDVMDpFsJK2jMG6Z6Yo79Noc3A@mail.gmail.com> <59b90d7184194a84a0c53b616796dec0@huawei.com> <BN8PR07MB70767C3EC7B68EF1D2286CFE95FC9@BN8PR07MB7076.namprd07.prod.outlook.com> <CAN-Dau3iyP7sMUsiP3ckYEpkLoQK-bpgKnDn6d4Ci7f9V_5CPw@mail.gmail.com> <14c97051cbeb4e20b4b1103c894cd602@huawei.com> <CAN-Dau2s+MxdC1xc9xM=Gs2x5Ak9nh0uv-m5_nYGPHymZMUJsw@mail.gmail.com> <CAO42Z2yJjcQp4C4FXy-vfs+O0Bxaa+pBg0rOpiAmN1xF-TGK5Q@mail.gmail.com> <CAN-Dau3a9zxT1W=2d=8MDT7nz90=WhG7Ff2xOjfm8=Z8YYsPBw@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <d785429a-59f5-42db-3c33-39861b985910@gmail.com>
Date: Tue, 03 May 2022 10:54:40 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <CAN-Dau3a9zxT1W=2d=8MDT7nz90=WhG7Ff2xOjfm8=Z8YYsPBw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/7RmpQlTrPCQ5Ncak4KYkaOpgBSU>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 22:54:48 -0000

David,
On 03-May-22 03:03, David Farmer wrote:
> 
> 
> On Mon, May 2, 2022 at 7:32 AM Mark Smith <markzzzsmith@gmail.com <mailto:markzzzsmith@gmail.com>> wrote:
> 
> 
> 
>     On Mon, 2 May 2022, 13:51 David Farmer, <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>> wrote:
> 
>         ...
>         I believe RFC 6724 is correct, ULAs that are not known to be local, 
> 
> 
>     If a host is given a ULA as a candidate DA, then it is to be considered local and reachable, because per RFC4193, ULA addresses are not to appear in global DNS.
> 
> 
> So IFF, the ULA addresses are not learned from DNS, 

That is, I think, irrelevant. All we are really talking about is the order in which results are returned by getaddrinfo(), which is what RFC6724 determines. At present, you will get this back from getaddrinfo() for a locally defined DNS entry (in Pythonic format):

(<AddressFamily.AF_INET: 2>, 0, 0, '', ('10.1.0.10', 0))
(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('fdee:face:fade::a', 0, 0, 0))

and 99% of app programmers will use the first entry.

Of course, the desired behaviour is to get:

(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('fdee:face:fade::a', 0, 0, 0))
(<AddressFamily.AF_INET: 2>, 0, 0, '', ('10.1.0.10', 0))


> and I'm not sure that is a safe assumption. For example, RFC 5220 section 2.2.2 seems to imply ULAs within the DNS, which is one of the referenced sections in the first paragraph of 10.6.
> 
> Further, as noted in RFC 5220 section 2.1.4, again one of the 
referenced sections in the first paragraph of 10.6;
> 
>     If the ULA is used for internal communication, packets with the ULA 
need to be filtered at the Router.
> 
> 
> That being the router at the Internet boundary for the local network. Your statement also assumes such filtering is present, and again that doesn't seem to be a safe assumption.

Yes it is, in the case of unmanaged domestic and SOHO networks with COTS equipment. Where it might be unsafe is in badly managed enterprise networks. If a network is badly managed *and* puts a faulty AAAA record in local DNS, yes, there might be a black hole.  Or anything else could go wrong, because the network is badly managed.

> So, IFF ULAs are not in the DNS, and ULAs are filtered at the Internet boundary for the local network, can a host assume a ULA given as a candidate DA, is in fact local and not a remote ULA address.

Yes, unless there is a gross misconfguration.

> And at least in my personal experience and the problems as stated in RFC 5220, 

That's a very old document now and it triggered the work on RFC3484 --> RFC6724.

> seems to indicate those conditions are not reliably the case. Put another way, the assumption that a ULA given as a candidate DA is in fact 
a local ULA, and not a remote ULA, is probably only true for well-run and 
well-configured networks.  And I for one would like IPv6 to operate as robustly as possible and work even when a network is misconfigured in some way(s).

Yes, but there are limits. I don't see that we can ever deal with a gross 
ULA misconfiguration that leads to non-local ULAs appearing in the local DNS. Possibly a monitoring system could detect it and issue a warning, but there is no way to prevent a human error leading to it. My example above was produced by patching bogus entries into my hosts file plus four lines of Python:

import socket
gai = socket.getaddrinfo('printer.mynet.example.com', None)
for x in gai:
     print(x)

> 
> Remember, RFC 6724 was intended to deal with issues that caused traffic 
to be black-holed when IPv6 was enabled, and as a result, many people were simply disabling IPv6, so let's be careful not to go back to those days.
> 
>         should be considered remote and GUA IPv6 and IPv4(both GUA and RFC 1918) should be considered more reliable than any possibly/probably remote ULA prefix. Where RFC 6724 failed, is not to require the known to be local ULAs to be added to the table, so ULA will function as intended.

Right. We need to work on that.

Regards
     Brian

v2.23.0 | Report a Bug | By Email