Re: [v6ops] Operational Consensus on deployment
Tore Anderson <tore@fud.no> Tue, 05 August 2014 20:10 UTC
Return-Path: <tore@fud.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B1901A02D5 for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 13:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zlI1EB0bUDvX for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 13:10:41 -0700 (PDT)
Received: from greed.fud.no (greed.fud.no [IPv6:2a02:c0:1001:100::145]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EAC41A029F for <v6ops@ietf.org>; Tue, 5 Aug 2014 13:10:40 -0700 (PDT)
Received: from cm-84.209.85.233.getinternet.no ([84.209.85.233]:33083 helo=envy.fud.no) by greed.fud.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <tore@fud.no>) id 1XEl48-0008Vm-8p; Tue, 05 Aug 2014 22:10:36 +0200
Message-ID: <53E13A3B.4050303@fud.no>
Date: Tue, 05 Aug 2014 22:10:35 +0200
From: Tore Anderson <tore@fud.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <DE860EBC-171E-46E7-A3B6-5E8B79A453CC@cisco.com> <53DFEC6C.3010707@gmail.com> <CAD6AjGRUWxT5XiNxMi_S5VgYtGMLb_FVHXN-ZfGpcY=geix15g@mail.gmail.com> <53E06AC9.9010908@fud.no> <4F7D76F6-BD81-453B-94DC-A3C3DFF68505@delong.com> <8600C096-37D0-4651-92C1-BCFDBA674433@nominum.com> <CAD6AjGTBfyT-zNDJtBKCNtRxd=Hi07678Sr_-HgSGYbjAiF3Tg@mail.gmail.com> <C5281716-DC04-42E6-AC82-0D53E5DA0284@nominum.com> <53E1236A.605@fud.no> <m1XEkJJ-0000BuC@stereo.hq.phicoh.net>
In-Reply-To: <m1XEkJJ-0000BuC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/7lt5T06cILYIBRxVC8R-x-biKVQ
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 20:10:44 -0000
* Philip Homburg > If dual stack implies no NAT anywhere what is then the correct term for > NAT44 or NAT444 along with native IPv6? > > Just curious. I would call that dual stack. But you don't appearently. The current IPv6 dual stack transition mechanism is defined in RFC 4213, and it makes no reference to NAT whatsoever. This thread started out by Fred asking if we needed to update the consensus that dual stack is the IETF-recommended transition method, and in that context, no I not consider that the current dual stack recommendation includes NAT44*. It would certainly be possible to update RFC 4213 to mean that the new recommendation is to do NAT44* in combination with IPv6, though. But I don't think that's a good idea. We find ourselves in a hole, so maybe we should stop digging instead of getting ourselves a new shovel... >> As for additional help needed, well, I'm trying to put my money where my >> mouth is and coming up with a solution to these problems - you could >> help by reviewing my drafts. :-) The solution works, there is already >> running open-source code, so rough consensus is all that's missing... > > My gut feeling is that translating IPv4 packets to IPv6 or vise versa is > bad idea. Some thing will come up to make your life miserable. In some > sense it is very similar to tunneling. If you by tunneling are referring to the catastrophe that was 6to4, then I disagree. It is more like 6RD or MAP-E as it will typically contained within a single administrative domain. As for other things failing, if you have some concrete examples, please let me know. I'd certainly want to see if I can make those work, or if not, make sure the drafts properly document the limitations causing the failure. > I think it is safe to say that in your model you have enough public IPv4 > address to run your services. What your proposal eliminates is the need > for internal IPv4 addresses. That's right. No addresses lost due to network infrastructure, servers/applications performing internal tasks, unused addresses on LAN segments due to CIDR ^2 boundaries or space set aside for future growth. One public service per IPv4 address only. I'd imagine that most internet content providers have a much higher number of internal applications/servers than they have public service addresses, so this adds up to significant savings. > The question is then, why not simply run on RFC-1918 addresses internally? > Afterall, usually the goal is to provide IPv4 services. I'd like to to it Right from the start, and actually deploy IPv6. Changing to RFC1918 and NAT44 will do nothing to help me to deploy IPv6, if anything it would distract me from it. When I do get around to doing IPv6 as well, I'm stuck with the complexity of running two IP protocols in parallel, resulting in extra OpEx and reduced reliability I'd rather go without. (IMHO, IPv4-only is preferable to that, and it looking at the IPv6 availability graphs it would appear most operators share this view.) If I ever want to actually discontinue the IPv4+NAT44 stuff in order to get rid of that extra complexity and go IPv6-only, then that's another very time-consuming and non-revenue-generating project to look forward to. (Not.) In summary, IPv4 scarcity forces us to change the way we've always done stuff up until now. I'm not happy about it, but it is unfortunately inevitable. Considering I need to change all this stuff now anyway I'd much rather do it in a way that actually solves the problem long-term, and doesn't just line me up for another big and painful migration projects a few years down the road. > Maybe our setup is unique, but we have quite a few servers in remote > data centers that need to access internal servers. What we do is have > ACLs in the firewalls to only allow the addresses we know about and keep > the rest of the Internet out. > > In your model, any IPv4 address in a remote data center would either have to > translated to an IPv6 address (which of course nobody recognizes) or we > need an IPv4 firewall infront of the SIIT Gateway. Leaving the dual ACL > problem in place. Presumably you'll want a firewall inside of the SIIT gateway, to deal with IPv6 ACLs? If so, you only need one firewall and only one ACL. If you previously had an ACL that said something like in iptables syntax, where 192.0.2.100 is the trusted IP address you want to allow: --source 192.0.2.100 --protocol tcp --dport ssh -j ACCEPT ...with SIIT, you'd instead do, assuming 64:ff9b::/96 is the translation prefix): --source 64:ff9b::192.0.2.100 --protocol tcp --dport ssh -j ACCEPT The above IPv6 address with the embedded IPv4 dotted quad is syntactically valid, by the way, you don't even have to convert it to hex (cf. RFC4291 section 2.2). I would generally recommend locating the SIIT gateways as close to the edge of your network as possible. Ideally as a logical function located inside the border routers. That way, on the inside you can simply treat everything as IPv6, and have one IPv6 firewall, one IPv6 ACL, one IPv6 IGP topology, and so on, and so on. Tore
- [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Mark Andrews
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Czerwonka Michał 1 - Hurt
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment William F. Maton Sotomayor
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Czerwonka Michał 1 - Hurt
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roaming… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Mikael Abrahamsson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roaming… Tore Anderson
- Re: [v6ops] IPv4v6 roaming Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Vízdal Aleš
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Vízdal Aleš
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… holger.metschulat
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Lee Howard
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ca By
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Dave Michaud
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ca By
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Jouni
- Re: [v6ops] Operational Consensus on deployment Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Dave Michaud
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] Operational Consensus on deployment Kossut Tomasz - Hurt
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Geir Egeland
- Re: [v6ops] Operational Consensus on deployment Ray Hunter
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Mark Andrews
- Re: [v6ops] Operational Consensus on deployment George Michaelson
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Kossut Tomasz - Hurt
- Re: [v6ops] Operational Consensus on deployment Eric Vyncke (evyncke)
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment James Woodyatt
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment James Woodyatt
- Re: [v6ops] Operational Consensus on deployment Mark Andrews