IETF Logo Mail Archive

Re: [v6ops] Operational Consensus on deployment

Tore Anderson <tore@fud.no> Tue, 05 August 2014 20:10 UTC

Return-Path: <tore@fud.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B1901A02D5 for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 13:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zlI1EB0bUDvX for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 13:10:41 -0700 (PDT)
Received: from greed.fud.no (greed.fud.no [IPv6:2a02:c0:1001:100::145]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EAC41A029F for <v6ops@ietf.org>; Tue, 5 Aug 2014 13:10:40 -0700 (PDT)
Received: from cm-84.209.85.233.getinternet.no ([84.209.85.233]:33083 helo=envy.fud.no) by greed.fud.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <tore@fud.no>) id 1XEl48-0008Vm-8p; Tue, 05 Aug 2014 22:10:36 +0200
Message-ID: <53E13A3B.4050303@fud.no>
Date: Tue, 05 Aug 2014 22:10:35 +0200
From: Tore Anderson <tore@fud.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <DE860EBC-171E-46E7-A3B6-5E8B79A453CC@cisco.com> <53DFEC6C.3010707@gmail.com> <CAD6AjGRUWxT5XiNxMi_S5VgYtGMLb_FVHXN-ZfGpcY=geix15g@mail.gmail.com> <53E06AC9.9010908@fud.no> <4F7D76F6-BD81-453B-94DC-A3C3DFF68505@delong.com> <8600C096-37D0-4651-92C1-BCFDBA674433@nominum.com> <CAD6AjGTBfyT-zNDJtBKCNtRxd=Hi07678Sr_-HgSGYbjAiF3Tg@mail.gmail.com> <C5281716-DC04-42E6-AC82-0D53E5DA0284@nominum.com> <53E1236A.605@fud.no> <m1XEkJJ-0000BuC@stereo.hq.phicoh.net>
In-Reply-To: <m1XEkJJ-0000BuC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/7lt5T06cILYIBRxVC8R-x-biKVQ
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 20:10:44 -0000

* Philip Homburg
> If dual stack implies no NAT anywhere what is then the correct term for
> NAT44 or NAT444 along with native IPv6?
> 
> Just curious. I would call that dual stack. But you don't appearently.

The current IPv6 dual stack transition mechanism is defined in RFC 4213,
and it makes no reference to NAT whatsoever. This thread started out by
Fred asking if we needed to update the consensus that dual stack is the
IETF-recommended transition method, and in that context, no I not
consider that the current dual stack recommendation includes NAT44*.

It would certainly be possible to update RFC 4213 to mean that the new
recommendation is to do NAT44* in combination with IPv6, though. But I
don't think that's a good idea. We find ourselves in a hole, so maybe we
should stop digging instead of getting ourselves a new shovel...

>> As for additional help needed, well, I'm trying to put my money where my
>> mouth is and coming up with a solution to these problems - you could
>> help by reviewing my drafts. :-) The solution works, there is already
>> running open-source code, so rough consensus is all that's missing...
> 
> My gut feeling is that translating IPv4 packets to IPv6 or vise versa is
> bad idea. Some thing will come up to make your life miserable. In some
> sense it is very similar to tunneling.

If you by tunneling are referring to the catastrophe that was 6to4, then
I disagree. It is more like 6RD or MAP-E as it will typically contained
within a single administrative domain.

As for other things failing, if you have some concrete examples, please
let me know. I'd certainly want to see if I can make those work, or if
not, make sure the drafts properly document the limitations causing the
failure.

> I think it is safe to say that in your model you have enough public IPv4
> address to run your services. What your proposal eliminates is the need
> for internal IPv4 addresses.

That's right. No addresses lost due to network infrastructure,
servers/applications performing internal tasks, unused addresses on LAN
segments due to CIDR ^2 boundaries or space set aside for future growth.
One public service per IPv4 address only. I'd imagine that most internet
content providers have a much higher number of internal
applications/servers than they have public service addresses, so this
adds up to significant savings.

> The question is then, why not simply run on RFC-1918 addresses internally?
> Afterall, usually the goal is to provide IPv4 services.

I'd like to to it Right from the start, and actually deploy IPv6.
Changing to RFC1918 and NAT44 will do nothing to help me to deploy IPv6,
if anything it would distract me from it. When I do get around to doing
IPv6 as well, I'm stuck with the complexity of running two IP protocols
in parallel, resulting in extra OpEx and reduced reliability I'd rather
go without. (IMHO, IPv4-only is preferable to that, and it looking at
the IPv6 availability graphs it would appear most operators share this
view.)

If I ever want to actually discontinue the IPv4+NAT44 stuff in order to
get rid of that extra complexity and go IPv6-only, then that's another
very time-consuming and non-revenue-generating project to look forward
to. (Not.)

In summary, IPv4 scarcity forces us to change the way we've always done
stuff up until now. I'm not happy about it, but it is unfortunately
inevitable. Considering I need to change all this stuff now anyway I'd
much rather do it in a way that actually solves the problem long-term,
and doesn't just line me up for another big and painful migration
projects a few years down the road.

> Maybe our setup is unique, but we have quite a few servers in remote
> data centers that need to access internal servers. What we do is have
> ACLs in the firewalls to only allow the addresses we know about and keep
> the rest of the Internet out.
> 
> In your model, any IPv4 address in a remote data center would either have to
> translated to an IPv6 address (which of course nobody recognizes) or we
> need an IPv4 firewall infront of the SIIT Gateway. Leaving the dual ACL
> problem in place.

Presumably you'll want a firewall inside of the SIIT gateway, to deal
with IPv6 ACLs? If so, you only need one firewall and only one ACL. If
you previously had an ACL that said something like in iptables syntax,
where 192.0.2.100 is the trusted IP address you want to allow:

--source 192.0.2.100 --protocol tcp --dport ssh -j ACCEPT

...with SIIT, you'd instead do, assuming 64:ff9b::/96 is the translation
prefix):

--source 64:ff9b::192.0.2.100 --protocol tcp --dport ssh -j ACCEPT

The above IPv6 address with the embedded IPv4 dotted quad is
syntactically valid, by the way, you don't even have to convert it to
hex (cf. RFC4291 section 2.2).

I would generally recommend locating the SIIT gateways as close to the
edge of your network as possible. Ideally as a logical function located
inside the border routers. That way, on the inside you can simply treat
everything as IPv6, and have one IPv6 firewall, one IPv6 ACL, one IPv6
IGP topology, and so on, and so on.

Tore

v2.23.0 | Report a Bug | By Email