IETF Logo Mail Archive

Re: [v6ops] ULA precedence [Thoughts about wider operational input]

Erik Auerswald <auerswald@fg-networking.de> Thu, 28 April 2022 07:50 UTC

Return-Path: <auerswald@fg-networking.de>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2E6C14F739; Thu, 28 Apr 2022 00:50:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fKICsoKMRqZi; Thu, 28 Apr 2022 00:50:22 -0700 (PDT)
Received: from mailgw1.uni-kl.de (mailgw1.uni-kl.de [IPv6:2001:638:208:120::220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15E9AC15952A; Thu, 28 Apr 2022 00:50:20 -0700 (PDT)
Received: from mail.fg-networking.de (mail.fg-networking.de [IPv6:2001:638:208:cd01::23]) by mailgw1.uni-kl.de (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id 23S7oEaH185380 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Apr 2022 09:50:14 +0200
Received: from login.fg-networking.de (login.fg-networking.de [131.246.197.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.fg-networking.de (Postfix) with ESMTPS id 41AE12009B; Thu, 28 Apr 2022 09:50:02 +0200 (CEST)
Received: by login.fg-networking.de (Postfix, from userid 11002) id 358D9155; Thu, 28 Apr 2022 09:50:02 +0200 (CEST)
Date: Thu, 28 Apr 2022 09:50:02 +0200
From: Erik Auerswald <auerswald@fg-networking.de>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Ted Lemon <mellon@fugue.com>, 6man list <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Message-ID: <20220428075001.GA86458@fg-networking.de>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <20220425100310.GF67548@fg-networking.de> <CAPt1N1=XedJ7tY9pKDS3LvDMak6iPsK9fA=oF7Z0KkmGcA6-_A@mail.gmail.com> <CAO42Z2ydhe3hVOqSaN814hYh3oF3yG_du+gRkg6yD5haCqDnLQ@mail.gmail.com> <CAPt1N1=YdnZ_N+47v4A_EM70TobSt1sw5tcmBfQJEP5Y1zCwMg@mail.gmail.com> <CAO42Z2xyx2MpCCYQoXA9izRM7Xk42+Z-1OnL2PuzgsGfw1SFiw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAO42Z2xyx2MpCCYQoXA9izRM7Xk42+Z-1OnL2PuzgsGfw1SFiw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/8iq2NHRpOecwNOC616WCcmlSJWA>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 07:50:26 -0000

Hi Mark,

On Thu, Apr 28, 2022 at 07:51:05AM +1000, Mark Smith wrote:
> 
> The main theme of DA selection in RFC3484 is to prefer the likely most
> reliable DA by minimising external dependencies. Loopback is the best
> DA because it has the minimum external dependencies - it is within the
> host itself. GUAs are the least likely reliable of a set of DAs
> because they are likely to have the most external dependencies, such
> as links, routers, networks, network operators, and RIRs and ISPs
> supplying the GUA space, for the majority of GUA DAs - Internet GUA
> DAs.

I'd say that _remote_ ULAs are less reliable than GUAs.  Selecting ULA
source to reach GUA destination risks that the return traffic would be
sent to a _remote_ ULA (if the initial packet even reaches the
destination; it could be filtered because of using a "wrong" source
address).

The RFC 6724 default errs on the side of caution by assuming that ULA
are non-local, unless either auto-detected or configured as local.

> RFC6724 doesn't follow that minimise external dependencies theme
> because it is preferring GUAs with more external dependencies over
> ULAs that have less external dependencies.

RFC 6724 attempts to distinguish between remote and local ULA.  Local
ULA is either manually added to the address selection policy table, or
automatically added based on active local ULA IPv6 addresses (section
10.6).  Other ULA are not known to be local, thus they might be remote.

> [...]
> So ULAs are likely more reliable than GUAs for all of the same reasons
> Site-Locals were likely more reliable than GUAs - less external
> dependencies. ULAs should be preferred over GUAs by default for DA and
> then SA selection similar to how Site-Locals were preferred over GUAs
> by default.

There are at least two problems with always preferring ULA over GUA:

1. Using a ULA source address to reach a remote GUA destination is
   likely to result in connection problems (ULA source filtered
   at the edge, return traffic from GUA to ULA cannot reach the
   ULA destination).  To prevent this, GUA and ULA use different
   labels in the policy table.

2. Preferring a ULA destination of unknown locality over a GUA
   destination risks using an unreachable destination address.
   To prevent this, ULA that are not known to be local use a lower
   precedence than GUA.

To quote RFC 6724 section 10.6:

  "Sections 2.1.4, 2.2.2, and 2.2.3 of RFC 5220 [RFC5220] describe
   address selection problems related to Unique Local Addresses (ULAs)
   [RFC4193].  By default, global IPv6 destinations are preferred over
   ULA destinations, since an arbitrary ULA is not necessarily
   reachable"

The referenced sections describe specific problems with ULA use without
differentiating between GUA and ULA (i.e., RFC 3484 address selection)
in different scenarios:

* Section 2.1.4.  Combined Use of Global and ULA
* Section 2.2.2.  ULA and IPv4 Dual-Stack Environment
* Section 2.2.3.  ULA or Global Prioritization

Reverting to RFC 3484 would regress to that state.

> I assumed that was all the update to RFC6724 was going to be for ULAs
> - replacing Site-Locals with ULAs with the same SA and DA preferences.

Are you suggesting the following change?

OLD:

     Prefix        Precedence Label
     ------------------------------
     ::/0                  40     1
     fc00::/7               3    13
     fec0::/10              1    11

NEW:

     Prefix        Precedence Label
     ------------------------------
     ::/0                  40     1
     fc00::/7               1    11
     fec0::/10              1    11

That would not change comparison results between GUA and ULA addresses.

Put differently, your suggestion is already implemented in RFC 6724.

Kind regards,
Erik
-- 
Dipl.-Inform. Erik Auerswald
Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630

v2.23.0 | Report a Bug | By Email