Re: [v6ops] <draft-ietf-v6ops-464xlat-optimization-00.txt> - pre-(shepherd-writeup) review

[JORDI PALET MARTINEZ <jordi.palet@consulintel.es>]

Hi Jen,

Tks a lot, very useful inputs!

Responding now to this ... sorry bit busy today with another document ;-) and as a consequence, a new version (-02) being published in a while ...


El 10/7/20 5:58, "Jen Linkova" <furry13@gmail.com> escribió:

    OK, I"ve read the document and before I finish the write up I'd like
    to discuss a number of comments I have.
    My apologies for not raising them during the WGLC - I was not paying
    attention, got busy with work...

    0) I might need coffee but I found the Abstract a bit confusing so if
    I may suggest some text..

    ""IP/ICMP Translation Algorithm (SIIT) can be used to provide access
    for IPv4-only devices or applications to IPv4-only or dual-stack
    destinations over IPv6-only infrastructure. In that case the traffic
    flows are translated twice: first from IPv4 to IPv6 (at the ingress
    point to then IPv6-only network) and then from IPv6 back to IPv4 at
    the egress point.  If the destination is IPv6-enabled that second
    translation might not be required. This document describes some
    optimization to 464XLAT and MAP-T deployments to avoid translating IP6
    flows back to IPv4 if the destination is reachable over IPv6. The
    proposed solution would significantly reduce the NAT64 utilisation in
    the operator's network"

[Jordi] Yep, tks, I'm happy to use this alternative text (slightly changed):

   IP/ICMP Translation Algorithm (SIIT) can be used to provide access
   for IPv4-only devices or applications to IPv4-only or dual-stack
   destinations over IPv6-only infrastructure.  In that case, the
   traffic flows are translated twice: first from IPv4 to IPv6
   (stateless NAT46 at the ingress point to the IPv6-only
   infrastructure) and then from IPv6 back to IPv4 (stateful NAT64, at
   the egress point).  When the destination is IPv6-enabled, the second
   translation might be avoided.  This document describes a possible
   optimization to 464XLAT and MAP-T to avoid translating IPv6 flows
   back to IPv4 if the destination is reachable over IPv6.  The proposed
   solution would significantly reduce the NAT64 utilization in the
   operator's network.




    1) Introduction section
    The draft says: "allow IPv4-only devices or applications to connect
    with IPv4 services in Internet, by means of a
       stateless NAT46 SIIT (IP/ICMP Translation Algorithm) as described
    by  [RFC7915]."

    Do you think it would help saying  "with IPv4 services in Internet
    over IPv6-only infrastructure"?  Otherwise it sounds confusing - why
    do we need anything at all to help IPv4-only clients to talk to
    IPv6-only services?

[Jordi] Yep, tks!

    2) ""This allows to translate the IPv6-only flow back to IPv4, in
    order to forward it to Internet."

    I'm not sure we can call a flow 'IPv6-only'. Flows are usually IPv6 or
    IPv4...I think the terms 'IPv6-only' and 'IPv4-only flows' are used
    extensively in the draft.

[Jordi] Yep, tks! Reviewed across all the doc.

    3) "In both cases (NAT46 and NAT64), the translation of the packet
       headers is done using the IP/ICMP translation algorithm defined in
       [RFC7915] and algorithmically translating the IPv4 addresses to IPv6
       addresses following [RFC6052]."

    IMHO this text would be more readable if we split it in two sentences:
    " In both cases (NAT46 and NAT64), the translation of the packet
       headers is done using the IP/ICMP translation algorithm defined in
       [RFC7915] . Translation between IPv4 and IPv6 addresses is done as
    per RFC6052]."

[Jordi] I'm sure I've read/used this text in other documents and got no complains, but I'm happy to change it.

    4) Section 3 is called "Possible Optimisation". However it comes
    before the Section 4 (problem statement) and the text seems to be more
    about the problem.
    Also, the first 3 paragraphs of Section 4 (until "until "As shown in
    the Figure 4" text) seem to repeat Section 3. Shall those two sections
    be merged?
    Or am I missing anything and they are actually talking about different things?

[Jordi] This was a single longer section before, including the intro (which explains also some of your other inputs later on), but a previous review from the WG suggested to split it. I think it makes sense to keep the actual distribution of the text, as it follows a natural reading flow, even if the problem statement comes "later". May be an alternative is to rename section 4 as "problem statement summary" ?

    5) "In the case of 464XLAT, a DNS64 ([RFC6147]) is (optionally) in charge
    of the synthesis of AAAA records from the A records, so they can use
       a NAT64, without the need of doing a double-translation by means of
       the NAT46/CLAT." - who are "they"?  This is the first sentence of
    the section so not sure who you are referring to.

[Jordi] Caused by the split of the section ... resolved now.

    6) Fig 1: Shouldn't it be 'Dual-Stack LAN', not 'LAN's Dual-Stack'?

[Jordi] I think it was originally just LAN's or just Dual-Stack and when adding the other wording ... changed.

    7) ""As it can be observed in the preceding picture, the situation is the
       same, regardless of in case of a wired network with a CE Router or a
       cellular network where a UE is connecting other devices (which may be
       IPv4-only or have IPv4-only apps), by means of a tethering
       functionality."

    IMHO it's a bit hard to parse...Maybe smth like:
    "Examples of a topology shown on the picture above includes:
    - a residential ISP IPv6-only access network with a dual-stack LAN
    behind a CPE performing NAT46 (CLAT);
    - IPv6-only mobile ISP network when a UE performs CLAT for IPv4-only
    applications running on that UE or for traffic originated by other
    devices connected to the UE via tethering."

[Jordi] Yep, reworded.

    8) Section 5.1. Approach 1: DNS/Routing-based Solution
    "5.1. Approach 1: DNS/Routing-based Solution
    "Because the WKP is non-routable, this solution will only be possible
       if the CDN/cache is in the same ASN as the provider network, or
       somehow interconnected without routing thru" Internet."

    Maybe it's worth explicitly mentioning that this approach would
    require that the path to the destination is NOT traversing NAT64
    devices. Otherwise the simple configuration of such devices 'translate
    everything with the destination address in the WKP' would become much
    more complex.

[Jordi] Is there "having more specific routing prefixes", anyway, I've added test to remark it.

    9) Section 5.2.3
    ""In normal conditions the TTL for both A and AAAA records, of a given
    FQDN, should be the same,"

    I'm not sure it's the case actually and we can expect that to happen
    'normally'. Do you have any references proving that point?

[Jordi] I don't have in mind a reference. Tried to find it now, and no luck, but I'm sure is the correct way. If you have different TTLs for A and AAAA records strange things will happen to IPv4-only or IPv6-only or dual-stack users. Anyway, even if I'm wrong, the text we have doesn't get impacted, because for the optimization the important one is the AAAA record, as already indicated in the actual text.

    10) Section 5.2.7. Behavior in case of multiple A/AAAA RRs
    Sorry but I have difficulties understanding those two sentences. What
    'existing procedures'  the resolver must be using?
    IMHO this section would be much easier to understand if there is an
    example: the given FQDN has 15 A RRs and 5 AAAA RRs. What EAMT entries
    would be created?
    As most CDNs would have multiple entries, this is a key point of the proposal.

[Jordi] Existing procedures are either using the first RR, or shuffling among them (RFC1794). Whatever is done must be transparent to the CDNs. In fact, CDNs and caches usually (just done some random test to verify it) do the round robin. What it is clear, and this what I'm trying to say, is that whatever is doing the CE,  should not be "modified" with the optimization, because the CDN is making sure that the response is good never mind it is any of the A records or any of the AAAA records. I will try to reword the text to make it clearer.

    11) Section 5.2.8. Behavior in presence/absence of DNS64
    "Furthermore,  because as indicated in Section 5.2.2, the EAMT entry
    is not created
       when the service is IPv6-enabled."

    Is it correct? The section 5.2.2 seems to be talking about detecting
    IPv6 enabled services and using their AAAAs for creating EAMT entries.

[Jordi] The "not" is a typo. Some wrong copy and paste. Anyway, I think I will reword the full paragraphs to  make it clearer and actually shorter.

    12)  (related to 11) The draft seems to assume that the CPE/UA knows
    the NAT64 prefix somehow. As it's an operational document I believe it
    would be beneficial to provide some guidance on how exactly the device
    should discover the prefix. Obviously, the operator could use RFC8781
    (PREF64 RA option) or PCE. Or the device and use RFC7050. However if
    the device uses RFC7050 then the Section 5.2.8 shall discuss this.

[Jordi] I was having in mind using RFC8585, but actually never put it, because the other references (464XLAT, NAT64, etc., already have it). However now I think it is a good point having a reference to RFC8781, and all the other choices.

    13) IMHO sections 5.2.9.  Behavior when using literal addresses or non
    IPv6-compliant APIs and 5.2.12. Behavior in case of Foreign DNS should
    be follow each other or  sections 5.2.9. might have a reference to
    5.2.12.

[Jordi]  Ok. Moved 5.2.12 after 5.2.9.

    14) Section 5.2.11 Behavior in presence of Happy Eyeballs
    IMHO, this section should make it explicit and very very clear: as
    soon as an EAMT entry is created for an IPv4 address, Happy Eyeballs
    fallback to that IPv4 address becomes impossible. In case of
    connectivity issues with the IPv6 address used in that EAMT entry, the
    client would not be able to reach the destination.
    I feel like the draft does not discuss the impact enough.  It's not
    about delay, it's about IPv6 becoming the only protocol to reach
    IPv6-enabled destinations for both dual-stack and IPv4-only hosts.
    Maybe it's a good thing in 2020 ;)

[Jordi] I've pointed to this in the other email ... So, I think we agree on the possible tradeoff. I will see how I can improve the text to made it clearer.

    15) Later in that section the draft says:
    " So even if Happy Eyeballs is present, the fallback to IPv4-only
    typically, will be slower than native IPv6 itself, because
       the added delay in the NAT46+NAT64 translations, when not using this
       optimization."

    I think it should be saying "IPv4 would be slower", not "fallback to
    IPv4".  So maybe smth like " 'IPv4 is expected to be slower than
    native IPv6 due to delays added by NAT46+NAT64. This optimization
    reduced that delay by eliminating the need of the second translation
    (NAT64)"?

[Jordi] Yep. All the happy eyeballs section re-worded and made more explicit. Note that depending on "where" the IPv6 failure is happening, IPv6 to a destination could be failing and IPv4 still working ... see the new text.

    16) The draft does not discuss the troubleshooting implication. For
    example if I'm running 'traceroute 8.8.8.8 from my IPv4-only host and
    there is an EAMT entry for 8.8.8.8.
    IMHO this draft needs to discuss this and potential impact on tech
    support procedures.

[Jordi] This is already considered, either via a CLI, GUI or both, you can configure static "invalid" entries:
   6.  Valid/Invalid: When set to 1, means that this EAMT entry MUST NOT
       be used and consequently no optimization performed.  It may be
       used also for an explicit configuration (GUI, CLI, provisioning
       system, etc.) to disallow optimization for explicitly configured
       IPv4 addresses.

   7.  Auto/Static: When set to 1, means that this EAMT entry has been
       manually/statically configured, for example by means of an
       explicit configuration (GUI, CLI, provisioning system, etc.), so
       it doesn't expire with TTL.

Anyway, I will add a specific section to remark it.

    17) Another thing which seems to be missing is some guidelines on
    controlling this feature. I'd suggest adding some text about that.
    IMHO, the router vendors SHOULD (I'd vote for MUST even) have that
    optimization disabled by default. The routers MUST have a knob to turn
    it off if it's enabled.

[Jordi] In my previous email already discussed about this. I've added this text:
   Note that this optimization MUST NOT be
   enabled when the WAN link is IPv4-only or dual-stack.  In other
   words, only can be enabled if the WAN link is IPv6-only and
   consequently, the NAT46/CLAT is enabled in the CE

    18) Acknowledgements Section
    Pls remove "....and TBD".

[Jordi] I usually keep it open for last minute contributors, and the RFC editor close it (and they order them alphabetically, etc.). Done now.

    -- 
    SY, Jen Linkova aka Furry



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.