IETF Logo Mail Archive

Re: [v6ops] draft-palet-v6ops-464xlat-opt-cdn-caches

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Mon, 08 July 2019 21:43 UTC

Return-Path: <prvs=1092a35ad6=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3138E1202E9 for <v6ops@ietfa.amsl.com>; Mon, 8 Jul 2019 14:43:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJhWBeLAuRHb for <v6ops@ietfa.amsl.com>; Mon, 8 Jul 2019 14:43:13 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB2DC120278 for <v6ops@ietf.org>; Mon, 8 Jul 2019 14:43:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1562622191; x=1563226991; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type; bh=yjE4hQqTTjrxi2wN98pNOq8ynzyx02oPyJ YvuJ0TJnk=; b=L65VejqSEWTYF5X10mEGUBc59dw7hjegrBxIWIZB6v7MH6pQfF B4KbWxCkuUVJYsLP/gEFMnaRbAnEOlepzYEDHwBgj8jxtAOY5SFNZZkoywpWBujR OSjl3jKtDa5VrqpwIzJYY2JW81PrRJNUTh+kVQQylUqw7IxshPMcuho9M=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Mon, 08 Jul 2019 23:43:11 +0200
X-Spam-Processed: mail.consulintel.es, Mon, 08 Jul 2019 23:43:10 +0200
Received: from [10.10.10.130] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50006319625.msg for <v6ops@ietf.org>; Mon, 08 Jul 2019 23:43:09 +0200
X-MDRemoteIP: 2001:470:1f09:495:61d7:174e:4fa1:2845
X-MDHelo: [10.10.10.130]
X-MDArrival-Date: Mon, 08 Jul 2019 23:43:09 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=1092a35ad6=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/10.10.b.190609
Date: Mon, 08 Jul 2019 23:43:09 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: v6ops@ietf.org
Message-ID: <3E423587-A00A-4918-966E-C8BEAE0298FD@consulintel.es>
Thread-Topic: [v6ops] draft-palet-v6ops-464xlat-opt-cdn-caches
References: <291EE30B-D299-4EA1-8C8B-53F4BE6A9B07@gmail.com> <D4014EF2-7CD5-4A8E-8DBB-3BA02B663F6C@gmail.com> <D0CDA5A2-2D48-4A75-98EF-131753FB6381@consulintel.es>
In-Reply-To: <D0CDA5A2-2D48-4A75-98EF-131753FB6381@consulintel.es>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3645474189_200027141"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/9GddE6b92--PBQfp1IE69ixYmAc>
Subject: Re: [v6ops] draft-palet-v6ops-464xlat-opt-cdn-caches
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 21:43:25 -0000

Hi Fred, all,

 

I just submitted a new version for this document.

 

https://datatracker.ietf.org/doc/draft-palet-v6ops-464xlat-opt-cdn-caches/?include_text=1

 

I’ve updated the issues from your inputs, as well as the issue that Martin raised. It has required a much complex approach than the one initially drafted when responding to him, but I think it resolves the problem.

 

Hopefully we can get inputs, specially from CDN/Cache providers, but also from hosting providers if they are using this reverse-proxy often …

 

Regards,

Jordi

@jordipalet

 

 

 

El 28/6/19 17:10, "v6ops en nombre de JORDI PALET MARTINEZ" <v6ops-bounces@ietf.org en nombre de jordi.palet=40consulintel.es@dmarc.ietf.org> escribió:

 

Hi Fred,

 

Thanks for your inputs.

 

Responses, below, in-line.

 

Regards,

Jordi

@jordipalet

 

 

 

El 28/6/19 15:55, "v6ops en nombre de Fred Baker" <v6ops-bounces@ietf.org en nombre de fredbaker.ietf@gmail.com> escribió:

 

I’m reading through this draft, and feel some comments are in order on the issues marked “TBD”. In this case, I’m writing as an individual.

 

Sometimes I use the TBD, not necessarily because that need to be completed, but to make sure that I double think on that for the next version.

 

In the general problem and proposed solutions, I agree that the problem statement makes sense (it is comparable to the problem statement in SIIT-DC), and section 4.2 (also comparable to SIIT-DC) seems to present the solution with the least impact on the network and its surrounding devices.

 

A few thoughts:
  The information in the EAMT MUST be kept timely-synchronized with the

  AAAA records TTL's.  In order to achieve that, each EAMT entry MUST
  update with each A query, the TTL of the relevant AAAA record.
  Update of RFC7757 ? TBD.

 

I don’t view this as changing 6145/7915’s algorithm. I need to understand how this changes 7757 to agree that it updates it.

 

Section 6 of RFC7915 has a SHOULD for EAM. I think this is right, but I see that RFC6877 (464XLAT), should get it as a MUST.

 

Similarly, my question about RFC7757, is if it is useful that each entry in the EAMT also needs to have a TTL, or this is exclusive for our optimization case (this ID) ?

 

  SIIT already has a SHOULD for EAM support.  TBD. 464XLAT may be
  updated by this document so the CLAT has a MUST for EAM support.
 
THe fact that you want it for this use case doesn’t mean that it is required by all use cases. I’d want to hear that argument before agreeing to “MUST”.
 
I think it makes sense that 464XLAT is *always* optimized, so that’s why I think it requires to be updated by this document..
 
And in any event, what is the argument for 2119 language in an informational document? This is beginning to sound more like a Proposed Standard...
 
Actually we have got this request already many times when having the IESG review. I’ve used RFC7084 “special” language in the recent RFC8585, and I was asked to just use the RFC2119 one.
 
However, I also believe that this document, if we agree that 464XLAT must be always optimized, then this ID is an opportunity for killing two birds with a stone:
1)  Updating RFC6877 to include the optimization always.
2)  It doesn’t make senses (we talked already some time ago about this), that MAP-E/T, DS-Lite and lw4o6 are standards, and 464XLAT which is the mechanism that have “more” users in the world (even compared to all the others together), is just informational. So this ID may be a proposed standard covering both aspects.
 
  TBD.  Should we recommend having A "null" records for IPv6-only
  services in Internet?  A web page IPv4-only hosted by IETF(?) showing
  "sorry this web page/service is only available from IPv6 enabled
  operators"?

 

I’m very concerned about requiring something that is not going to be DNSSEC-compatible, which 

 

“null” maybe not the best wording here, so may not break DNSSEC. I mean using an IPv4 address that is not actually configured in the server that the has the AAAA. I think it makes sense that this address is a public one defined by the IETF, which we may use for a special page (or not use at all, but still a special one).

 

it seems such a “null” record has to be. I’m also concerned about something that forces a change to DNS implementations, as a change to the interpretation of an A resource record seems likely to do. An A resource record advertises an IPv4 address that one can expect to work under some set of conditions, and a “null” record seems to advertise an address whose set of conditions for 

 

Clearly, I confused using the “null” wording. Is a real address (so no change at all in DNS implementations), but this address is not actually configured in the interface of the server (because it is IPv6-only).

 

validity would be null. So this is something I would be concerned to find, and would expect to require dnsop support for before I was willing to accept it.




  TBD.  Other risks to consider ? If a CE is misconfigured, even a
  small percentage of broken CEs may bring the content providers to
  switch back to IPv4-only.  So possible failure cases need to be
  carefully considered for every possible solution approach.

  TBD.  Should a way to manually exclude EAMT entries be considered?
  May be a manual config in the CPE and by means of operator config.
  This is way-out to ensure nothing is broken by surprise and is not
  solvable.

 

I’m not an operator. I would expect any operator reading this to say “heavens no, no manual or specific configurations. Make this just fall out of normal operations.” 

 

I think again is a matter of wording. Many CEs have lots of options that usually operators don’t use. But if they need to use they can configure them remotely, or because they get from the vendor a default “factory” config. However, in some cases, those configs are also managed by “expert” users (and today a gamer, just an example, is most of the time an expert user).

 

Operators, please feel free to agree or disagree, and say why.




  This document does not have any new specific security considerations.

 

The question about “broken CEs” seems to point to a security consideration. In what way might they be misconfigured, and what would the effect be?

 

Again, I need to change the wording here. The CE is not actually broken. The complete paragraph “TBD.  Other risks to consider ? …” was more a way to remind muself to work on that. The point is that if we have this optimization, we need to make sure to double-check with CDNs that it doesn’t create a trouble for them, because in those cases they see the “CE as broken for IPv6” and they prefer to disable IPv6 for the entire ISP that has the “broken CEs”.

 

Is that clearer now?

 

I will definitively improve the wording for the next version, so those points don’t create confusion.

 

 

_______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops 


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

_______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email