Re: [v6ops] AWS ipv6-only features
Nick Buraglio <buraglio@es.net> Wed, 01 December 2021 19:58 UTC
Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077123A0A8C for <v6ops@ietfa.amsl.com>; Wed, 1 Dec 2021 11:58:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4RGSh1Ax_0HZ for <v6ops@ietfa.amsl.com>; Wed, 1 Dec 2021 11:58:20 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92EF93A0A8B for <v6ops@ietf.org>; Wed, 1 Dec 2021 11:58:20 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id 13so50323566ljj.11 for <v6ops@ietf.org>; Wed, 01 Dec 2021 11:58:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=eXfC+Od1ROWQtO/fbNDg8buNTtaNdw2ECdGm6aAgZqM=; b=T2krqb21I6yEw8T3VStDhxAUYyYJjPUY6VybckKb3Q9Y3JtS1twS2xsgWyEzlXCOUL III+A1FQhsDcdkPShPttt4VEagyug+/OeCajw66xfXY+wARLvxjXUts8CAuiSQiE4zB0 80ra6INO13x6jdhzY+FJ5WhezOwbTs7yySg76pxmTap4lHb75nDL0timduDlYd8TDGoL yxubJBwEPlZXFu2jnIfrCneXvd8Zjf4eQUR1sPdbLpNNaMAzNm9kEXqzjvyFlpVX4GCm MljuHpWJ4hHoBU2Y+Wn46NLCgT50ClnJkI4Jx4wST+SGFPzJ24Po92OeFzd8dP5Ioe5T +kcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=eXfC+Od1ROWQtO/fbNDg8buNTtaNdw2ECdGm6aAgZqM=; b=fGA1AxE6rqFk4I3fzplm+B+1hmf98S/SIopLSj9LhZhISK3SZbJOfGhpka4ghOxrEJ uFFooV1IiAg7uh3H4NPmPNngeVhfBd48e1ChvREmGVFsWnS1qnccqhgEmq2To/1axrnq iZtsZM0MHHUGbc+NifroMSvwbRYub2ul/06ZYIkXK5eGfPOK7UiRyK5OqpgRmzBBcd/o Pixop/gOufXdkb9fpbRnyzWrq1ytn+Qh2njtQ1RvIO9NP2kWQQ/Ove3dNUwobnUBsuVy RVFMTIG+HcQ/mv0Az1s/eghkgP3BwmClqKhqCLEaDakJmEC6lVJTGiPV8/7b4/SCysDw H08g==
X-Gm-Message-State: AOAM530B2PKi8EziNFtcIJSlZc0nc7c2LGc4yb+IELXimpTZN2YCfZH+ LD4ClFovOqlOsR2sdJ4Xl8z5zvgiG4LYnb/Jvcz/Z8K9m1wqi8PSkzP76ueK/wd09UFh0w8hOHr pZT1pDMSPVJYUzvjsdzMTdaTnvwBhKUjM9GE4lI+C+Cmi89Apm7VhCRbNPG+8egBB3s6ulaprEm qHW2RVNgs=
X-Google-Smtp-Source: ABdhPJxxq6+Sre7ucM48bs1D9BkVhGzE76aeoMw1WRLQShc95SNuH+hqrmgTz93snkHhhIawi0RKoYC6VYT1GYieKF0=
X-Received: by 2002:a2e:2a46:: with SMTP id q67mr7705431ljq.398.1638388693375; Wed, 01 Dec 2021 11:58:13 -0800 (PST)
MIME-Version: 1.0
References: <CAD6AjGRAkpMDaAh31mVL=+Gcz5PHejUxxLazr4Xb=vVRHfaSpw@mail.gmail.com> <CAO42Z2z8u_DQMd9eNSQp_RhBinXk2KyH4pdbVLMEqOta-hoG1w@mail.gmail.com> <CADzU5g5odQ82FJ0TsdNxFB42OkgLZ+PWanLLrK1roLojAUS54A@mail.gmail.com> <CAO42Z2z+ZJ_pLwZmBjZ_HFsNXQ6jok-PMRTP23ZD2UMch61wtw@mail.gmail.com> <CAM5+tA9JhRWfZ2VLLQnT8Mg+Xng-+Rc-oQnX8Ma5DguL2uDO8w@mail.gmail.com> <C7A86994-311E-4D94-80AE-74A15D6D62B1@delong.com> <m1mrzjf-0000GqC@stereo.hq.phicoh.net> <C75C1488-6B27-4BE4-8B68-BFBF35748369@delong.com> <m1msJDa-0000HCC@stereo.hq.phicoh.net>
In-Reply-To: <m1msJDa-0000HCC@stereo.hq.phicoh.net>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Wed, 01 Dec 2021 13:58:01 -0600
Message-ID: <CAM5+tA-ab9+ifue4H1U-SGFXqaksuu2eUoC6AhU3OmwL75ZMyA@mail.gmail.com>
To: Philip Homburg <pch-v6ops-11@u-1.phicoh.com>
Cc: v6ops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000133fe105d21b1895"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Bq2kJHfjj1h0_csYfmdBgZzQLJI>
Subject: Re: [v6ops] AWS ipv6-only features
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2021 19:58:26 -0000
On Wed, Dec 1, 2021 at 12:36 AM Philip Homburg <pch-v6ops-11@u-1.phicoh.com> wrote: > > > Is this common practice somewhere? Do people expect that something > sensible > > > will happen if you try that? Is it documented what should happen? > > > > Probably more common in mDNS than DNS, but yes, something sensible > > SHOULD happen as documented in the RFCs: > > > > AAAA record sorting in getaddrinfo() or getnameinfo() should return > > the ULA records before the GUA records in the linked list. > > > > As a result, an application that sensibly iterates through the list > > in order (as is expected behavior) should connect via GUA if possible > > (if not, it should rapidly receive an error and move on to the next > > item in the list, so no extraordinary processing or coding is > > required in the application). > > mDNS is a bit of a boring case. If you get an mDNS reply is likely that the > destination is on the same subnet. It is possible to mess that up, but > that is more upto the network admin. > As is having multiple AAAA records for different addresses. I've definitely seen this with GUA. > With DNS, how is it sensible to put both a ULA and a GUA in a single > DNS record? Without happy eyeballs (and anything that is not > a webbrowser is unlikely to implement happy eyeballs), putting in two > addresses for a host just means waiting twice as long when the host is > down. > If a host is down then the timeout doesn't matter. If a protocol is broken, without happy eyeballs then failover is already long enough that the user has likely moved on. But how does that work for other services? Anything without happy eyeballs has a timeout long enough that the user will see it and almost certainly move on or report a problem. More savvy users may wait it out or try to figure out why their SSH session times out or the like, at which point it largely doesn't matter what the actual problem is. It's a degraded service. Having best practices in place on top of reference designs would go a long way. Personally, I think being prescriptive in the preference order is warranted. If an application fails to heed that, then there is a document to point to that says "this, then that, then this" will save a lot of headaches for both developers that are blindly making up their own rules (as they would have guidelines to reference) and folks operating a network or support an application stack that have to answer the phone. > > What benefit do you expect to get from putting two addresses for the same > host in DNS (at the same DNS name, in the same view)? > This is obviously very common with IPv4 and IPv6 - www.google.com resolves to both the same A and AAAA, what is the functional difference? I can do the same thing with my RFC1918 space internally (or externally , regardless of "correctness", if I am so inclined). Granted, DNS views are the technically smartest choice here, however, the question is not "why would someone do it this way?". That operational ship sailed years ago with the advent of the ULA RFC and is comfortably adrift at sea And it's not changing until enough momentum is in place to tow it back - which is also not really the point. The question is, operationally, why does this behave inconsistently? Sure, it's up to the application developers. What guidance do they have? Our answer to that question should absolutely *not* be "developers don't understand networks". While often true, that is a response to a completely different problem space doesn't make anyones production deployment or on-call schedule any better. The question we should be asking is "Can we improve this? How?" Be it guidelines as Brian suggested, or other mechanisms, someone should be asking, so I am. I am happy to answer as well. > Having two views (or names), one for external use with a GUA and one > internal > use with ULA makes sense. > Sure, that's a best case deployment. How many first time IPv6 deployments fall into that category? Not many. My first few 15+ years ago were admittedly a total disaster and were re-done after we learned some hard lessons. I am getting asked about things like ULA, documentation space, and other foundational IPv6 concepts a lot in recent months. With the increasing push for IPv6 (and IPv6-only) the questions won't get any fewer. The more consistently those of us prototyping, designing, building, and supporting IPv6 can answer, the higher the tide raising all boats will be. I will now step off of my high horse, the air is getting a bit thin up here. nb > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] AWS ipv6-only features Ca By
- Re: [v6ops] AWS ipv6-only features Mark Smith
- Re: [v6ops] AWS ipv6-only features Clark Gaylord
- Re: [v6ops] AWS ipv6-only features Mark Smith
- Re: [v6ops] AWS ipv6-only features Clark Gaylord
- Re: [v6ops] AWS ipv6-only features Mark Smith
- Re: [v6ops] AWS ipv6-only features Brian E Carpenter
- Re: [v6ops] AWS ipv6-only features Clark Gaylord
- Re: [v6ops] AWS ipv6-only features Lorenzo Colitti
- Re: [v6ops] AWS ipv6-only features otroan
- Re: [v6ops] AWS ipv6-only features Mark Smith
- Re: [v6ops] AWS ipv6-only features Vasilenko Eduard
- Re: [v6ops] AWS ipv6-only features Vasilenko Eduard
- Re: [v6ops] AWS ipv6-only features otroan
- Re: [v6ops] AWS ipv6-only features Pascal Thubert (pthubert)
- Re: [v6ops] AWS ipv6-only features Gert Doering
- Re: [v6ops] AWS ipv6-only features Chengli (Cheng Li)
- Re: [v6ops] AWS ipv6-only features Chengli (Cheng Li)
- Re: [v6ops] AWS ipv6-only features Lorenzo Colitti
- Re: [v6ops] AWS ipv6-only features Gert Doering
- Re: [v6ops] AWS ipv6-only features Mark Smith
- Re: [v6ops] AWS ipv6-only features Gert Doering
- Re: [v6ops] AWS ipv6-only features Vasilenko Eduard
- Re: [v6ops] AWS ipv6-only features Vasilenko Eduard
- Re: [v6ops] AWS ipv6-only features - videoconfereā¦ Alexandre Petrescu
- Re: [v6ops] AWS ipv6-only features Eric Vyncke (evyncke)
- Re: [v6ops] AWS ipv6-only features sthaug
- Re: [v6ops] ipv6-only features Alexandre Petrescu
- Re: [v6ops] ipv6-only features Nick Buraglio
- Re: [v6ops] ipv6-only features Vasilenko Eduard
- Re: [v6ops] AWS ipv6-only features Owen DeLong
- Re: [v6ops] AWS ipv6-only features Nick Buraglio
- Re: [v6ops] AWS ipv6-only features Owen DeLong
- Re: [v6ops] AWS ipv6-only features Brian E Carpenter
- Re: [v6ops] AWS ipv6-only features Brian E Carpenter
- Re: [v6ops] AWS ipv6-only features Nick Buraglio
- Re: [v6ops] AWS ipv6-only features Owen DeLong
- Re: [v6ops] AWS ipv6-only features Owen DeLong
- Re: [v6ops] AWS ipv6-only features Brian E Carpenter
- Re: [v6ops] AWS ipv6-only features Nick Buraglio
- Re: [v6ops] AWS ipv6-only features Vasilenko Eduard
- Re: [v6ops] AWS ipv6-only features Philip Homburg
- Re: [v6ops] AWS ipv6-only features David Farmer
- Re: [v6ops] AWS ipv6-only features Nick Buraglio
- Re: [v6ops] AWS ipv6-only features Nick Buraglio
- Re: [v6ops] AWS ipv6-only features Owen DeLong
- Re: [v6ops] AWS ipv6-only features Brian E Carpenter
- Re: [v6ops] AWS ipv6-only features Owen DeLong
- Re: [v6ops] AWS ipv6-only features Philip Homburg
- Re: [v6ops] AWS ipv6-only features Nick Buraglio
- Re: [v6ops] AWS ipv6-only features Nick Buraglio