IETF Logo Mail Archive

Re: [v6ops] AWS ipv6-only features

Nick Buraglio <buraglio@es.net> Wed, 01 December 2021 19:58 UTC

Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077123A0A8C for <v6ops@ietfa.amsl.com>; Wed, 1 Dec 2021 11:58:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4RGSh1Ax_0HZ for <v6ops@ietfa.amsl.com>; Wed, 1 Dec 2021 11:58:20 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92EF93A0A8B for <v6ops@ietf.org>; Wed, 1 Dec 2021 11:58:20 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id 13so50323566ljj.11 for <v6ops@ietf.org>; Wed, 01 Dec 2021 11:58:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=eXfC+Od1ROWQtO/fbNDg8buNTtaNdw2ECdGm6aAgZqM=; b=T2krqb21I6yEw8T3VStDhxAUYyYJjPUY6VybckKb3Q9Y3JtS1twS2xsgWyEzlXCOUL III+A1FQhsDcdkPShPttt4VEagyug+/OeCajw66xfXY+wARLvxjXUts8CAuiSQiE4zB0 80ra6INO13x6jdhzY+FJ5WhezOwbTs7yySg76pxmTap4lHb75nDL0timduDlYd8TDGoL yxubJBwEPlZXFu2jnIfrCneXvd8Zjf4eQUR1sPdbLpNNaMAzNm9kEXqzjvyFlpVX4GCm MljuHpWJ4hHoBU2Y+Wn46NLCgT50ClnJkI4Jx4wST+SGFPzJ24Po92OeFzd8dP5Ioe5T +kcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=eXfC+Od1ROWQtO/fbNDg8buNTtaNdw2ECdGm6aAgZqM=; b=fGA1AxE6rqFk4I3fzplm+B+1hmf98S/SIopLSj9LhZhISK3SZbJOfGhpka4ghOxrEJ uFFooV1IiAg7uh3H4NPmPNngeVhfBd48e1ChvREmGVFsWnS1qnccqhgEmq2To/1axrnq iZtsZM0MHHUGbc+NifroMSvwbRYub2ul/06ZYIkXK5eGfPOK7UiRyK5OqpgRmzBBcd/o Pixop/gOufXdkb9fpbRnyzWrq1ytn+Qh2njtQ1RvIO9NP2kWQQ/Ove3dNUwobnUBsuVy RVFMTIG+HcQ/mv0Az1s/eghkgP3BwmClqKhqCLEaDakJmEC6lVJTGiPV8/7b4/SCysDw H08g==
X-Gm-Message-State: AOAM530B2PKi8EziNFtcIJSlZc0nc7c2LGc4yb+IELXimpTZN2YCfZH+ LD4ClFovOqlOsR2sdJ4Xl8z5zvgiG4LYnb/Jvcz/Z8K9m1wqi8PSkzP76ueK/wd09UFh0w8hOHr pZT1pDMSPVJYUzvjsdzMTdaTnvwBhKUjM9GE4lI+C+Cmi89Apm7VhCRbNPG+8egBB3s6ulaprEm qHW2RVNgs=
X-Google-Smtp-Source: ABdhPJxxq6+Sre7ucM48bs1D9BkVhGzE76aeoMw1WRLQShc95SNuH+hqrmgTz93snkHhhIawi0RKoYC6VYT1GYieKF0=
X-Received: by 2002:a2e:2a46:: with SMTP id q67mr7705431ljq.398.1638388693375; Wed, 01 Dec 2021 11:58:13 -0800 (PST)
MIME-Version: 1.0
References: <CAD6AjGRAkpMDaAh31mVL=+Gcz5PHejUxxLazr4Xb=vVRHfaSpw@mail.gmail.com> <CAO42Z2z8u_DQMd9eNSQp_RhBinXk2KyH4pdbVLMEqOta-hoG1w@mail.gmail.com> <CADzU5g5odQ82FJ0TsdNxFB42OkgLZ+PWanLLrK1roLojAUS54A@mail.gmail.com> <CAO42Z2z+ZJ_pLwZmBjZ_HFsNXQ6jok-PMRTP23ZD2UMch61wtw@mail.gmail.com> <CAM5+tA9JhRWfZ2VLLQnT8Mg+Xng-+Rc-oQnX8Ma5DguL2uDO8w@mail.gmail.com> <C7A86994-311E-4D94-80AE-74A15D6D62B1@delong.com> <m1mrzjf-0000GqC@stereo.hq.phicoh.net> <C75C1488-6B27-4BE4-8B68-BFBF35748369@delong.com> <m1msJDa-0000HCC@stereo.hq.phicoh.net>
In-Reply-To: <m1msJDa-0000HCC@stereo.hq.phicoh.net>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Wed, 01 Dec 2021 13:58:01 -0600
Message-ID: <CAM5+tA-ab9+ifue4H1U-SGFXqaksuu2eUoC6AhU3OmwL75ZMyA@mail.gmail.com>
To: Philip Homburg <pch-v6ops-11@u-1.phicoh.com>
Cc: v6ops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000133fe105d21b1895"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Bq2kJHfjj1h0_csYfmdBgZzQLJI>
Subject: Re: [v6ops] AWS ipv6-only features
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2021 19:58:26 -0000

On Wed, Dec 1, 2021 at 12:36 AM Philip Homburg <pch-v6ops-11@u-1.phicoh.com>
wrote:

> > > Is this common practice somewhere? Do people expect that something
> sensible
> > > will happen if you try that? Is it documented what should happen?
> >
> > Probably more common in mDNS than DNS, but yes, something sensible
> > SHOULD happen as documented in the RFCs:
> >
> > AAAA record sorting in getaddrinfo() or getnameinfo() should return
> > the ULA records before the GUA records in the linked list.
> >
> > As a result, an application that sensibly iterates through the list
> > in order (as is expected behavior) should connect via GUA if possible
> > (if not, it should rapidly receive an error and move on to the next
> > item in the list, so no extraordinary processing or coding is
> > required in the application).
>
> mDNS is a bit of a boring case. If you get an mDNS reply is likely that the
> destination is on the same subnet. It is possible to mess that up, but
> that is more upto the network admin.
>

As is having multiple AAAA records for different addresses. I've definitely
seen this with GUA.


> With DNS, how is it sensible to put both a ULA and a GUA in a single
> DNS record?  Without happy eyeballs (and anything that is not
> a webbrowser is unlikely to implement happy eyeballs), putting in two
> addresses for a host just means waiting twice as long when the host is
> down.
>

If a host is down then the timeout doesn't matter. If a protocol is broken,
without happy eyeballs then failover is already long enough that the user
has likely moved on.  But how does that work for other services? Anything
without happy eyeballs has a timeout long enough that the user will see it
and almost certainly move on or report a problem. More savvy users may wait
it out or try to figure out why their SSH session times out or the like, at
which point it largely doesn't matter what the actual problem is. It's a
degraded service. Having best practices in place on top of reference
designs would go a long way. Personally, I think being prescriptive in the
preference order is warranted. If an application fails to heed that, then
there is a document to point to that says "this, then that, then this" will
save a lot of headaches for both developers that are blindly making up
their own rules (as they would have guidelines to reference) and folks
operating a network or support an application stack that have to answer the
phone.


>
> What benefit do you expect to get from putting two addresses for the same
> host in DNS (at the same DNS name, in the same view)?
>

This is obviously very common with IPv4 and IPv6 - www.google.com resolves
to both the same A and AAAA, what is the functional difference? I can do
the same thing with my RFC1918 space internally (or externally , regardless
of "correctness", if I am so inclined). Granted, DNS views are the
technically smartest choice here, however, the question is not "why would
someone do it this way?". That operational ship sailed years ago with the
advent of the ULA RFC and is comfortably adrift at sea And it's not
changing until enough momentum is in place to tow it back - which is also
not really the point. The question is, operationally, why does this behave
inconsistently? Sure, it's up to the application developers. What guidance
do they have? Our answer to that question should absolutely *not* be
"developers don't understand networks". While often true, that is a
response to a completely different problem space doesn't make anyones
production deployment or on-call schedule any better.
The question we should be asking is "Can we improve this? How?" Be it
guidelines as Brian suggested, or other mechanisms, someone should be
asking, so I am. I am happy to answer as well.


> Having two views (or names), one for external use with a GUA and one
> internal
> use with ULA makes sense.
>

Sure, that's a best case deployment. How many first time IPv6 deployments
fall into that category? Not many. My first few 15+ years ago were
admittedly a total disaster and were re-done after we learned some hard
lessons.
I am getting asked about things like ULA, documentation space, and
other foundational IPv6 concepts a lot in recent months. With the
increasing push for IPv6 (and IPv6-only) the questions won't get any
fewer.  The more consistently those of us prototyping, designing, building,
and supporting IPv6 can answer, the higher the tide raising all boats will
be.

I will now step off of my high horse, the air is getting a bit thin up
here.

nb



>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email