IETF Logo Mail Archive

Re: [v6ops] ULA precedence [Thoughts about wider operational input]

Erik Auerswald <auerswald@fg-networking.de> Sun, 24 April 2022 17:28 UTC

Return-Path: <auerswald@fg-networking.de>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E01AE3A1779; Sun, 24 Apr 2022 10:28:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 344w7jRAqtyG; Sun, 24 Apr 2022 10:28:08 -0700 (PDT)
Received: from mailgw1.uni-kl.de (mailgw1.uni-kl.de [IPv6:2001:638:208:120::220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F17B73A1777; Sun, 24 Apr 2022 10:28:06 -0700 (PDT)
Received: from mail.fg-networking.de (mail.fg-networking.de [131.246.197.23]) by mailgw1.uni-kl.de (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id 23OHRwkb053071 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 24 Apr 2022 19:27:59 +0200
Received: from login.fg-networking.de (login.fg-networking.de [131.246.197.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.fg-networking.de (Postfix) with ESMTPS id BFDF62009B; Sun, 24 Apr 2022 19:27:49 +0200 (CEST)
Received: by login.fg-networking.de (Postfix, from userid 11002) id 56684155; Sun, 24 Apr 2022 19:27:49 +0200 (CEST)
Date: Sun, 24 Apr 2022 19:27:49 +0200
From: Erik Auerswald <auerswald@fg-networking.de>
To: Nick Buraglio <buraglio@es.net>
Cc: v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>
Message-ID: <20220424172743.GA218999@fg-networking.de>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/EA8FXykPWRUj-K6PnJQCJyl-AH8>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Apr 2022 17:28:13 -0000

Hi Nick,

I saw your Internet-Draft draft-buraglio-v6ops-ula on "The Daily
Dose of IETF" <https://tools.ietf.org/dailydose/>, issue 4085 from
2022-04-22.  I found the title of interest to me, because some
years ago I tried to deploy ULA and came to the conclusion that
this resulted in more problems than solutions.  But my experience
differs markedly from what I read in the draft.

What I have experienced is implementing ULA addressing inside
an organization some years ago.  But back then IPv6 ULA was
preferred over IPv4, and NAT for IPv6 was not widely available.
We did have NAT for IPv4, but not for IPv6.  But with ULA treated
the same as GUA, connections to external hosts with both IPv4
and GUA IPv6 addresses were attempted with ULA source addresses.
This obviously did not work.  Additionally, we encountered address
selection problems where some host would prefer a ULA source address
to reach external GUA destinations, even though it could have used
a GUA source address.  We then reverted to only using GUA for IPv6.

The policy table from RFC 6724 Section 2.1 addresses all of the
above problems.  RFC 6724 also describes extensions for specific
use cases, including that of preferring ULA for use inside an
organization (or lab).

Section 2.1 of RFC 6724 contains:

 "An implementation MAY automatically add additional site-specific
  rows to the default table based on its configured addresses,
  such as for Unique Local Addresses (ULAs) [RFC4193] [...] (see
  Sections 10.6 [...])."

Section 3.1 of RFC 6724 contains:

 "Also, note that ULAs are considered as global, not site-local,
  scope but are handled via the prefix policy table as discussed
  in Section 10.6."

Section 10.6 of RFC 6724 contains:

 "By default, global IPv6 destinations are preferred over
  ULA destinations, since an arbitrary ULA is not necessarily
  reachable[.]"

 "However, a site-specific policy entry can be used to cause ULAs
  within a site to be preferred over global addresses as follows."

Then the site specific ULA /48 prefix is inserted into the policy
table, with precedence higher than that of GUA, and with a different
label.  Because of the higher precedence, ULA is preferred over GUA.
Because of the different labels of ULA and GUA, connections to GUA
destinations prefer GUA source addresses over ULA.

This can be done automatically, as described in the same section:

 "Since ULAs are defined to have a /48 site prefix, an implementation
  might choose to add such a row automatically on a machine with
  a ULA."

The result is that only the local ULA prefix, i.e., exactly the
local IPv6 addresses, are preferred over IPv4 (and IPv6 GUA).
This should be exactly what is needed to use ULA addresses inside
an organization, or for a lab.

It seems to me as if RFC 6724 already includes the general solution
for the problem described in your draft, i.e., adding the locally
used ULA /48 prefix with appropriate precedence and label to the
address selection policy table.

Implementing the non-normative suggestion from Section 10.6 of RFC
6724 would in all likelihood result in making ULA usable for local
tests and even first steps in deploying IPv6.  ULA addresses would
only be used locally.  Existing IPv4 based Internet access would not
be impaired by adding IPv6 ULA.

Application layer gateways could be deployed with ULA on the inside
and GUA on the outside.

Local servers with external IPv6 services only available via GUA,
but without IPv4, would be reachable using ULA source addresses.
This would allow to, e.g., host an IPv6 web page using a DNS entry
without A record as part of those first steps towards implementing
IPv6, and transparently combine it with ULA on local clients,
without negatively affecting said clients' Internet access which
is still based on IPv4 (often private addresses with NAT).

In order to keep IPv6 deployment similar to IPv4, IPv6 NAT could be
considered.  To make this work as intended, the address selection
policy table could be adjusted to contain the local ULA prefix
with precedence greater or equal to GUA and the same label as GUA.
The automatic ULA row addition from RFC 6724 should then be disabled
using the "Automatic Row Additions flag" from RFC 6724 Section 2,
if it were implemented and enabled otherwise.

After gaining some experience with IPv6, one has a better basis
to decide how to proceed, i.e., if GUA addresses shall be used for
Internet access, or ULA + NAT instead.  This experience gathering
process might include deploying IPv6 NAT, GUA on client subnets,
IPv6 ALGs, or a combination of those.

If after the first steps in IPv6 use one should decide that ULA +
NAT shall be used instead of GUA without NAT, local policy could
be implemented by adjusting the address selection policy table as
described above.  Such adjustments are within the possibilities
provided by RFC 6724.

It might be helpful to ask operating system vendors for full support
of RFC 6724, including section 10.6, i.e., automatically adding a
local ULA /48 prefix with appropriate precedence and label to the
address selection policy table.

It might also be helpful to ask operating system vendors for
improved administrative tools to ease adjustment of the address
selection policy.  To support testing different variants, such
adjustments should be possible dymanically, without needing to
restart processes or reboot systems.  As such the GNU C Library
(glibc) implementation that is not thread safe and thus discourages
use of its "reload" functionality seems to show potential for
improvement (https://man7.org/linux/man-pages/man5/gai.conf.5.html).

It might even be helpful to ask operating system vendors to implement
a simple toggle to enable or disable an address selection policy
that caters towards ULA with IPv6 NAT (e.g., removing the policy
table entry for fc00::/7, or changing both preference and label to
be identical to the GUA entry ::/0).

With kind regards,
Erik
-- 
Dipl.-Inform. Erik Auerswald
Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630

v2.23.0 | Report a Bug | By Email