Re: [v6ops] Scope of Unique Local IPv6 Unicast Addresses (Fwd: New Version Notification for draft-gont-6man-ipv6-ula-scope-00.txt)

Ted Lemon <mellon@fugue.com> Wed, 06 January 2021 18:09 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <26933B3A-039C-4418-A1FF-5EFD5FC92523@fugue.com>
Date: Wed, 6 Jan 2021 13:08:59 -0500
In-Reply-To: <13054.1609955471@localhost>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, ipv6@ietf.org, Gert Doering <gert@space.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <160989494094.6024.7402128068704112703@ietfa.amsl.com> <6fe3a45e-de65-9f88-808d-ea7e2abdcd16@si6networks.com> <m1kx98E-0000EhC@stereo.hq.phicoh.net> <b53b5d62-0334-f791-f56a-f2122767ecdb@si6networks.com> <m1kxAVC-0000KhC@stereo.hq.phicoh.net> <c236e635-518b-fb51-5024-901ec4677c5d@si6networks.com> <20210106162652.GX13005@Space.Net> <1ddf8850-a8cb-53a7-31bc-7433d5a984f2@si6networks.com> <1169.1609953092@localhost> <FA6275FF-E148-46DC-BCFD-987315765873@fugue.com> <13054.1609955471@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/EVLWLWL-kKk7nv6OUPIXXqUwQsA>
Subject: Re: [v6ops] Scope of Unique Local IPv6 Unicast Addresses (Fwd: New Version Notification for draft-gont-6man-ipv6-ula-scope-00.txt)

On Jan 6, 2021, at 12:51 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> But... caching and outsourcing of DNS servers and outsourcing of DNS resolvers.
> I hate all of that: except for simpler (IoT) devices, which should always use
> local DNS server to get local policy, all this policy should be in the
> client, not the server.

Okay, if that’s possible, sure, but the way to do that sort of policy would be to say what server to contact for what domain. The VPN example is just one example; you could certainly also do this without a VPN. It’s pretty easy to do on the Mac—just add a scoped DNS resolver; not sure how hard it is on Linux.

The thing is, though, that somebody has to provide the intelligence to decide either who to ask or what address to use. I think that by default you should never see a ULA other than from the local resolver, because there’s just no way for someone who _doesn’t_ know that ULA to know whether it would work or not. So if there are some domains that you want treated specially, the easiest way to do that is to have a different resolver for those domains (a scoped resolver).
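As an added illustration of the client-side policy described in this reply (not code from the thread or from any of its participants): a scoped resolver is chosen by longest domain-suffix match, and AAAA answers inside the ULA range fc00::/7 (RFC 4193) are accepted only when they came from a resolver the client knows to be local. The domain names and resolver addresses are constructed placeholders.

```python
import ipaddress

# RFC 4193 Unique Local Addresses: fc00::/7
ULA = ipaddress.ip_network("fc00::/7")

# Constructed client policy (hypothetical values): domain suffix -> resolver.
# The empty suffix is the default resolver used for every other name.
SCOPED_RESOLVERS = {
    "corp.example": "fd12:3456:789a::53",  # local resolver, only reachable on-site
    "": "2001:db8::53",                    # default resolver (documentation prefix)
}

# Resolvers the client treats as "local", i.e. allowed to hand out ULAs.
LOCAL_RESOLVERS = {"fd12:3456:789a::53"}


def select_resolver(name):
    """Return the resolver for `name` by longest-suffix match (scoped resolver)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SCOPED_RESOLVERS:
            return SCOPED_RESOLVERS[suffix]
    return SCOPED_RESOLVERS[""]


def filter_answers(resolver, answers):
    """Drop ULA answers that did not come from a local resolver.

    A ULA learned from a non-local resolver cannot be known to be reachable
    (or even to belong to this site), so the client discards it. IPv4 and
    global IPv6 answers pass through unchanged.
    """
    kept = []
    for text in answers:
        addr = ipaddress.ip_address(text)
        if addr.version == 6 and addr in ULA and resolver not in LOCAL_RESOLVERS:
            continue
        kept.append(text)
    return kept


def resolve_with_policy(name, answers_by_resolver):
    """Pick the scoped resolver for `name` and filter its (constructed) answers."""
    resolver = select_resolver(name)
    return resolver, filter_answers(resolver, answers_by_resolver.get(resolver, []))
```

On macOS the same per-domain scoping is expressed by a file named after the domain under /etc/resolver/ containing the nameserver to use; the filtering step above is what such a scoped resolver does not do for you and must be applied by the client itself.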