IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

Brian Carpenter <brian.e.carpenter@gmail.com> Mon, 25 April 2022 23:58 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86DABC1D5AD2; Mon, 25 Apr 2022 16:58:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u52UXGV8Of_V; Mon, 25 Apr 2022 16:58:44 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD9E1C1D4673; Mon, 25 Apr 2022 16:58:43 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id x33so29062337lfu.1; Mon, 25 Apr 2022 16:58:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0P9+OEAsAewiFlp2BQoPfDeUGNmFGDiBUVSwoL7Fr9A=; b=NAQrqcLpmYe+jMKrI33cEs17QOXA9ZlXlrOz8Qri38lv3EjsNvAjD3df3zkM4+yKZC TdOloRnQY62noIxKwBOVwUBoaujsZHgdTQTEYwucEb3bs2JYCbeXv+sjYyA+snFgHMdI HbuJXrfbYwR8VdX8FC+k8pusK7yG9ugBIDYM2LpcdkWQy4cy760W2kCjz57Q71phHQok 3BBh57up6Du2iqKpc9ulERD7AsShDXVWn5NXeVGmqgLSa7Y9ibwaOvmoXpMux4NpLAN3 owmcLgRZHX4Yuy3IN5uj6XrtE3LI/Xztl+hoXt6XgeuOcMCsvjSv3HzaHvb+/SF26w9I SuIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0P9+OEAsAewiFlp2BQoPfDeUGNmFGDiBUVSwoL7Fr9A=; b=tOtCErp7QywORB98hrZneX8HLBCisrWsowaj3k4Rfrlt1V9r6KbqIF7gyIB0rPOHsn iH8qSBvRQNZRneD+UvYAsE20vK6U5E9ta88fq4M7RqvEEGaKikd2Cv8jPxxCdydKkkE+ bXue0dMy2fowD9TH7ExMLqJYdviyrUp1mUiGRd5m30EnYkX1B8QUgXPNF6vSlVqMemit x1FGwcGaak03UH4AGNNn6SXXrNsvzqxyLXha5/qMncWqkM95n4DTgTfJQ7+Ov8X+Mwq7 /6uJ6lNnTQ7qHIm7mmDzQw8CcETC4p2+vjTur5knPwgfyNiwidt2cUMa+LQk8qC8hiRf /6Og==
X-Gm-Message-State: AOAM531aUsSrW2wTGPqGaAOYLr5bL9Hlz5RKMawKN7Q+cpMBpDGTYU8Y pl0aAz/ES4u4nwqOCaAT3qWm00uBC72ZegFpBJs=
X-Google-Smtp-Source: ABdhPJz/9l/kc6XJFinceUNAtPMes7iaKAxOvjHY1yzfBmvUwDRDj7ijZq/L/fDmSPwSliXjMumVmtGm1iqwWgbJAz4=
X-Received: by 2002:a05:6512:20cc:b0:471:f6fb:dac9 with SMTP id u12-20020a05651220cc00b00471f6fbdac9mr10231171lfr.475.1650931121220; Mon, 25 Apr 2022 16:58:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com> <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com>
In-Reply-To: <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com>
From: Brian Carpenter <brian.e.carpenter@gmail.com>
Date: Tue, 26 Apr 2022 11:58:27 +1200
Message-ID: <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com>
To: David Farmer <farmer@umn.edu>
Cc: Kevin Myers <kevin.myers@iparchitechs.com>, Lorenzo Colitti <lorenzo@google.com>, Erik Auerswald <auerswald@fg-networking.de>, Ted Lemon <elemon@apple.com>, v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>
Content-Type: multipart/related; boundary="00000000000007908305dd835b7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/F0ptZ2IiOIvt9NoUZ4LqXfiwvV4>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 23:58:48 -0000

No, I explicitly don't want to look at audit rules. I want someone who
understands them to explain what the functional requirements are. NAT is
not a functional requirement.

Regards,
    Brian Carpenter
    (via tiny screen & keyboard)

On Tue, 26 Apr 2022, 11:06 David Farmer, <farmer@umn.edu> wrote:

> You want to look at PCI DSS 3.2 requirement 1.3.7.
> [image: image.png]
>
> Compensating controls is an option, but auditors have to sign off on them,
> and the whole process is about minimizing exceptions and getting a clean
> audit. IT isn't in charge of this, finance people are, it's not technical,
> it's all about the money, and numbers with 7 or 8 significant digits or
> more.
>
> I've been on that the merry-go-round several times, I believe in IPv6 E2E,
> but if anyone asks me just do NPTv6 or NAT66, whatever the auditor wants
> you to do.
>
> Have fun on the merry-go-round, I'll pass.
>
> Thanks
>
> On Mon, Apr 25, 2022 at 5:32 PM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
>
>> Kevin,
>>
>> > Auditing frameworks and auditors are just not ready for IPv6 and
>> without migration strategies like NAT, they'll have no reason to be because
>> IPv4 will continue to dominate.
>>
>> You're describing a vicious circle, and the question is how can we break
>> it?
>>
>> Advocating NPTv6 might achieve that, but many of us dislike that strategy.
>>
>> Can you explain what are the technical requirements in PCI-DSS land that
>> have been interpreted as requiring NAT44? Is it time for RFC4864bis,
>> because this is exactly what we were aiming at with that RFC?
>>
>> Regards
>>     Brian Carpenter
>>
>> On 25-Apr-22 17:34, Kevin Myers wrote:
>> > This misses the problem entirely though.
>> >
>> > It's not a choice to reconsider, these are regulatory requirements. The
>> fact that a handful of enterprises have deployed IPv6 doesn't move the
>> needle on compliance for the vast majority of them.
>> >
>> > No retail enterprise is going to choose IPv6 without NAT internally if
>> it means not being permitted to use credit cards because of a failed
>> PCI-DSS audit.
>> >
>> > Auditing frameworks and auditors are just not ready for IPv6 and
>> without migration strategies like NAT, they'll have no reason to be because
>> IPv4 will continue to dominate.
>> >
>> >
>> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> > *From:* Lorenzo Colitti <lorenzo@google.com>
>> > *Sent:* Sunday, April 24, 2022, 11:27 PM
>> > *To:* Kevin Myers <kevin.myers@iparchitechs.com>
>> > *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com>; Erik Auerswald <
>> auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>; v6ops list <
>> v6ops@ietf.org>; 6man list <ipv6@ietf.org>
>> > *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider operational
>> input]
>> >
>> > There are several fortune 500 companies that have publicly stated that
>> they have deployed IPv6 with global addressing, so that's definitely
>> possible.
>> >
>> > As for "is it better to deploy IPv6 with NAT66 or not to deploy at
>> all", I would guess it depends who you ask. My personal answer would be no.
>> It's possible that when faced with app and OS incompatibilities, those
>> enterprises might reconsider. Or they might pick the same technical
>> solutions as the enterprises that have already deployed with global
>> addresses.
>> >
>> > On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <
>> kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com>>
>> wrote:
>> >
>> >     IPv6 NAT is already being deployed in large enterprises for the few
>> that want to tackle IPv6. Vendor implementations exist, so that ship has
>> sailed regardless of where the IETF lands.
>> >
>> >     Most of the Fortune 500 fall under regulatory compliance of one
>> body or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well
>> for an IPv6 no-NAT world. Most of the discussion I see around enterprise
>> adoption on the IETF lists misses this point. It matters very little
>> whether NAT is a "good" or "bad" practice when it comes to selecting an
>> operational model. Enterprises choose operational models that will pass
>> audits
>> and the overwhelming majority rely heavily on NAT.  We can make the
>> argument that compliance bodies and auditors should update their guidance
>> and standards and they absolutely should, but it will probably take close
>> to a decade to change the regulatory compliance auditing landscape to the
>> point that IPv6 without NAT is commonplace.
>> >
>> >     If auditors won't sign off on end to end GUA addressing, then NAT
>> is going to remain.
>> >
>> >     Enterprises are more than willing to punt IPv6 for another decade
>> and will likely have no issues in doing so given how little IPv4 space most
>> of them need compared to service providers. Even when IPv6 becomes the
>> predominant transport type for an Internet handoff everywhere, it will
>> still just live in the underlay while IPv4 remains the predominant choice
>> in the overlay, in apps,  and internally in the DC for enterprises.
>> >
>> >     At what point does it become more important to have IPv6
>> implemented, than to have it "perfectly" implemented?
>> >
>> >     Kevin Myers
>> >     Sr. Network Architect
>> >     IP ArchiTechs
>> >
>> >     -----Original Message-----
>> >     From: v6ops <v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org>>
>> On Behalf Of Brian E Carpenter
>> >     Sent: Sunday, April 24, 2022 9:48 PM
>> >     To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:
>> 40google.com@dmarc.ietf.org>>; Erik Auerswald <auerswald@fg-networking.de
>> <mailto:auerswald@fg-networking.de>>; Ted Lemon <elemon@apple.com
>> <mailto:elemon@apple.com>>
>> >     Cc: v6ops list <v6ops@ietf.org <mailto:v6ops@ietf.org>>; 6man list
>> <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>> >     Subject: Re: [v6ops] ULA precedence [Thoughts about wider
>> operational input]
>> >
>> >     On 25-Apr-22 12:16, Lorenzo Colitti wrote:
>> >      > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <
>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de> <mailto:
>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>> wrote:
>> >      >
>> >      >       "Since ULAs are defined to have a /48 site prefix, an
>> implementation
>> >      >        might choose to add such a row automatically on a machine
>> with
>> >      >        a ULA."
>> >      >
>> >      >     The result is that only the local ULA prefix,
>> i.e., exactly the
>> >      >     local IPv6 addresses, are preferred over IPv4
>> (and IPv6 GUA).
>> >      >     This should be exactly what is needed to use ULA addresses
>> inside
>> >      >     an organization, or for a lab.
>> >      >     [...]
>> >      >     Implementing the non-normative suggestion from Section 10.6
>> of RFC
>> >      >     6724 would in all likelihood result in making
>> ULA usable for local
>> >      >     tests and even first steps in deploying IPv6.  ULA addresses
>> would
>> >      >     only be used locally.  Existing IPv4 based Internet access
>> would not
>> >      >     be impaired by adding IPv6 ULA.
>> >      >
>> >      >
>> >      > That does seem like it might make ULA more useful, yes.
>> >      >
>> >      > Additionally, maybe we could clarify that the longest-prefix
>> match rule
>> >     does not apply to ULAs outside the same /48? I think that would fix
>> the issue observed by +Ted Lemon <mailto:elemon@apple.com <mailto:
>> elemon@apple.com>> in home networks:
>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>> <
>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>
>> <
>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>> <
>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>>
>> .
>> >
>> >     When two networks each with its own ULA prefix are intentionally
>> merged, longest match would be the right thing, wouldn't it? (Assuming that
>> the split DNSs are also merged, and of course internal routing.) In that
>> case there is no "foreign" ULA prefix.
>> >
>> >      >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT
>> could be
>> >      >     considered.  To make this work as intended, the address
>> selection
>> >      >     policy table could be adjusted to contain the
>> local ULA prefix
>> >      >     with precedence greater or equal to GUA and the same label
>> as GUA.
>> >      >
>> >      >
>> >      > This seems like it would encourage the use of IPv6 NAT. I think
>> there is reasonably strong consensus within the IETF that that is not the
>> right way to go, because it pushes problems on to application developers.
>> This adds costs for NAT traversal software development and maintenance,
>> and requires devices to implement NAT keepalives, increasing battery usage.
>> >
>> >     That may be the IETF's consensus, but there is a very large
>> fraction of the enterprise network operations community that strongly
>> disagrees,
>> and in fact regards this as a red line issue. It isn't even clear that
>> they'd accept NPTv6 as an alternative to NAPT66. If this is indeed the only
>> way to get IPv6 inside enterprises, what is the right thing for the IETF
>> to do?
>> >
>> >             Brian
>> >
>> >     _______________________________________________
>> >     v6ops mailing list
>> >     v6ops@ietf.org <mailto:v6ops@ietf.org>
>> >     https://www.ietf.org/mailman/listinfo/v6ops <
>> https://www.ietf.org/mailman/listinfo/v6ops>
>> >
>> >
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>

v2.23.0 | Report a Bug | By Email