Re: [v6ops] SLAAC renum: Problem Statement & Operational workarounds

Ole Troan <otroan@employees.org> Mon, 28 October 2019 22:36 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CA2112006B for <v6ops@ietfa.amsl.com>; Mon, 28 Oct 2019 15:36:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VQdQ6vuD2GGE for <v6ops@ietfa.amsl.com>; Mon, 28 Oct 2019 15:36:29 -0700 (PDT)
Received: from clarinet.employees.org (clarinet.employees.org [198.137.202.74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4628C120033 for <v6ops@ietf.org>; Mon, 28 Oct 2019 15:36:29 -0700 (PDT)
Received: from astfgl.hanazo.no (246.51-175-81.customer.lyse.net [51.175.81.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 78D6A4E11B5C; Mon, 28 Oct 2019 22:36:28 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id 9B7CA205AC83; Mon, 28 Oct 2019 23:36:25 +0100 (CET)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <CAFU7BARBHGcxzULO-aVr+c5CJW6UCsNRkrgQSRdB7vtpYZw85w@mail.gmail.com>
Date: Mon, 28 Oct 2019 23:36:24 +0100
Cc: Mark Smith <markzzzsmith@gmail.com>, v6ops list <v6ops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <40E27B00-5C6F-4704-9554-2DC532F854BE@employees.org>
References: <m1iNIFE-0000IwC@stereo.hq.phicoh.net> <d1b6855d-bde9-7b53-4809-0846bb9772e4@si6networks.com> <CAO42Z2x7vudujw5t++obry56g=VNjQXXTHFK8pBPk0jmk78Bcg@mail.gmail.com> <CAJoHkZ8pTjszP0vw4BjX0HUhmPa6wJONzdy2JEm5iqAfBUvjRg@mail.gmail.com> <CAO42Z2wCYi4KWTEz1hUSPVr9+hu8GaHRkPuvQQ2P00knvnPaaQ@mail.gmail.com> <848BA3B3-36B4-4C42-86D0-88759BC45D5A@employees.org> <CAFU7BARBHGcxzULO-aVr+c5CJW6UCsNRkrgQSRdB7vtpYZw85w@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
X-Mailer: Apple Mail (2.3594.4.19)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/HkkLsIQ9pz56JTuaDVnEBl0lt3Y>
Subject: Re: [v6ops] SLAAC renum: Problem Statement & Operational workarounds
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2019 22:36:31 -0000

>> Right. Instant/flash renumbering is not supported in IP networks.
> 
> Oh. Surprise. After I've been doing it all the time....;)

Oh great. So which services do you run in the network? Any issue with short DNS ttls?
Or do you only do this with MP-TCP / QUIC or only mosh style applications with a built in session layer?
I presume you have a routed network with multiple routers and links as well?

Ole, not sarcastic at all. ;-)


> 
> Actually it would be helpful  to define requirements/expectations. I read it as:
> R1: [MUST HAVE] after the renumbering host is able to open new connections
> R2: [NICE TO HAVE] old connections survive the renumbering.
> 
> IMHO we shall at least enumerate the most common scenarios where R1 is
> not happening and look what can be done here.
> If we have a scenario when hosts end up with totally broken connectivity we can:
> 1) say 'oh just don't do that' - however before we do this (== produce
> some BCPs) it's worth analysing if it's feasible and, more
> importantly:
>  --- is the party affected by the issue is the same party which is
> supposed to follow the BCP?
>  --- are we talking about 'fix all hosts'? (when did we deal last
> time with the scenario 'a machine re-authenticated via 802.1x
> successfully, changed the VLAN but kept the old IPv6 prefix'?
> 2) See if there is a way to mitigate at least part of the problem by
> making the protocol more robust (isn't all DNA work is actually in the
> same problem space?)
> 
>> IPv6 does nothing to help with this, well, assuming a network hiding behind NAT, it makes it harder.
>> Apart from "does not work", what more can the IETF say or do here?
> 
> Try to make the Internet work better, maybe? :)
> 
>>> On 24 Oct 2019, at 12:43, Mark Smith <markzzzsmith@gmail.com> wrote:
>>> 
>>> 
>>> 
>>> On Thu, 24 Oct 2019, 20:59 Trevor Warwick, <twarwick@gmail.com> wrote:
>>> 
>>> On Thu, 24 Oct 2019 at 09:18, Mark Smith <markzzzsmith@gmail.com> wrote:
>>> 
>>> 
>>> I thought about this in the exact context of the scenario of this draft. Although the design of the broadband deployment I worked on always planned to give out stable prefixes, I worked through this scenario and realised that so many complex issues disappear if you provide stable prefixes.
>>> 
>>> Fundamentally, if an ISP is selling an always on link to the same location, then the addressing should be as permanent as the link delivery location is.
>>> 
>>> 
>>> If you're an ISP today, and using DHCPv6-PD to hand out IPv6 prefixes, what are the possible scenarios if you don't try hard to keep the prefixes stable?
>>> 
>>> Why don't you want to try hard? Not trying hard gives customers a bad experience. They're paying you to try hard to give them the best suitable service you can give them.
>>> 
>>> 
>>> - You could be running a closed environment where all customers are forced to use your CPE, in which case you can make sure that your CPE has various   hacks added to try to cope with prefix instability and avoid customer hosts experiencing connectivity issues when prefixes change. Maybe you can make this work well enough, and advanced customers who don't want to use your CPE are just out of luck.
>>> 
>>> - If you're in an environment where customers can chose their own CPE, then it seems almost guaranteed that there will be connectivity problems when the prefix changes, because many CPE implementations don't handle this situation at all. So you're then relying on hosts falling back seamlessly to IPv4, in order to continue to have connectivity. In which case, I'd wonder why you're bothering to provide an IPv6 service in the first place.
>>> 
>>> See what I said about selling an always on service to a fixed location, and the addressing having the same amount of stability as the service and link itself.
>>> 
>>> The reason this problem really exists is that ISPs have fundamentally continued to treat residential, always on broadband customers although they were still dial up customers. Nothing has changed - per BRAS (NAS) IP address pools, pool route aggregation at the router, customer gets a single IPv4 address when they attach, that can change each time they attach. PPPoE is making Ethernet connectivity resemble dial up connectivity.
>>> 
>>> Now this dial up model is trying to be applied to semi-permanent IPv6 services, where it's even less applicable now that customers get their own routed address space on a semi-permanent link.
>>> 
>>> Treat all customers as routed subnet SOHO customers, so they get the same prefix regardless of which BRAS they attach to. Move the route aggregation boundary to a higher level to e.g. a cluster of BRASes, or a region.
>>> 
>>> Use an IPv6 address provisioning model that suites and matches the service they're paying for, not a nearly 30 year old dial up model.
>>> 
>>> If your customers can BYO their CPE, then stable prefixes are the only choice.
>>> 
>>> See slide 6.
>>> 
>>> Residential IPv6 CPE - What Not to Do and Other Observations
>>> https://www.slideshare.net/mobile/markzzzsmith/residential-ipv6-cpe-what-not-to-do-and-other-observations
>>> 
>>> 
>>> 
>>> 
>>> I do think this is an important problem that needs to be solved, for this context and the others mentioned in the draft.
>>> 
>>> 
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>> 
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
> 
> 
> 
> -- 
> SY, Jen Linkova aka Furry