IETF Logo Mail Archive

Re: [v6ops] Operational Consensus on deployment

Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Tue, 05 August 2014 21:40 UTC

Return-Path: <pch-bBB316E3E@u-1.phicoh.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 905CD1B2BF8 for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 14:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.9
X-Spam-Level:
X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qei4cb36K4fP for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 14:40:07 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo6.hq.phicoh.net [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2F41B2BF6 for <v6ops@ietf.org>; Tue, 5 Aug 2014 14:40:07 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #91) id m1XEmSi-0000A8C; Tue, 5 Aug 2014 23:40:04 +0200
Message-Id: <m1XEmSi-0000A8C@stereo.hq.phicoh.net>
To: Tore Anderson <tore@fud.no>
From: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Sender: pch-bBB316E3E@u-1.phicoh.com
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <DE860EBC-171E-46E7-A3B6-5E8B79A453CC@cisco.com> <53DFEC6C.3010707@gmail.com> <CAD6AjGRUWxT5XiNxMi_S5VgYtGMLb_FVHXN-ZfGpcY=geix15g@mail.gmail.com> <53E06AC9.9010908@fud.no> <4F7D76F6-BD81-453B-94DC-A3C3DFF68505@delong.com> <8600C096-37D0-4651-92C1-BCFDBA674433@nominum.com> <CAD6AjGTBfyT-zNDJtBKCNtRxd=Hi07678Sr_-HgSGYbjAiF3Tg@mail.gmail.com> <C5281716-DC04-42E6-AC82-0D53E5DA0284@nominum.com> <53E1236A.605@fud.no> <m1XEkJJ-0000BuC@stereo.hq.phicoh.net> <53E13A3B.4050303@fud.no>
In-reply-to: Your message of "Tue, 05 Aug 2014 22:10:35 +0200 ." <53E13A3B.4050303@fud.no>
Date: Tue, 05 Aug 2014 23:39:57 +0200
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/J9i0riqM21sMyBktXgWc9vlbUpI
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:40:09 -0000

In your letter dated Tue, 05 Aug 2014 22:10:35 +0200 you wrote:
>The current IPv6 dual stack transition mechanism is defined in RFC 4213,
>and it makes no reference to NAT whatsoever. This thread started out by
>Fred asking if we needed to update the consensus that dual stack is the
>IETF-recommended transition method, and in that context, no I not
>consider that the current dual stack recommendation includes NAT44*.
>
>It would certainly be possible to update RFC 4213 to mean that the new
>recommendation is to do NAT44* in combination with IPv6, though. But I
>don't think that's a good idea. We find ourselves in a hole, so maybe we
>should stop digging instead of getting ourselves a new shovel...

The IETF has ignored NAT44 for a very long time. Most home users don't
actually have IPv4 access: they have a middle box that breaks things.

Outside the IETF (and I assume to a large extent also inside the IETF) people
will find this line of reasoning overly pedantic. To them, NAT44 is just 
part of the Internet.

We can also be pedantic about 'dual stack' and refer to v6+v4 or v6+NAT44 or
v6+NAT444.

However I think the meaning of dual stack is the concept that IPv4 and IPv6
are independent. Neither is tunneled over or translated into the other.

In that sense, whether IPv4 is native or behind a CGN is not relevant. We
matter is that IPv6 is completely independent of that.

>If you by tunneling are referring to the catastrophe that was 6to4, then
>I disagree. It is more like 6RD or MAP-E as it will typically contained
>within a single administrative domain.

No operator likes tunnels. 6RD is not considered 'native IPv6', it is a
second class citizen. 

Personally I think tunneling IPv6 locally over IPv4 works very well. But
there seem to be very few people who agree with that point of view.

>As for other things failing, if you have some concrete examples, please
>let me know. I'd certainly want to see if I can make those work, or if
>not, make sure the drafts properly document the limitations causing the
>failure.

The thing is that in the IPv4 world, probably every coding mistake you
can imagine is out there somewhere. Anything that differs from the way
IPv4 is normally done, may cause things to fail in some small fraction of
systems.

To give a concrete example. The obvious solution to a lower MTU is actually
path MTU discovery, but that doesn't work, so we do MSS clamping.

Out in the field are middle boxes that break MSS clamping. 

The reason those boxes work is that every server supports an MTU of 1500.
If your server doesn't, things break.

>> I think it is safe to say that in your model you have enough public IPv4
>> address to run your services. What your proposal eliminates is the need
>> for internal IPv4 addresses.
>
>That's right. No addresses lost due to network infrastructure,
>servers/applications performing internal tasks, unused addresses on LAN
>segments due to CIDR ^2 boundaries or space set aside for future growth.
>One public service per IPv4 address only. I'd imagine that most internet
>content providers have a much higher number of internal
>applications/servers than they have public service addresses, so this
>adds up to significant savings.

Except that any truely internal server, you can already run on IPv6-only.
No need to change anything in your front-end to do that.

>Presumably you'll want a firewall inside of the SIIT gateway, to deal
>with IPv6 ACLs? If so, you only need one firewall and only one ACL. If
>you previously had an ACL that said something like in iptables syntax,
>where 192.0.2.100 is the trusted IP address you want to allow:
>
>--source 192.0.2.100 --protocol tcp --dport ssh -j ACCEPT
>
>...with SIIT, you'd instead do, assuming 64:ff9b::/96 is the translation
>prefix):
>
>--source 64:ff9b::192.0.2.100 --protocol tcp --dport ssh -j ACCEPT

Now we wait for somebody to type 64:ff9b::192.0.2.0/24 instead of
64:ff9b::192.0.2.0/120.

Also, this not in canonical form. So any program that outputs these address
uses a different syntax. Try grepping your firewall config for an address
you see in tcpdump and not finding it.

And I wonder howmany people understand this notation at all.

v2.23.0 | Report a Bug | By Email