[v6ops] Re: Dynamic addresses

Ted Lemon <mellon@fugue.com> Sat, 10 August 2024 16:45 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B767C151099 for <v6ops@ietfa.amsl.com>; Sat, 10 Aug 2024 09:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JzteQ3oOUVW for <v6ops@ietfa.amsl.com>; Sat, 10 Aug 2024 09:44:58 -0700 (PDT)
Received: from mail-oa1-x29.google.com (mail-oa1-x29.google.com [IPv6:2001:4860:4864:20::29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A7BC151534 for <v6ops@ietf.org>; Sat, 10 Aug 2024 09:44:57 -0700 (PDT)
Received: by mail-oa1-x29.google.com with SMTP id 586e51a60fabf-2689e7a941fso2020763fac.3 for <v6ops@ietf.org>; Sat, 10 Aug 2024 09:44:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1723308297; x=1723913097; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=yQtbYPImoiGQCBCBw7fvWEe1DRtyITPdbg1Mp2FceJk=; b=gotp9SNiY6jAjE3PghidyxFIBcv06ZyCRMoRxdSqljFfT1gHxaP+AlPbvcHWOezba4 4y0LT5QXpaAgsUQZV9mUXZBgmT55YXPWb4foH76lB0pQE+Bkiqf4e/HTSyMClm5xxuGT Z0UnPFTUAfsNtNKRquheidMLc+DTd4AdW6aItxTF6Nvl/Fv8Ar3ffj687rEZaVepBwEx 7MiJdvz1o4lVlYwfqRKl6/ZCbb3bl06gWZz7TdPbzmLcw3fAitmT8enEEbf6zAXCxFsy 5HtAOHIGshtIZ+gG+Dm5RoYS5Yb/xaXZj9JJSSNeXEcx1n9EMPsf6yEi3H3vJoX8vJEM p+iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723308297; x=1723913097; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=yQtbYPImoiGQCBCBw7fvWEe1DRtyITPdbg1Mp2FceJk=; b=rRhIa/aLS8/8rJr7Ji35yJtUcMun7+DLUobcTW+8j1UcLT7ddHFDt07lzCyGhdobeF +ywxqocXS/KIADGar5kvvmy92LGkD6PMLAw1hvYrvE1Jvy4Yp1hJ62c3YJJco4dtti9F d4f3brIPZSvaJ/O8ns38gy3+nYcbppoY4I2p5hU25T5inti+RYrQzERY+NIB1bIT0g3o Z81aecHjukwMnFI1mTumLsEhBPZQnfm1mleAH6KMgaUtQOTsS82/f+2m5+MVOOjIBUrr 5BE0s7K0UMhpZBINhawRrjR1LRqjK3350eF3BOd0HlGL7aZ5fL7/CkuBfNbdUoY81yJ6 2ONA==
X-Forwarded-Encrypted: i=1; AJvYcCUNe2V+hL+IQhu+lWjm1a6iVavPUokLMz3+sw5ZMDlO0Yr549JD/hbGQlAKPN6YW7qjKsYQs+jLD2yQLVTxEQ==
X-Gm-Message-State: AOJu0Yztp3/WmltNAKQSn1T9FidOJkKqnVzR5+loP2+fAnjwaxByCmwz ZnNYq0UQj0hv4lj3iIuY2734IEUdTcYSdBW7M3iBmc/fzYtUSFytE8kiLZ4HyS+u1w0/kSi+Iv+ BJVoJpuvQ8FvwsCZlXac92Hqg0GpScmHNcZ6/pQ==
X-Google-Smtp-Source: AGHT+IFlL87+Vdoz0M1cFfTTqM1BIGoOh1Xo18skJkr9dFQs/6dS06EzensJ+YkkZbagKQKqv3ia6rWN1GaI+Jw3e9c=
X-Received: by 2002:a05:6871:552:b0:260:e611:c09 with SMTP id 586e51a60fabf-26c62fad649mr6026875fac.47.1723308296872; Sat, 10 Aug 2024 09:44:56 -0700 (PDT)
MIME-Version: 1.0
References: <df01e0f8-1b0d-4792-be2c-89a59da7de49.ref@swbell.net> <df01e0f8-1b0d-4792-be2c-89a59da7de49@swbell.net> <CAJgLMKte1H3FaoQOhc7_No=SNdczQFo2_mp2c1FvTOqLCRFm2g@mail.gmail.com> <6e70bed7-6f84-4a4a-90f8-fec1d10a599b@swbell.net> <CAJgLMKsXHcxzu8Kbrg1pu9SDkGDH0b1bWzW__CrfpDaSv3Joog@mail.gmail.com> <CACyFTPFakaDLdTJVc6d1HiR_oaedNOV76MRQxJp=+z95uQFVZQ@mail.gmail.com> <CAPt1N1=rQp5U4_X=2WvCV358S9Qm+E+_+gs_mgUJHP_68dYLmg@mail.gmail.com> <d16406c6-e5d9-4aa4-a16e-7513d04d6b07@gmail.com> <CACyFTPEdh_SL3BJ6WcD18tpYzH=Q6gxYnXanTsHZxF4xQm7LuA@mail.gmail.com> <19b076c0-ff57-471a-8f66-6ad47d7169f4@gmail.com> <f469fd02-f67e-4aa3-80e1-e055e63fadd2@swbell.net> <CACyFTPGNUvKkF+hxg1xJPSRNWo4aZN+jtwO3GeMLmQ1pTY8x3g@mail.gmail.com> <CAPt1N1kLTuKjtvsJ5qGd_kjnc8K2HDc7OemMqtaSavGH6kAqJA@mail.gmail.com> <CACyFTPEjAq0kGHFwiNnqsmyhxavu6HhEBu6X7OQXAgaKpPqa1g@mail.gmail.com>
In-Reply-To: <CACyFTPEjAq0kGHFwiNnqsmyhxavu6HhEBu6X7OQXAgaKpPqa1g@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Sat, 10 Aug 2024 12:44:46 -0400
Message-ID: <CAPt1N1nrGy8g-Hk-zcpr_DYX0zvZutfZMz6fNWtzBNzpfC+snw@mail.gmail.com>
To: Daryll Swer <contact@daryllswer.com>
Content-Type: multipart/alternative; boundary="000000000000dfbfad061f56fae5"
Message-ID-Hash: WPZDERFGD6BLE6WKVG5SQLQEVV7AZG5K
X-Message-ID-Hash: WPZDERFGD6BLE6WKVG5SQLQEVV7AZG5K
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The Multach's <jmultach@swbell.net>, v6ops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [v6ops] Re: Dynamic addresses
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Jmexkn8xolp0W7IyUg8GrGXnw9g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

What do you mean by “use against”?

Op za 10 aug 2024 om 11:14 schreef Daryll Swer <contact@daryllswer.com>

> Ted
>
> > It sounds like the isps who you know of who are doing this are not
> following the rfcs. That makes it cheaper, and makes it break IPv6 for the
> end user.
>
> *Most*, ISPs don't conform to RFCs, BCPs and BCOPs. As a consultant, I
> get exposed (They email me their diagrams and configs for review) to tens
> of networks every year, and I can count on one hand, how many networks
> conform to the minimum for networking in general (IPv4 vs IPv6 aside).
>
> That's why I think the "draft-ietf-v6ops-cpe-lan-pd" should potentially,
> have something to give to end-users for them to use against such ISPs, in
> order for these users to get a permenaent ia_pd (/56 minimum or /48
> maximum) via support tickets, asking the ISP to conform.
>
> *--*
> Best Regards
> Daryll Swer
> Website: daryllswer.com
> <https://mailtrack.io/l/713f3f681113f0bfb34c34bcf30460679e5a5347?url=https%3A%2F%2Fwww.daryllswer.com&u=2153471&signature=fe00cdb4ee3ab02c>
>
>
> On Sat, 10 Aug 2024 at 19:53, Ted Lemon <mellon@fugue.com> wrote:
>
>> At least in Germany the address shifting was a regulatory thing—the isp I
>> was working with on it didn’t want to do it—it was expensive and
>> inconvenient.
>>
>> It sounds like the isps who you know of who are doing this are not
>> following the rfcs. That makes it cheaper, and makes it break IPv6 for the
>> end user.
>>
>> Op za 10 aug 2024 om 10:10 schreef Daryll Swer <contact@daryllswer.com>
>>
>>> > Then again, there is a claim that on those you may not get a prefix at
>>> all (just a single IP6 address), and if you do, often its a /64 with no PD.
>>>
>>> IIRC, US Telcos even have separate billing for mobile
>>> tethering/hotspot, right? And IPv6 doesn't always work over that ways?
>>>
>>> Over here, it appears the tethering interface just bridges with the PDP
>>> interface, and the “clients” that connects gets a /128 GUA, shared with a
>>> single /64 with the SIM.
>>>
>>> > For security reasons, one of them has a rule to change the assigned
>>> IPv6 address space at least once every 4 hours.
>>>
>>> You mean conspiracy theories about big bro and “privacy”… It's not
>>> “security”.
>>>
>>> iPhones have built-in security, Ted Lemon can probably elaborate on
>>> that. Android, too, has built-in security, the Google folks here can
>>> probably elaborate on that.
>>>
>>> Nope, I am completely against conspiracy theories about “dynamic IP
>>> stops big bro from spying on you”. If big bro wants to “spy” on you, no
>>> amount of “dynamic IPs” is stopping that.
>>>
>>> *--*
>>> Best Regards
>>> Daryll Swer
>>> Website: daryllswer.com
>>> <https://mailtrack.io/l/ba62818f368e4ab91c6676b1a01e6088ea674e45?url=https%3A%2F%2Fwww.daryllswer.com&u=2153471&signature=b8dfc4abc306b3d8>
>>>
>>>
>>> On Sat, 10 Aug 2024 at 19:29, The Multach's <jmultach@swbell.net> wrote:
>>>
>>>> That triggered a memory about addressing on US cellular carriers, at
>>>> least one of which does this.
>>>>
>>>> Then again, there is a claim that on those you may not get a prefix at
>>>> all (just a single IP6 address), and if you do, often its a /64 with no PD.
>>>>
>>>> For security reasons, one of them has a rule to change the assigned
>>>> IPv6 address space at least once every 4 hours.
>>>>
>>>>
>>>> On 8/9/2024 9:33 PM, Brian E Carpenter wrote:
>>>>
>>>> On 10-Aug-24 11:34, Daryll Swer wrote:
>>>>
>>>>  > But I don't understand the statement "breaks SLAAC on the LAN". A
>>>> change of prefix renumbers the LAN, but that doesn't break SLAAC, it just
>>>> causes SLAAC to renumber everything. It will only break active sessions.
>>>>
>>>> It will break, on the host side, because they won't know to use the new
>>>> prefix, until the pref/valid values expire.
>>>>
>>>>
>>>> https://www.6connect.com/blog/is-your-isp-constantly-changing-the-delegated-ipv6-prefix-on-your-cpe-router/
>>>>
>>>>
>>>> Thanks, yes, I knew that of course but the description of that as
>>>> breaking SLAAC confused me. (When my ISP was changing prefixes after a CE
>>>> power cut and reboot, the issue was masked by other effects of the power
>>>> cut.)
>>>>
>>>> There's no reason to be promoting dynamic v6 prefixes, in addition to
>>>> the SLAAC context, this makes it painful, for end-users to host anything at
>>>> home, even basic SSH.
>>>>
>>>>
>>>> I completely agree.
>>>>
>>>>    Brian
>>>>
>>>>
>>>> *--*
>>>> Best Regards
>>>> Daryll Swer
>>>> Website: daryllswer.com
>>>> <https://mailtrack.io/l/8b190af15371d42cba28cde7db9581f1c207dde9?url=https%3A%2F%2Fwww.daryllswer.com&u=2153471&signature=0564b87de4f69994>
>>>> <https://mailtrack.io/l/8b190af15371d42cba28cde7db9581f1c207dde9?url=https%3A%2F%2Fwww.daryllswer.com&u=2153471&signature=0564b87de4f69994>
>>>>
>>>>
>>>> On Sat, 10 Aug 2024 at 04:56, Brian E Carpenter <
>>>> brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>
>>>> <brian.e.carpenter@gmail.com>> wrote:
>>>>
>>>>     [Public service announcement: as of now, I'm spam-filtering
>>>> messages with 'Digest' subject headers.]
>>>>
>>>>     My ISP used to change my prefix whenever there was a power cut and
>>>> the modem restarted. Now, it appears to be stable.
>>>>
>>>>     But I don't understand the statement "breaks SLAAC on the LAN". A
>>>> change of prefix renumbers the LAN, but that doesn't break SLAAC, it just
>>>> causes SLAAC to renumber everything. It will only break active sessions.
>>>>
>>>>     Regards
>>>>          Brian
>>>>
>>>>     On 10-Aug-24 10:13, Ted Lemon wrote:
>>>>      > In order to do this, they would have to not renew a previously
>>>> assigned prefix. I think some German telecoms used to do this as a privacy
>>>> message, but it was operationally very difficult because it doubled demand
>>>> for prefixes.
>>>>      >
>>>>      > Where are you seeing this irl, and how does it happen?
>>>>      >
>>>>      > Op vr 9 aug 2024 om 15:08 schreef Daryll Swer <
>>>> contact=40daryllswer.com@dmarc.ietf.org
>>>> <mailto:40daryllswer.com@dmarc.ietf.org>
>>>> <40daryllswer.com@dmarc.ietf.org> <
>>>> mailto:40daryllswer.com@dmarc.ietf.org
>>>> <40daryllswer.com@dmarc.ietf.org>
>>>> <mailto:40daryllswer.com@dmarc.ietf.org>
>>>> <40daryllswer.com@dmarc.ietf.org>>>
>>>>      >
>>>>      >     Tim, is there something we can do to encourage not only
>>>> "more than a /64", but also encourage "static ia_pd to ensure the customer
>>>> will not experience broken IPv6 connectivity due to ever changing
>>>> prefixes".
>>>>      >
>>>>      >     Too many ISPs out there do dynamic IPs and breaks SLAAC on
>>>> the LAN.
>>>>      >
>>>>      >     I feel this draft could be a powerful tool, in the hands of
>>>> the end user to get these ISPs doing the right way of IPv6 more often.
>>>>      >
>>>>      >     --
>>>>      >     Sent from my iPhone
>>>>      >
>>>>      >
>>>>      >     On Fri, 9 Aug 2024 at 7:37 PM, Timothy Winters <
>>>> tim@qacafe.com <mailto:tim@qacafe.com> <tim@qacafe.com> <
>>>> mailto:tim@qacafe.com <tim@qacafe.com> <mailto:tim@qacafe.com>
>>>> <tim@qacafe.com>>> wrote:
>>>>      >
>>>>      >         Yes.  I've seen several instances of /64 being used for
>>>> container networks on CPEs.
>>>>      >
>>>>      >         ~Tim
>>>>      >
>>>>      >         On Fri, Aug 9, 2024 at 9:38 AM The Multach's <
>>>> jmultach@swbell.net <mailto:jmultach@swbell.net> <jmultach@swbell.net>
>>>> <mailto:jmultach@swbell.net <jmultach@swbell.net>
>>>> <mailto:jmultach@swbell.net> <jmultach@swbell.net>>> wrote:
>>>>      >
>>>>      >             So are these considered a LAN link prefix assignment
>>>> under 7084 L2:
>>>>      >
>>>>      >             - Assignment of a /64 prefix for internal IPv6
>>>> communication between a
>>>>      >             primary SoC and a secondary chip (e.g., a Wi-Fi chip
>>>> which uses IPv6).
>>>>      >
>>>>      >             - Assignment of a /64 prefix for usage by an
>>>> internal container or VM.
>>>>      >
>>>>      >
>>>>      >             On 8/9/2024 7:56 AM, Timothy Winters wrote:
>>>>      >              >
>>>>      >              >
>>>>      >              > On Thu, Aug 8, 2024 at 10:58 PM The Multach's <
>>>> jmultach@swbell.net <mailto:jmultach@swbell.net> <jmultach@swbell.net>
>>>> <mailto:jmultach@swbell.net <jmultach@swbell.net>
>>>> <mailto:jmultach@swbell.net> <jmultach@swbell.net>>> wrote:
>>>>      >              >
>>>>      >              >     The following, while being user focused,
>>>> fails to take into
>>>>      >              >     account that
>>>>      >              >     some of those prefixes may be used internally
>>>> (or reserved for
>>>>      >              >     internal
>>>>      >              >     use) by the CPE or for ISP purposes and not
>>>> assignable:
>>>>      >              >
>>>>      >              >     "SHOULD" (or an elongated exception for the
>>>> above) would be more
>>>>      >              >     appropriate.
>>>>      >              >
>>>>      >              >     LPD-4: After LAN link prefix assignment the
>>>> IPv6 CE Router MUST
>>>>      >              >     make the
>>>>      >              >     remaining IPv6 prefixes available to other
>>>> routers via Prefix
>>>>      >              >     Delegation.
>>>>      >              >
>>>>      >              > I think this covers that case.   After local
>>>> assignment, unused
>>>>      >              > prefixes MUST be made available.
>>>>      >              > LPD-2:  The IPv6 CE Router MUST assign a prefix
>>>> from the delegated
>>>>      >              >            prefix as specified by L-2 [RFC7084].
>>>>      >              >
>>>>      >              > 7084
>>>>      >              >    L-2:   The IPv6 CE router MUST assign a
>>>> separate /64 from its
>>>>      >              >           delegated prefix(es) (and ULA prefix if
>>>> configured to provide
>>>>      >              >           ULA addressing) for each of its LAN
>>>> interfaces.
>>>>      >              >
>>>>      >              >
>>>>      >              >
>>>>  _______________________________________________
>>>>      >              >     v6ops mailing list -- v6ops@ietf.org
>>>> <mailto:v6ops@ietf.org> <v6ops@ietf.org> <mailto:v6ops@ietf.org
>>>> <v6ops@ietf.org> <mailto:v6ops@ietf.org> <v6ops@ietf.org>>
>>>>      >              >     To unsubscribe send an email to
>>>> v6ops-leave@ietf.org <mailto:v6ops-leave@ietf.org>
>>>> <v6ops-leave@ietf.org> <mailto:v6ops-leave@ietf.org
>>>> <v6ops-leave@ietf.org> <mailto:v6ops-leave@ietf.org>
>>>> <v6ops-leave@ietf.org>>
>>>>      >              >
>>>>      >
>>>>      >         _______________________________________________
>>>>      >         v6ops mailing list -- v6ops@ietf.org
>>>> <mailto:v6ops@ietf.org> <v6ops@ietf.org> <mailto:v6ops@ietf.org
>>>> <v6ops@ietf.org> <mailto:v6ops@ietf.org> <v6ops@ietf.org>>
>>>>      >         To unsubscribe send an email to v6ops-leave@ietf.org
>>>> <mailto:v6ops-leave@ietf.org> <v6ops-leave@ietf.org> <
>>>> mailto:v6ops-leave@ietf.org <v6ops-leave@ietf.org>
>>>> <mailto:v6ops-leave@ietf.org> <v6ops-leave@ietf.org>>
>>>>      >
>>>>      >     45efe8dfc775213ded0fc41c7d84ccccb0d6aa20
>>>> _______________________________________________
>>>>      >     v6ops mailing list -- v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>> <v6ops@ietf.org> <mailto:v6ops@ietf.org <v6ops@ietf.org>
>>>> <mailto:v6ops@ietf.org> <v6ops@ietf.org>>
>>>>      >     To unsubscribe send an email to v6ops-leave@ietf.org
>>>> <mailto:v6ops-leave@ietf.org> <v6ops-leave@ietf.org> <
>>>> mailto:v6ops-leave@ietf.org <v6ops-leave@ietf.org>
>>>> <mailto:v6ops-leave@ietf.org> <v6ops-leave@ietf.org>>
>>>>      >
>>>>      >
>>>>      > _______________________________________________
>>>>      > v6ops mailing list -- v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>> <v6ops@ietf.org>
>>>>      > To unsubscribe send an email to v6ops-leave@ietf.org
>>>> <mailto:v6ops-leave@ietf.org> <v6ops-leave@ietf.org>
>>>>
>>>>