IETF Logo Mail Archive

Re: [v6ops] Dual ISP deployment operational issues and uncertainties

Nick Buraglio <buraglio@es.net> Wed, 31 August 2022 21:37 UTC

Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97B7CC153391 for <v6ops@ietfa.amsl.com>; Wed, 31 Aug 2022 14:37:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.103
X-Spam-Level:
X-Spam-Status: No, score=-1.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_AFFORDABLE=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YA9oln-EK2Hy for <v6ops@ietfa.amsl.com>; Wed, 31 Aug 2022 14:37:28 -0700 (PDT)
Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D6E9C15AE39 for <v6ops@ietf.org>; Wed, 31 Aug 2022 14:32:13 -0700 (PDT)
Received: by mail-pf1-x436.google.com with SMTP id 72so15667994pfx.9 for <v6ops@ietf.org>; Wed, 31 Aug 2022 14:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc; bh=kMjSJgubJ5xXmzQ2L0XZbahBJ2fQ2iguYFGBFN59RfI=; b=mNvfGlRJmCTrwa+gjtdNJKiQ3dRI8HkI9aztF35qH9v0L3kiUGkM49Sa6ncaB3Ntns jZaL5Ewwp24rMfweFstYQULZXwd4f0V6k0YtrB7iJNKIPnUXhK3H1UEWUEoTKseseCSG XKm1r2pbxnRjeLBqyLOhHyrdOmmRp/IzOIPVobjalxRWPAu9Qs6yAXS1JlxXNhQ75lPO p9I/oEWj6OwA86bVThTiG9WUhxlHTZQv4OcmGqlkkhKsO+Ju8/wOLkj/3PjgJgUgb5hx U2Nb4C5v3LGVU7YqC98N69e9zR/BTJ1TolN0/he/Vhuz5rpQ3IYjZ/kTBVklq9A0g1xH GyWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=kMjSJgubJ5xXmzQ2L0XZbahBJ2fQ2iguYFGBFN59RfI=; b=tJUGLbv1atPhXOeADlzGGdf6aKSwcOoFjhVm9VK+lGwWK7HyghmFWXkQUz6nHizzqi cpjso0AR5RDovRxdxnsNV86CTH/EIIFgd2GL1te1j4LUa7uUy9/dU/+xGWbrJr8dfY8q Iw3T0vDczjJJybw78Gpd7A0NRj3obIxgEGAjW6m3PHNB9DiswRiytyrxVfzxaQjBAvYQ brRXPfAOMsX/xw4lKa7ElUWrkK2UlYOViSrJJsNq8ippdNXNav67AmToEBHCfOxJvSL5 fFc3jc0bm1e46VkPjfS13sg2qx7hNRaQ7diJj7o99qslhlXhOwvkdmPPxzdKvaNHr67t msOg==
X-Gm-Message-State: ACgBeo20kf6tcXF8fCypqt4tqNqNsP/2/bXR2HFlWzJdQLac7I2spNEk wvCs+tMWuBJHlTYlYc6rgcoCgqmPq8JIxgWYM2C5Vo4F5eGyakEC2NKcAN0wqjVPbSS87Otv9SS jCXNGD8MQFMREu73K10bUShrqA/TQGP9cUxn8hgOKeGpeIRPainMy3+XhfPtN0fb5bg/gCl4OkW I=
X-Google-Smtp-Source: AA6agR7GVBBAvv3One/0XjZ/U3YxxU9lnjuPSyA3VDX3BgBWZgtzYsYiUi3ZWYC8ZekKU5lajxuNqLxSIvmrMEvUwPw=
X-Received: by 2002:a63:d45:0:b0:42b:9fdc:1c27 with SMTP id 5-20020a630d45000000b0042b9fdc1c27mr18709273pgn.30.1661981532490; Wed, 31 Aug 2022 14:32:12 -0700 (PDT)
MIME-Version: 1.0
References: <28642990-c869-47fd-41d4-f43249b5f6dd@posteo.de> <0C5EAAF1-9657-4FB8-9323-1F6C350E8D45@employees.org> <1060ecee-a6b0-bddb-35b2-33f53a0126f8@gmail.com>
In-Reply-To: <1060ecee-a6b0-bddb-35b2-33f53a0126f8@gmail.com>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Wed, 31 Aug 2022 16:32:00 -0500
Message-ID: <CAM5+tA-BUfz2ujx-SyPAmMFYKiSi8bcY98mvEm1YWwnQxSa95A@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Ole Troan <otroan@employees.org>, Klaus Frank <klaus.frank@posteo.de>, v6ops@ietf.org, Kevin Myers <kevin.myers@iparchitechs.com>
Content-Type: multipart/alternative; boundary="000000000000de922005e7903af5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/KLco291CsytXvDGa-GBd1y5JOh8>
Subject: Re: [v6ops] Dual ISP deployment operational issues and uncertainties
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2022 21:37:32 -0000

I have been working on exactly this problem recently. Given the **current**
landscape of affordable, widely available options, there aren't many. If
one were to need to get this working today, what I have found is this:

Multi-netting:
* Prefix preference is hairy, not well understood, and poorly supported in
a way that makes it easily deployed.
* Multi-netting is wrought with lack of awareness and that will make most
security teams balk at it.
* It's fairly onerous for an operations team to support at the first level
due to it being so foreign of a concept when a NOC is used to legacy IPv4.
* It suffers from the same issues that exist with DNS application support,
RR failover is not always great making timeouts a thing, leading to
perceptions of performance degradation or poor user experience.
* *Many* devices are unable to support it in a way that a given engineer
can deal with, or have unexposed knobs, making it largely unsupportable.

NPTv6
My preferred option, but not well supported in most smaller devices with a
few exceptions.
* I've never seen it in a provider issued CPE, ONT+Router, even in most of
the MetroE gear that I have seen*
* Where it is available there are odd bit-shifting issues when both
allocations are not the same, i.e. not a /48. This seems to kinda-sorta
work but I'd never, ever try to support it at scale as it is available
today given that most providers in this level of space, at least in
North America, tend to delegate at most a /56 to a level of service that
would be in use for something like a SD-WAN solution.
* Lacks a way to make it work with address space that is not myred in other
operational problems (i.e. ULA doesn't work for this in dual stacked
networks that have diverse devices or embedded/OT systems with no mechanism
for adjusting address selection)

NAT66
My own deployments are using this for the backup link. It's my last choice,
but it works without breaking outbound traffic, which let's be honest,
that's that we're mostly talking about for these use cases - eyeball
networks or soho/small biz deployments where they need to connect to a DC
or cloud system "somewhere on the internet". Rarely have I seen the
requirement for inbound connectivity. This has the advantage of being
incredibly easy to set up, works as designed, and for ensuring backup
connectivity in a primary link outage, it is largely seamless.

I will say that I begrudgingly came to what I can only assume will be an
unpopular solution here, but it's what is easily available now, and can be
supported with almost no overhead. This also works for IPv6-only client +
NAT64 networks, which is how some of the testing was done.

Assumptions made:
All IPv6 is PA space
Backup link is not ECMP or load sharing - it is simply for backup
At least one service has native IPv6 (I have also done this via a tunnel on
the backup over an IPv4-only network)
CPE must be available, commercially supportable, and well known (i.e. not a
linux system or a random DDWRT box)



----
nb

ᐧ

On Wed, Aug 31, 2022 at 3:56 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 31-Aug-22 19:00, Ole Troan wrote:
> >
> >> Limitations with UPNPv6 and other limitations with the discovery. Or
> just because the NAT discovery is bypassed as E2E is assumed for IPv6
> (otherwise you could just stick with IPv4 and wouldn't have to migrate from
> a use-case perspective; Also one of the main selling-points of IPv6 is the
> reduced complexity by not needing to implement complex NAT detection and
> traversal techniques)
> >
> > Given the apparent success of NAT64, it’s not at all obvious that IPv6
> applications will not need the same level of NAT/firewall traversal logic
> that IPv4 applications require.
>
> Absolutely, but are code paths in the end-node applications affected? I
> thought NATs were supposed to act as if they were transparent :-).
>
> I must confess that I have never understood STUN properly, but RFC8489
> appears to cover IPv6 already.
>
> > I would also expect that other “middle boxes” in an IPv6 network that
> require traversal is at a level with IPv4.
>
> Yes, the code paths in any NAT-aware middleboxes would be affected. But
> since NAT66 is already a thing in the real world, if not in the IETF, I
> would expect this to be taken care of.
>
>     Brian
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email