IETF Logo Mail Archive

Re: [v6ops] Thoughts about wider operational input

Mark Andrews <marka@isc.org> Wed, 23 March 2022 21:51 UTC

Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CEF53A1139 for <v6ops@ietfa.amsl.com>; Wed, 23 Mar 2022 14:51:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=quBvAINh; dkim=pass (1024-bit key) header.d=isc.org header.b=eBuZMMMB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVMdvXJ__gH5 for <v6ops@ietfa.amsl.com>; Wed, 23 Mar 2022 14:51:26 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC9CC3A1138 for <v6ops@ietf.org>; Wed, 23 Mar 2022 14:51:25 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 1D5193AB00B; Wed, 23 Mar 2022 21:51:24 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 1D5193AB00B
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1648072284; bh=0aBHrKT7YKEdrM7kPWjXVShWw2h9UDuUjBW/Vye1IBQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=quBvAINhBisPgc2V/bX9Icvt9NJXPEOKvHmmz4EyKNa1I/PfSyNCST9qf8IxSp4mJ qlr0qR9x0bHzmCliEGwS106zcfWS8xvxRybgXvFDc9nwKp2WiWTqapSOrk+DZqtbtF Ycyh0YcroKLIm7g8iAMJFHurYfzsI9IKqxqa7aD8=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 30CD0110247A; Wed, 23 Mar 2022 21:50:42 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 0083111026DC; Wed, 23 Mar 2022 21:50:41 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 0083111026DC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1648072242; bh=0/XopStkCpD92dMX64BBygMOzf/LwxxLHdQChaishEU=; h=Mime-Version:From:Date:Message-Id:To; b=eBuZMMMBSC34LDZgAYq1xXLxqE516I49zBHejAZbcd5ObKnM7Tq27p12rTDhklRia N/XApnv9ZYZLoZ0cPhtE4942h/8vNqPNPMmQNvM/Erl32YtOh6DosGnjgp4kmDELdJ Omk88h2ULqv4bkfnLAfFCWfukuAeVLevULHIxaz0=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id VpTtAQJFqGkm; Wed, 23 Mar 2022 21:50:41 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id E9301110247A; Wed, 23 Mar 2022 21:50:40 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <bfac221410ef48e38658ca39b16e652e@huawei.com>
Date: Thu, 24 Mar 2022 08:51:20 +1100
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, "buraglio@es.net" <buraglio@es.net>, "v6ops@ietf.org" <v6ops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2F11CE65-4F57-4060-977F-9C26BA1E331B@isc.org>
References: <8f918356-89ce-e2a1-a807-7d382568db0a@gmail.com> <5A071DCB-DFDC-47F7-85B3-8C9E58B691DA@isc.org> <bfac221410ef48e38658ca39b16e652e@huawei.com>
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Kd59n4adSh4YCDfyhAOfw1AqAQE>
Subject: Re: [v6ops] Thoughts about wider operational input
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 21:51:32 -0000

Happy Eyeballs works well enough for TCP.  For other transports not so much.

As for the text, yes it should have been updated when the table was updated.

> On 24 Mar 2022, at 08:21, Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> 
> Hi Mark,
> Happy Eyeballs would easily handle all situations when ULA is between GUA and IPv4 on priority.
> Imagine that only ULA and IPv4 are available, but GUA is not. HYv2 should select 1 IPv6 and 1 IPv4 for initial competition.
> If ULA has NPT then it would win (because of 50ms), if ULA is local-only then IPv4 would win.
> Everything is fine because HYv2 should try both address spaces.
> 
> But you are right in general.
> If no HYv2 on the host then the host would choose only ULA. If ULA is local-only then would be no internet connectivity.
> 
> IMHO: it means that some aspects of HYv2 should be incorporated into RFC 6724bis. To satisfy all scenarios.
> 
> By the way, it does not contradict with Brian said: RFC 6724 has no consistency between English text and policy table in section 2.1.
> It is for sure Errata.
> 
> Eduard
> -----Original Message-----
> From: Mark Andrews [mailto:marka@isc.org] 
> Sent: Wednesday, March 23, 2022 11:48 PM
> To: Brian E Carpenter <brian.e.carpenter@gmail.com>
> Cc: buraglio@es.net; Vasilenko Eduard <vasilenko.eduard@huawei.com>; v6ops@ietf.org
> Subject: Re: [v6ops] Thoughts about wider operational input
> 
> The table is designed to be patched for local topology. You add in the local ULA prefixes before IPv4.  The default will allow connection to succeed provided hosts and links are up and configured as expected on the first attempt.   If you push ULA above IPv4 and you have a non reachable ULA you are need fast failover to the next address. 
> 
> The OP complaint about the table indicates lack of understanding of what is intended. 
> 
> Note there are defined mechanisms for distributing a more site specific table. The OS and administrators should avail themselves of them.  A node doesn’t necessarily have the requisite knowledge to do this for itself (multiple ULA prefixes reachable). It can add directly connected prefixes. 
> --
> Mark Andrews
> 
>> On 24 Mar 2022, at 07:07, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>> 
>> Eduard, you wrote:
>> 
>>> I am puzzled why ::ffff:0:0/96 has been treated as IPv4? Strange interpretation.
>> 
>> Not at all strange. By definition (see RFC4291, section 2.5.5.2) that 
>> is the entire
>> IPv4 address space, respresented as an IPv6 prefix.
>> 
>> The problem is that RFC 6724 asserts that it sets IPv6 precedence 
>> above IPv4, but in fact it sets ULA precedence below IPv4. That is a 
>> glaring error in RFC 6724 - either text is wrong or the table is 
>> wrong. The behaviour that Nick reports is conformance to the default 
>> table in RFC 6724, which is non-confromance to the text.
>> 
>> Regards
>>  Brian Carpenter
>> 
>>> On 24-Mar-22 02:53, Nick Buraglio wrote:
>>> My testing and experience has shown this, yes, and I know others have 
>>> had this experience as well.
>>> nb
>>>> On Wed, Mar 23, 2022 at 3:37 AM Vasilenko Eduard 
>>>> <vasilenko.eduard@huawei.com> wrote:
>>>> 
>>>> Nick has given a URL with a detailed explanation. It has:
>>>> "ULA per RFC 6724 is less preferred (the Precedence value is lower) than all IPv4 (represented by ::ffff:0:0/96 in the table)."
>>>> I am puzzled why ::ffff:0:0/96 has been treated as IPv4? Strange interpretation.
>>>> The same section 2.1 has: "
>>>> Another effect of the default policy table is to prefer
>>>>   communication using IPv6 addresses to communication using IPv4
>>>>   addresses, if matching source addresses are available.
>>>> "
>>>> Nothing is stated about IPv6 type, "any" is assumed (including ULA).
>>>> 
>>>> Nick, are you sure that IPv4 prioritization over IPv6 ULS is really the case for real OSes?
>>>> If yes, IMHO: it is the bug in implementation (non-compliance to RFC 6724).
>>>> 
>>>> /Ed
>>>> -----Original Message-----
>>>> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Brian E 
>>>> Carpenter
>>>> Sent: Tuesday, March 22, 2022 11:48 PM
>>>> To: buraglio@es.net; Ted Lemon <mellon@fugue.com>
>>>> Cc: v6ops@ietf.org
>>>> Subject: Re: [v6ops] Thoughts about wider operational input
>>>> 
>>>> Nick,
>>>> 
>>>> Where is the "prefer IPv4 over ULA" preference coded (whereas, presumably, "prefer IPv4 over GUA" is not coded)?
>>>> 
>>>> Regards
>>>>    Brian Carpenter
>>>> 
>>>> On 23-Mar-22 09:35, Nick Buraglio wrote:
>>>>> Yes, I know I have harped on this many times and have posted some 
>>>>> simple examples of the behavior to the list. My experience has 
>>>>> been, and continues to be, that if I have dual stacked hosts with A 
>>>>> and AAAA records, and the IPv6 clients are using ULA that IPv6 is never used.
>>>>> In an IPv6-only environment ULA has no higher priority protocol to 
>>>>> supersede the ULA. In the context of transitioning to an IPv6 
>>>>> world, it is fairly unrealistic to assume any kind of greenfield, 
>>>>> and dual-stack
>>>> is by and large the standard "permanently temporary" solution for 
>>>> the vast majority of implementations. So in this context, which has 
>>>> been 99% of what I have seen until I began working on the IPv6-only 
>>>> implementation
>> mandated by the USG OMB-M-21-07 document, that was the de facto standard (and will continue to be for enterprise deployments, in my opinion).
>>>>> I would be happy to be incorrect about this, honestly it would make 
>>>>> my work-life easier if I was. So, yes, I fully acknowledge that 
>>>>> your use case is absolutely the right one for ULA. For doing a 
>>>>> transition in an existing network (which circles back the the 
>>>>> original topic of this
>>>>> thread: getting enterprises to use IPv6 in a meaningful way), this 
>>>>> is a really
>>>> well put together descriptions of the every-day implications of 
>>>> trying
>> to use ULA:
>>>>> https://blogs.infoblox.com/ipv6-coe/ula-is-broken-in-dual-stack-net
>>>>> wor
>>>>> ks/
>>>>> <https://blogs.infoblox.com/ipv6-coe/ula-is-broken-in-dual-stack-ne
>>>>> two
>>>>> rks/>
>>>>> 
>>>>> nb
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Tue, Mar 22, 2022 at 3:20 PM Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>> wrote:
>>>>> 
>>>>>    I'm sure you believe this assertion, Nick, but you haven't 
>>>>> given us
>>>> any way of understanding why you believe this. In fact we're using 
>>>> ULAs in the Thread Border Router to enable IPv6 communication 
>>>> between different subnets, which literally could not be done with 
>>>> IPv4. So at least for
>> this use case, ULAs work well. Would it work better to have a GUA? Comme ci comme ça. On the one hand, prefix delegation and real routing would make the solution more general. On the other, GUAs are great for reaching out to the internet, which we may or may not want light bulbs to be able to do.
>>>>> 
>>>>>    On Tue, Mar 22, 2022 at 9:13 PM Nick Buraglio <buraglio@es.net <mailto:buraglio@es.net>> wrote:
>>>>> 
>>>>>        ULA is an operational non-starter in the presence of any dual stacked hosts.  Per its design, it just won't ever use IPv6 in any meaningful way and that time and effort are better served on adding GUA addressing of one kind or another.
>>>>> 
>>>>>        nb
>>>>> 
>>>>> 
>>>>> 
>>>>>        On Tue, Mar 22, 2022 at 2:55 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>>>>> 
>>>>>            Hi Gert,
>>>>> 
>>>>>            I see that the discussion has been going on while I was sleeping, but I want to clarify below...
>>>>>            On 22-Mar-22 21:30, Gert Doering wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> On Tue, Mar 22, 2022 at 11:42:12AM +1300, Brian E Carpenter wrote:
>>>>>>> I agree with Jordi that multihoming is a genuine impediment. What isn't generally realised is that it's a problem of scale when considering at least 10,000,000 enterprises, much more than it's a problem of IPv6 itself.
>>>>>> 
>>>>>> What is "an enterprise"?
>>>>>> 
>>>>>> My stance on this is that for "largely unmanaged 
>>>>> SoHo
>> networks" - which
>>>>>> could be called "small enterprise" - 
>>>>> dual-enduser-ISP
>> with dual-/48 or
>>>>>> NPT66 gets the job done in an easy and scalable way (HNCP would have
>>>>>> been great, but IETF politics killed it).
>>>>>> 
>>>>>> "Enterprise that truly need their own independent fully managed network
>>>>>> with multiple ISP uplinks and fully routed independent address space"
>>>>>> are probably way less than 10 million...
>>>>> 
>>>>>            I came up with 10 million quite some years ago as a reasonable estimate
>>>>>            of the number of medium to large businesses in the world, all of which
>>>>>            might depend on *reliable* Internet access to survive (and WfH during
>>>>>            COVID has made this even more important recently). So all of them
>>>>>            should have two independent paths to the Internet to 
>>>>> assure
>>>> reliability.
>>>>>            That means two different ISPs (or less good, two 
>>>>> completely
>>>> independent
>>>>>            paths to the same ISP).
>>>>> 
>>>>>            So, if PI addressing is the answer, that really does take us to
>>>>>            10M /48s to be routed.
>>>>> 
>>>>>            If PA is the answer, that's why I worked on SHIM6 (may it rest in
>>>>>            peace). Which is why I worked on RFC 8028. If that's 
>>>>> not
>> the
>>>>>            answer, we're back to NPTv6. Possibly even to ULA+NPTv6.
>>>>> 
>>>>>> Half of them do not want Internet access anyway, 
>>>>> just
>> access to their
>>>>>> ALGs that will do the filtering and TLS inspection and everything, and
>>>>>> then out to the Internet as a new TCP session (= 
>>>>> could
>>>> be done with
>>>>>> DMZ islands of upstream-provider-allocated space 
>>>>> just
>> fine).
>>>>>> 
>>>>>> 
>>>>>> We need to work on our marketing regarding multihoming.  "What is it that
>>>>>> you get, what is the cost, which of the variants do you want, and why...?"
>>>>> 
>>>>>            Yes.
>>>>>                 Brian
>>>>> 
>>>>>            _______________________________________________
>>>>>            v6ops mailing list
>>>>>            v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>>>            https://www.ietf.org/mailman/listinfo/v6ops
>>>>> <https://www.ietf.org/mailman/listinfo/v6ops>
>>>>> 
>>>>>        _______________________________________________
>>>>>        v6ops mailing list
>>>>>        v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>>>        https://www.ietf.org/mailman/listinfo/v6ops
>>>>> <https://www.ietf.org/mailman/listinfo/v6ops>
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>> 
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email