Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

"Arie Vayner (avayner)" <avayner@cisco.com> Mon, 12 August 2013 17:37 UTC

To: Lorenzo Colitti <lorenzo@google.com>
Cc: v6ops@ietf.org
Message-ID: <CA6D42D0F8A41948AEB3864480C554F104AEB134@xmb-rcd-x10.cisco.com>

Actually, you can use NPTv6 to protect against it...
If I have an external pool per site, traffic egressing that site would get a source address that is routed back only to that site... Am I missing something?

I agree there could be other ways to solve it, but this is how many enterprises solve it today with IPv4...

Arie

From: Lorenzo Colitti [mailto:lorenzo@google.com]
Sent: Sunday, August 11, 2013 22:35 PM
To: Arie Vayner (avayner)
Cc: Eric Vyncke (evyncke); Fred Baker (fred); v6ops@ietf.org
Subject: Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

On Fri, Aug 9, 2013 at 2:21 PM, Arie Vayner (avayner) <avayner@cisco.com> wrote:
Many enterprises rely on NAT on the Internet edge as their multi-homing/traffic engineering mechanism with IPv4.

If we recommend against ULA+NPTv6 (or just NPTv6 for traffic engineering), then we need to highlight the symmetry requirement due to stateful security layers.
Traffic leaving from an Internet gateway site to the Internet has to come back through the same site, or the stateful firewalls would break the flow (well, has to hit the same stateful security layer)

By itself, NPTv6 doesn't protect against this problem because it's not stateful. It only protects against this problem if each egress point is only reachable using one prefix (which is not a requirement for doing NPTv6 - you could just as well do it by configuring all the exit points to use the same prefix, or to use all prefixes from all exit points).

What does protect you against this is using source+destination routing, which is what this draft should recommend instead of recommending NPTv6.
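The following Python is an added illustration of the disagreement above; it is not code from the draft or from either poster. It models two Internet exits, each running NPTv6 (the RFC 6296 checksum-neutral /48 mapping) in front of a stateful firewall, and an Internet that hands the reply to whichever exit announces the translated prefix. The site names, ULA and global prefixes, host and server addresses, and the "the Internet prefers the first announcer" tie-break are constructed assumptions.

```python
"""Flow symmetry across two IPv6 exits, each an NPTv6 translator in front of a
stateful firewall. Added illustration; prefixes, site names, addresses and the
Internet's tie-break rule are constructed, not taken from the draft or mails."""
import ipaddress
import struct


def _words(addr):
    return list(struct.unpack("!8H", addr.packed))


def _ones_add(a, b):
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_sum(words):
    total = 0
    for w in words:
        total = _ones_add(total, w)
    return total


def nptv6(addr, from_prefix, to_prefix):
    """Checksum-neutral /48 prefix translation (RFC 6296 section 3.1): swap
    the prefix, then adjust the subnet word (bits 48..63) so the one's
    complement sum of the address, and so every transport checksum over it,
    is unchanged. Symmetric: swap the prefixes to translate the reply."""
    addr = ipaddress.IPv6Address(addr)
    from_prefix = ipaddress.IPv6Network(from_prefix)
    to_prefix = ipaddress.IPv6Network(to_prefix)
    assert from_prefix.prefixlen == 48 == to_prefix.prefixlen and addr in from_prefix
    w = _words(addr)
    old = _words(from_prefix.network_address)[:3]
    new = _words(to_prefix.network_address)[:3]
    adjust = _ones_add(_ones_sum(old), ~_ones_sum(new) & 0xFFFF)  # sum(old) - sum(new)
    w[0:3] = new
    w[3] = _ones_add(w[3], adjust)
    if w[3] == 0xFFFF:  # 0xFFFF and 0x0000 are the same one's complement value
        w[3] = 0
    return ipaddress.IPv6Address(struct.pack("!8H", *w))


class Site:
    """One exit: NPTv6 between the ULA inside and a per-site global pool, plus
    a stateful firewall that only admits replies to flows it has seen leave."""

    def __init__(self, name, internal, external):
        self.name = name
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        self.flows = set()  # (translated source, destination) of outbound flows

    def send(self, src, dst):
        ext_src = nptv6(src, self.internal, self.external)
        self.flows.add((ext_src, dst))
        return ext_src

    def receive_reply(self, src, dst):
        """Inside address the reply is forwarded to, or None when this
        firewall holds no state for the flow and drops it."""
        if (dst, src) not in self.flows:
            return None
        return nptv6(dst, self.external, self.internal)


def internet_route(announcements, dst):
    """Deliver to the site announcing the longest prefix covering dst; on a
    tie (same prefix from several exits) the Internet happens to prefer the
    announcer listed first."""
    best = None
    for site, prefix in announcements:
        prefix = ipaddress.IPv6Network(prefix)
        if dst in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = (site, prefix)
    return best[0] if best else None


def round_trip(egress, announcements, src, dst):
    """src talks to dst via egress; the Internet routes the reply by its
    destination, i.e. the translated source. Returns (site that received
    the reply, inside address it was delivered to, or None if dropped)."""
    ext_src = egress.send(src, dst)
    reply_site = internet_route(announcements, ext_src)
    return reply_site.name, reply_site.receive_reply(dst, ext_src)


INTERNAL = "fd00:1234:5678::/48"            # constructed ULA
A = Site("A", INTERNAL, "2001:db8:a::/48")  # constructed per-site pools
B = Site("B", INTERNAL, "2001:db8:b::/48")
HOST = ipaddress.IPv6Address("fd00:1234:5678:1::10")
SERVER = ipaddress.IPv6Address("2001:db8:ffff::1")


def per_site_pool():
    """Each exit announces only its own pool: the reply can only come back
    through the site whose firewall holds the state."""
    return round_trip(A, [(A, A.external), (B, B.external)], HOST, SERVER)


def shared_pools():
    """Every exit announces every pool (or one shared prefix): nothing pins
    the reply to A any more, and B drops it for lack of state."""
    everywhere = [(B, A.external), (B, B.external), (A, A.external), (A, B.external)]
    return round_trip(A, everywhere, HOST, SERVER)
```

`per_site_pool()` returns `('A', HOST)`: the host's fd00:1234:5678:1::10 leaves A as 2001:db8:a:37eb::10 (the subnet word moves from 1 to 37eb to keep the checksum), and since only A announces 2001:db8:a::/48 the reply lands on A's firewall, which has the state. `shared_pools()` returns `('B', None)`: the same packet, the same translation, but the Internet prefers B for the reply and B has no state. The translation itself is identical in both runs; what makes the first one work is that each exit is reachable through exactly one prefix and the exit is chosen to match that prefix. Routing on source plus destination with per-site global prefixes gives the same pinning without any translation.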