IETF Logo Mail Archive

Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]

Daryll Swer <contact@daryllswer.com> Sun, 24 December 2023 02:37 UTC

Return-Path: <contact@daryllswer.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC14C14F5E6 for <v6ops@ietfa.amsl.com>; Sat, 23 Dec 2023 18:37:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=daryllswer.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jv6c1XZCKufY for <v6ops@ietfa.amsl.com>; Sat, 23 Dec 2023 18:36:59 -0800 (PST)
Received: from mail-oa1-x2e.google.com (mail-oa1-x2e.google.com [IPv6:2001:4860:4864:20::2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C9EEC14E513 for <v6ops@ietf.org>; Sat, 23 Dec 2023 18:36:58 -0800 (PST)
Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-2045bedb806so998912fac.3 for <v6ops@ietf.org>; Sat, 23 Dec 2023 18:36:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=daryllswer.com; s=google; t=1703385417; x=1703990217; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FxySdBd7JDBUya2wl6eYFf4DBXRi4LrQqvPkzyWnvjM=; b=YEV9JoqfjfOLnrqxREHEuTvkTfLDgz8mGORcpe6D7wneown1VnQ5SpEy6olvnzox5h imj38GFblYzNcK/PbzbfNh4kF55zs1Aihnt0kJpYnsWmhpmS2bW8z/QDD5Dd2/oyQuXf IbtnGpw7TaOT52QGdRjWR/HreYywIAzRsax4qmK079Bqu96gBi+iiDtCtmVjUTPmW1IR RtnlSXHXTnesMRnxfP3cI/tjQISHlin7A/HsoIALpcO2yvOsBTsNx7/ubpXmdp8BmqGN /aT4OIfonZLQZKKJrFD/HmfOW8iU0i2XziuUiyFKBXXq/e1RVuG90mlly/7lQwOCBLN3 3ZtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703385417; x=1703990217; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FxySdBd7JDBUya2wl6eYFf4DBXRi4LrQqvPkzyWnvjM=; b=H5Al7lj3Erq0Mmjw1F6OlPBwbl+ju9Y2oNU06zH3aIW7aHHpv5lK2d6zOSx5RsKMM2 AWLP+UuBNphypXqIC66pO0txAP6EbzBzWo9LGHbZjHTLAR5J8FUq/r1Fg6fZ//YTS7xC 6IQZ1wAiFbRbJiCROtut8vXQPe6n5ud3nCFkujhKKiKYelfphexXIAsz4P+urpMOWf/I fJmRJfq/YmFA48biX/bQwr5/uWAIEgBKvBP0yeVGbYl+vFZMdVre/8ihmc1sw1Mf4arR ee+TWLCSSQFEFpjqoECu8R1uh/fvcW/S/K8L+PVNy6ADfZBgoUimCv6qdo+rjN6EDQml 9ZfA==
X-Gm-Message-State: AOJu0YyniOzFcb5KQiMun9XzFRXJgEi1cB83Dp7NFRDW9gm9i5pfYD3P G281ASQJd2O7gGAl8EqPTqxVEJExMa0Zq+3QTblx4e2qb4XiJg==
X-Google-Smtp-Source: AGHT+IF4W1JGrJ61AzgzTirAT1AYGLj4fH2ntwRr3Nf8OkNoK2MuZgdCtMCTpM5iZOpFPvJfx08CuA==
X-Received: by 2002:a05:6870:2050:b0:203:3016:2f56 with SMTP id l16-20020a056870205000b0020330162f56mr5361358oad.45.1703385417159; Sat, 23 Dec 2023 18:36:57 -0800 (PST)
Received: from mail-oo1-f48.google.com (mail-oo1-f48.google.com. [209.85.161.48]) by smtp.gmail.com with ESMTPSA id h6-20020a9d6a46000000b006d9d8abcdeesm1183282otn.40.2023.12.23.18.36.56 for <v6ops@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 23 Dec 2023 18:36:56 -0800 (PST)
Received: by mail-oo1-f48.google.com with SMTP id 006d021491bc7-5942cf8cf9dso1808005eaf.1 for <v6ops@ietf.org>; Sat, 23 Dec 2023 18:36:56 -0800 (PST)
X-Received: by 2002:a05:6358:290b:b0:173:22a:635a with SMTP id y11-20020a056358290b00b00173022a635amr5143289rwb.30.1703385416161; Sat, 23 Dec 2023 18:36:56 -0800 (PST)
MIME-Version: 1.0
References: <CACyFTPHbCc00z36PRSUCsP=8Av=z4Ms0KHwk1Rxd=19TXzdyhg@mail.gmail.com> <CAPt1N1=82h05qZRqhtDirXwS1Fvz8OPt0iFRWasFHMXkEp4Fuw@mail.gmail.com> <CACyFTPFJ=CjiYbZjdF8T63a14SgeNAKaAQeTVSbAxde4J9ZfRQ@mail.gmail.com> <CAO42Z2zfzwx2NuCYZh_-ncTvmQ0T1+AsOi540RQ2BjQC0w6Kkg@mail.gmail.com> <ZYSv6CZllItMyNSQ@Space.Net> <CAO42Z2y-zKtWWJXX837RfD9XuxKaXkhg75TiEGHF=hFdnnsydQ@mail.gmail.com> <CACyFTPHDhrANP+tssS3x14Dm19TiyAYpeEF=sZdLJsrwUpAWjw@mail.gmail.com> <CAPt1N1nFk1QYmcJe4vmnj_vKp2EZ8iLipcrW3QixPKayER50LA@mail.gmail.com> <8d990f81-d4ae-b602-1f58-a0aa0fc9de28@gmail.com> <CAO42Z2wBZ3EQVtH0-EBsDhkR8owCpxTAJZJE59pVC5-jSMjUzA@mail.gmail.com> <ZYayNL9kuwH37EqP@Space.Net> <CACyFTPEn2ag2ZtgFag1N+0MqJbagw6HzYkVw0rC=0VV+DDCm+g@mail.gmail.com> <8fb2c7c5-938c-3728-17c9-85e7004883e6@gmail.com> <CACyFTPHWCCLsiUT0GEuvpq5fhnaDdD-w910x3R0wMprUGnZ9nA@mail.gmail.com> <CAO42Z2z9bFemih_0_wDa8TA1ez4zSnACF6gU5yU74rknHKCwgw@mail.gmail.com> <CACyFTPGXNyhBHV_w0Uj3QQdz3OCQ-hqtAmPNNNgUKCFGoEbxow@mail.gmail.com> <CAPt1N1kQB9PYrt70vRTQT=cgvVOaRms=+OsH117_-H9Uj9kS1A@mail.gmail.com>
In-Reply-To: <CAPt1N1kQB9PYrt70vRTQT=cgvVOaRms=+OsH117_-H9Uj9kS1A@mail.gmail.com>
From: Daryll Swer <contact@daryllswer.com>
Date: Sun, 24 Dec 2023 08:06:18 +0530
X-Gmail-Original-Message-ID: <CACyFTPGMOC_ng3eSuxLyKytCa=RRpqqKVW_a=_wairNmVBV_uQ@mail.gmail.com>
Message-ID: <CACyFTPGMOC_ng3eSuxLyKytCa=RRpqqKVW_a=_wairNmVBV_uQ@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a55f34060d3852a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/KqRjOLujoCUXitMO6Iyaq80Ef6E>
Subject: Re: [v6ops] Why should IP networks be different? [DHCP Option 108 Issue with Mac and iOS devices]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Dec 2023 02:37:03 -0000

> FWIW there is a proposal in the dhc working group to solve this by
registering SLAAC addresses using dhcp. If this would solve your problem,
maybe you could help out with that instead of complaining here.
I was not aware of this particular proposal, until now. Now this, this
looks like a real viable solution vs the NDP Table export or SNMP trap idea.

I will check it out, from a quick glance, it does appear to be in a good
state already from the early draft.

*--*
Best Regards
Daryll Swer
Website: daryllswer.com
<https://mailtrack.io/link/aadd307e57bc61783bb3f85b9d77d7966cdbf5a6?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=2266e815b82545f3>


On Sun, 24 Dec 2023 at 07:23, Ted Lemon <mellon@fugue.com> wrote:

> FWIW there is a proposal in the dhc working group to solve this by
> registering SLAAC addresses using dhcp. If this would solve your problem,
> maybe you could help out with that instead of complaining here. If it would
> not, then it would be helpful for the working group to understand why not.
>
> Op za 23 dec 2023 om 19:42 schreef Daryll Swer <contact=
> 40daryllswer.com@dmarc.ietf.org>
>
>> Mark
>>  SLAAC
>> > State synchronisation is hard.
>> It wouldn't be so hard if DHCPv6-related improvements were allowed to
>> come to fruition in the past 10 years, should SLAAC agenda not exist.
>>
>> > Another reason is fate sharing.
>> >
>> > A third reason is overhead of running a database server to allocate
>> addresses.
>> >
>> > A forth reason is running heavier weight clients to do database
>> transactions.
>> >
>> > SLAAC moves the processing and data that would be performed and stored
>> on a DHCPv6 server and distributes that per host processing and data to the
>> individual hosts.
>> >
>> > That means no requirement for a centralised database, nor any database
>> synchronisation requirements for redundancy.
>> >
>> > That means that failure of a host only affects the addressing state if
>> that host itself. Hosts don't share any addressing system fate with each
>> other or a database server.
>>
>> All trade-offs, a lot of enterprises are willing to make. Who exactly are
>> you (all the SLAAC agend-ists) to try to tell money-making businesses
>> globally, on how they should operate their business from a network
>> standpoint? The decision on the 'how' should be made by the respective
>> business as they see fit to match their technical and/or financial
>> requirements.
>>
>> SLAAC is not a one-size fits all solution. There's no such thing as a
>> “one-size fits all solution”.
>>
>> > Those are the technical benefits of a stateless address allocation
>> scheme
>> Financial benefits > technical benefits when decisions are required to be
>> made. Businesses operate on Excel sheets, not SLAAC vs DHCPv6 route count
>> in the routing table.
>>
>> Try deploying your SLAAC-based purist ideology in enterprises and “public
>> access networks” in economies like mine, let me know how it goes:
>> 1. Financially
>> 2. Technical scalability of vendor-specific implementations (also ties to
>> #1)
>> 3. All and any layer 8 overhead that comes with it
>>
>> All I see is Ivory Tower outlook-oriented arguments…
>>
>> You, apparently, missed the vendor warnings (“Problem 2”), storage cost
>> issue (“Problem 3”) and the fact that Google enterprise Cloud uses
>> DHCPv6 that I mentioned here
>> <https://mailarchive.ietf.org/arch/msg/v6ops/DFlzSXGxOldd-rK9kUz3FofLS0o/>
>> .
>>
>> *--*
>> Best Regards
>> Daryll Swer
>> Website: daryllswer.com <https://www.daryllswer.com>
>>
>>
>> On Sun, 24 Dec 2023 at 05:52, Mark Smith <markzzzsmith@gmail.com> wrote:
>>
>>>
>>>
>>> On Sun, 24 Dec 2023, 10:23 Daryll Swer, <contact=
>>> 40daryllswer.com@dmarc.ietf.org> wrote:
>>>
>>>> Brian
>>>>
>>>> Yeah, you're spot on, at least for certain economies.
>>>>
>>>> I should note that in my economy, “public access network” or “public
>>>> Wi-Fi” are required by law to take your mobile phone number and/or
>>>> government issued ID. I.e., you can't access the internet without verifying
>>>> the entered phone number through OTP or without the government issued ID.
>>>>
>>>> Now you might say, but phone numbers can be burners, not quite. Not in
>>>> my country, any more, due to various terrorist attacks from 2000s-2010s
>>>> era, that heavily relied on burner numbers to coordinate, the government
>>>> has made it virtually if not outright illegal to get a burner number.
>>>> Essentially, one cannot obtain a SIM card or e-SIM without government
>>>> issued ID, prior to 2010s era.
>>>>
>>>> This whole logging situation is complex enough as it is even with IPv4
>>>> (hello CGNAT), I don't know why the IETF insists on making it more
>>>> complicated with IPv6 with this “stateless” obsession of address
>>>> assignments.
>>>>
>>>
>>> You yourself have said at least one reason.
>>>
>>> State synchronisation is hard.
>>>
>>> Another reason is fate sharing.
>>>
>>> A third reason is overhead of running a database server to allocate
>>> addresses.
>>>
>>> A forth reason is running heavier weight clients to do database
>>> transactions.
>>>
>>> SLAAC moves the processing and data that would be performed and stored
>>> on a DHCPv6 server and distributes that per host processing and data to the
>>> individual hosts.
>>>
>>> That makes it scale.
>>>
>>> That means no requirement for a centralised database, nor any database
>>> synchronisation requirements for redundancy.
>>>
>>> That means that failure of a host only affects the addressing state if
>>> that host itself. Hosts don't share any addressing system fate with each
>>> other or a database server.
>>>
>>> Those are the technical benefits of a stateless address allocation
>>> scheme, which is why IPv4 before Ethernet had one, XNS had one, IPX had
>>> one, AppleTalk had one, CLNS had one, DecNET had one, Banyan Vines had one
>>> ...
>>>
>>> IPv4, post Ethernet, is the only layer 3 protocol that has a
>>> centralised, database driven address allocation protocol, and the origins
>>> of that can be tied to Ethernet addresses not being small enough to embed
>>> in the host portions of IPv4 addresses, unlike earlier layer 2 protocols
>>> such as BBN-1822/ARPANET and AUTODIN II.
>>>
>>> Address Mappings
>>> https://datatracker.ietf.org/doc/html/rfc796
>>>
>>>
>>> Regards,
>>> Big-SLAAC*
>>>
>>>
>>> *not affiliated with Big-Pharma
>>>
>>>
>>>
>>>> *--*
>>>> Best Regards
>>>> Daryll Swer
>>>> Website: daryllswer.com
>>>> <https://mailtrack.io/link/85f7534d570a5cdaff771e36c5c90abb833765e9?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=9badf9a5c38b04c8>
>>>>
>>>>
>>>> On Sun, 24 Dec 2023 at 02:21, Brian E Carpenter <
>>>> brian.e.carpenter@gmail.com> wrote:
>>>>
>>>>> On 24-Dec-23 02:58, Daryll Swer wrote:
>>>>> >  > I find it truly amazing how much energy is invested in approaches
>>>>> to work around the shortcomings of SLAAC, just because "DHCPv6 does not fit
>>>>> the architecture". Maybe the architecture is just... bad?  And this is one
>>>>> of the reasons
>>>>> >
>>>>> > It looks like we'll need to wait for law enforcement pressure to
>>>>> start piling up on IPv6-origin cybercrimes.
>>>>>
>>>>> I think there's a general failure to recognize that corporate networks
>>>>> and public-access networks are deeply different in this respect. (That
>>>>> dichotomy is over-simplified, but never mind for now.)
>>>>>
>>>>> If a bad actor drops into a public-access network, commits their
>>>>> crime, and goes away, any logging that the network has done is pretty
>>>>> useless - somebody with a variable MAC address appeared, grabbed an IP
>>>>> address for half an hour, and then vanished; that MAC address will never be
>>>>> seen again, the IP addresses might serve to identify the geographical
>>>>> location (modulo VPN usage), but the forensic evidence is pretty much
>>>>> useless. So SLAAC is fine for everybody; there's nothing to be gained from
>>>>> DHCP. (Alternatively, you can describe exactly the same scenario as
>>>>> protecting the privacy and civil rights of the person.)
>>>>>
>>>>> On a corporate network whose operator has financial, civil and
>>>>> criminal liability to consider, this is completely unacceptable. As Daryll
>>>>> pointed out, it's the "stateless" in SLAAC that's the problem.
>>>>>
>>>>> Two scenarios, two solutions.
>>>>>
>>>>>      Brian
>>>>>
>>>>>
>>>>> > When that happens, it'll put pressure on these enterprises, the
>>>>> enterprises will put pressure on the vendors, the vendors will come to
>>>>> these IETF mailing lists. Perhaps then, will the SLAAC agend-ists get off
>>>>> their Ivory Towers, come down to the ground reality and patch DHCPv6
>>>>> related issues or derive a completely new protocol/standard for stateful
>>>>> IPv6.
>>>>> >
>>>>> > As of now, even some recent big profile crimes done by ATPs, were
>>>>> funnily enough, largely, IPv4-only (from the attacker's side). But, nothing
>>>>> lasts forever, only a matter of time before the criminals learn IPv6,
>>>>> probably use SLAAC to their advantage if anything.
>>>>> >
>>>>> > *--*
>>>>> > Best Regards
>>>>> > Daryll Swer
>>>>> > Website: daryllswer.com <
>>>>> https://mailtrack.io/link/b50e45b18766146001d8eb00efbd0f9b7e027202?url=https%3A%2F%2Fwww.daryllswer.com&userId=2153471&signature=1d0a6ca56ace57cf
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Sat, 23 Dec 2023 at 15:41, Gert Doering <gert@space.net <mailto:
>>>>> gert@space.net>> wrote:
>>>>> >
>>>>> >     Hi,
>>>>> >
>>>>> >     On Sat, Dec 23, 2023 at 01:29:12PM +1100, Mark Smith wrote:
>>>>> >      > Routers could report ND cache entry creation via SNMP traps
>>>>> etc.
>>>>> >
>>>>> >     Note the "could" here.  Some might actually do, most don't.
>>>>> >
>>>>> >     Is there an RFC that requires router vendors to do that?
>>>>> >
>>>>> >      > SAVI validates IPv6 addresses assigned through multiple
>>>>> mechanisms, so
>>>>> >      > naturally it would be possible to add reporting of SAVI
>>>>> events to
>>>>> >      > implementations.
>>>>> >      >
>>>>> >      > RFC 8074, "Source Address Validation Improvement (SAVI) for
>>>>> Mixed
>>>>> >      > Address Assignment Methods Scenario".
>>>>> >
>>>>> >     Any vendor actually implementing this?
>>>>> >
>>>>> >     I find it truly amazing how much energy is invested in
>>>>> approaches to
>>>>> >     work around the shortcomings of SLAAC, just because "DHCPv6 does
>>>>> not
>>>>> >     fit the architecture".
>>>>> >
>>>>> >     Maybe the architecture is just... bad?  And this is one of the
>>>>> reasons
>>>>> >     why people do not adopt IPv6 in a timely fashion?
>>>>> >
>>>>> >     Gert Doering
>>>>> >              -- NetMaster
>>>>> >     --
>>>>> >     have you enabled IPv6 on something today...?
>>>>> >
>>>>> >     SpaceNet AG                      Vorstand: Sebastian v. Bomhard,
>>>>> Michael Emmer
>>>>> >     Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A.
>>>>> Grundner-Culemann
>>>>> >     D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
>>>>> >     Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>>>>> >
>>>>> >     _______________________________________________
>>>>> >     v6ops mailing list
>>>>> >     v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>>> >     https://www.ietf.org/mailman/listinfo/v6ops <
>>>>> https://www.ietf.org/mailman/listinfo/v6ops>
>>>>> >
>>>>> >
>>>>> > _______________________________________________
>>>>> > v6ops mailing list
>>>>> > v6ops@ietf.org
>>>>> > https://www.ietf.org/mailman/listinfo/v6ops
>>>>>
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>
>>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>

v2.23.0 | Report a Bug | By Email